diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml index 3a174f8..db59626 100644 --- a/.github/workflows/build_scan_container.yml +++ b/.github/workflows/build_scan_container.yml @@ -47,7 +47,7 @@ jobs: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} - name: Scan built image with Inspector - uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.0.0 + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta id: inspector with: artifact_type: 'container' @@ -55,12 +55,15 @@ jobs: display_vulnerability_findings: "enabled" output_sbom_path: 'sbom.json' output_inspector_scan_path: 'inspector_scan.json' - output_inspector_scan_path_csv: 'inspector_scan.csv' + output_inspector_scan_path_csv: 'inspector_pkg_scan.csv' + output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv' + output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md' critical_threshold: 1 high_threshold: 1 medium_threshold: 1 low_threshold: 1 other_threshold: 1 + sbomgen_version: "1.2.0-beta" - name: Demonstrate SBOM Output (JSON) run: cat ${{ steps.inspector.outputs.artifact_sbom }} @@ -71,14 +74,28 @@ jobs: - name: Demonstrate Inspector Scan Output (CSV) run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} + - name: Display Dockerfile vulns (CSV) + run: cat inspector_dockerfile_scan.csv + + - name: Display Dockerfile vulns (MD) + run: cat inspector_dockerfile_scan.md + + - name: Debug Dockerfile output variables + run: | + echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }} + echo ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }} + - name: Demonstrate Upload Scan Results uses: actions/upload-artifact@v4 with: name: Inspector Scan SBOM Results path: | + ${{ steps.inspector.outputs.artifact_sbom }} ${{ steps.inspector.outputs.inspector_scan_results }} ${{ steps.inspector.outputs.inspector_scan_results_csv }} - ${{ steps.inspector.outputs.artifact_sbom }} + ${{ steps.inspector.outputs.inspector_scan_results_markdown }} + ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }} + ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }} - name: On vulnerability threshold exceeded diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml index fcf02dc..aabce3f 100644 --- a/.github/workflows/example_display_findings.yml +++ b/.github/workflows/example_display_findings.yml @@ -54,6 +54,7 @@ jobs: medium_threshold: 1 low_threshold: 1 other_threshold: 1 + sbomgen_version: "1.2.0-beta" # Additional input arguments are available. # See 'action.yml' for additional input/output options. diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml index 08dcb74..27cb8db 100644 --- a/.github/workflows/test_archive.yml +++ b/.github/workflows/test_archive.yml @@ -37,6 +37,7 @@ jobs: artifact_type: 'archive' artifact_path: 'entrypoint/tests/test_data/artifacts/archives/testData.zip' display_vulnerability_findings: "enabled" + sbomgen_version: "1.2.0-beta" - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml index 621df87..6f6f89f 100644 --- a/.github/workflows/test_binary.yml +++ b/.github/workflows/test_binary.yml @@ -37,6 +37,7 @@ jobs: artifact_type: 'binary' artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/inspector-sbomgen' display_vulnerability_findings: "enabled" + sbomgen_version: "1.2.0-beta" - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml index f8fa94b..e3db62b 100644 --- a/.github/workflows/test_containers.yml +++ b/.github/workflows/test_containers.yml @@ -37,6 +37,7 @@ jobs: artifact_type: 'container' artifact_path: 'ubuntu:14.04' display_vulnerability_findings: "enabled" + sbomgen_version: "1.2.0-beta" - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml new file mode 100644 index 0000000..6a60379 --- /dev/null +++ b/.github/workflows/test_dockerfile_vulns.yml @@ -0,0 +1,77 @@ +name: Test Dockerfile Vulnerabilities + +# This workflow tests that the action can successfully +# scan a GitHub repository. This workflow runs automatically +# every 6 hours, and on pushes. + +on: + schedule: + - cron: '0 */6 * * *' # runs every 6 hours + push: + branches: # + - '*' + +jobs: + daily_job: + runs-on: ubuntu-latest + environment: + name: plugin-development + + steps: + - name: Checkout this repository + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + + - name: Scan Dockerfiles + id: inspector + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta + with: + artifact_type: 'repository' + artifact_path: './' + display_vulnerability_findings: "enabled" + sbomgen_version: "1.2.0-beta" + + - name: Display scan results (JSON) + run: cat ${{ steps.inspector.outputs.inspector_scan_results }} + + - name: Display package vulns (CSV) + run: cat ${{ steps.inspector.outputs.inspector_scan_results_csv }} + + - name: Display package vulns (MD) + run: cat ${{ steps.inspector.outputs.inspector_scan_results_markdown }} + + - name: Display Dockerfile vulns (CSV) + run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_csv }} + + - name: Display Dockerfile vulns (MD) + run: cat ${{ steps.inspector.outputs.inspector_dockerfile_scan_results_markdown }} + + - name: Validate scan content + run: python3 validator/validate_inspector_scan.py --file ${{ steps.inspector.outputs.inspector_scan_results }} + + - name: Demonstrate Upload Scan Results + uses: actions/upload-artifact@v4 + with: + name: Inspector Scan SBOM Results + path: | + ${{ steps.inspector.outputs.artifact_sbom }} + ${{ steps.inspector.outputs.inspector_scan_results }} + ${{ steps.inspector.outputs.inspector_scan_results_csv }} + ${{ steps.inspector.outputs.inspector_scan_results_markdown }} + ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }} + ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }} + + + # only run if the previous step failed + - name: Notify maintainers of validation failure + if: ${{ failure() }} + run: echo "this feature is not implemented" + # TODO: add steps to send notification to a Lambda to cut a ticket on job failure + diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml index 6df455e..af74ef1 100644 --- a/.github/workflows/test_installation.yml +++ b/.github/workflows/test_installation.yml @@ -33,6 +33,7 @@ jobs: artifact_type: 'container' artifact_path: 'alpine:latest' display_vulnerability_findings: "enabled" + sbomgen_version: "1.2.0-beta" # only run if the previous step failed - name: Notify maintainers of installation failure diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml new file mode 100644 index 0000000..02f0cef --- /dev/null +++ b/.github/workflows/test_no_vulns.yml @@ -0,0 +1,54 @@ +name: Test No Vulns + +# confirm that reports are not displayed when no vulns are found + +on: + push: + branches: # + - '*' + +jobs: + daily_job: + runs-on: ubuntu-latest + environment: + name: plugin-development + + steps: + + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.AWS_IAM_ROLE }} + + - name: Test binary scan + id: inspector + uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@test_sbomgen_1.2.0-beta + with: + artifact_type: 'binary' + artifact_path: 'entrypoint/tests/test_data/artifacts/binaries/test_go_binary' + display_vulnerability_findings: "enabled" + output_sbom_path: 'sbom.json' + output_inspector_scan_path: 'inspector_scan.json' + output_inspector_scan_path_csv: 'inspector_pkg_scan.csv' + output_inspector_dockerfile_scan_path_csv: 'inspector_dockerfile_scan.csv' + output_inspector_dockerfile_scan_path_markdown: 'inspector_dockerfile_scan.md' + sbomgen_version: "1.2.0-beta" + + - name: Demonstrate Upload Scan Results + uses: actions/upload-artifact@v4 + with: + name: Inspector Scan SBOM Results + path: | + ${{ steps.inspector.outputs.artifact_sbom }} + ${{ steps.inspector.outputs.inspector_scan_results }} + ${{ steps.inspector.outputs.inspector_scan_results_csv }} + ${{ steps.inspector.outputs.inspector_scan_results_markdown }} + ${{ steps.inspector.outputs.inspector_dockerile_scan_results_csv }} + ${{ steps.inspector.outputs.inspector_dockerile_scan_results_markdown }} + diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml index 719f0ba..c58b700 100644 --- a/.github/workflows/test_repository.yml +++ b/.github/workflows/test_repository.yml @@ -36,6 +36,7 @@ jobs: artifact_type: 'repository' artifact_path: './' display_vulnerability_findings: "enabled" + sbomgen_version: "1.2.0-beta" - name: Display scan results run: cat ${{ steps.inspector.outputs.inspector_scan_results }} diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml index 27c0a6f..65fd8b7 100644 --- a/.github/workflows/test_vuln_thresholds.yml +++ b/.github/workflows/test_vuln_thresholds.yml @@ -44,6 +44,7 @@ jobs: medium_threshold: 1 low_threshold: 1 other_threshold: 1 + sbomgen_version: "1.2.0-beta" - name: Fail if vulnerability threshold is exceeded run: if [[ ${{ steps.inspector.outputs.vulnerability_threshold_exceeded }} != "1" ]]; then echo "test failed"; else echo "test passed"; fi diff --git a/.gitignore b/.gitignore index 2f99726..f216dcf 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ plan.txt __pycache__ scripts/entrypoint/test_data .coverage +.DS_Store diff --git a/README.md b/README.md index 8205b5d..4a246e8 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,12 @@ This action can scan the following artifact types for vulnerabilities: For more information, please refer to Amazon Inspector's supported [artifacts](https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html) and [container operating systems](https://docs.aws.amazon.com/inspector/latest/user/supported.html#supported-os-ecr). +To learn more about Amazon Inspector, as well as Inspector's free trial and pricing model, please see the links below: + +1. https://aws.amazon.com/inspector/ +2. https://aws.amazon.com/inspector/pricing/?nc=sn&loc=3 + + ## Prerequisites 1. **Required:** You must have an active AWS account to use this action. Guidance on creating an AWS account is diff --git a/action.yml b/action.yml index 5548df7..7110ffe 100644 --- a/action.yml +++ b/action.yml @@ -40,6 +40,16 @@ inputs: required: False default: 'inspector_scan_${{ github.run_id }}.md' + output_inspector_dockerfile_scan_path_csv: + description: "The destination file path for Inspector's Dockerfile vulnerability scan (CSV format)." + required: False + default: 'inspector_dockerfile_scan_${{ github.run_id }}.csv' + + output_inspector_dockerfile_scan_path_markdown: + description: "The destination file path for Inspector's Dockerfile vulnerability scan (markdown format)." + required: False + default: 'inspector_dockerfile_scan_${{ github.run_id }}.md' + sbomgen_version: description: "The inspector-sbomgen version you wish to use for SBOM generation. See here for more info: https://docs.aws.amazon.com/inspector/latest/user/sbom-generator.html" required: False @@ -109,6 +119,13 @@ outputs: inspector_scan_results_markdown: description: "The file path to the Inspector vulnerability scan findings in markdown format." + inspector_dockerile_scan_results_csv: + description: "The file path to the Inspector Dockerfile vulnerability scan findings in CSV format." + + inspector_dockerile_scan_results_markdown: + description: "The file path to the Inspector Dockerfile vulnerability scan findings in markdown format." + + vulnerability_threshold_exceeded: description: "This variable is set to 1 if any vulnerability threshold was exceeded, otherwise it is 0. This variable can be used to trigger custom logic, such as failing the job if vulnerabilities were detected." @@ -123,6 +140,8 @@ runs: - --out-scan=${{ inputs.output_inspector_scan_path }} - --out-scan-csv=${{ inputs.output_inspector_scan_path_csv }} - --out-scan-markdown=${{ inputs.output_inspector_scan_path_markdown }} + - --out-dockerfile-scan-csv=${{ inputs.output_inspector_dockerfile_scan_path_csv }} + - --out-dockerfile-scan-md=${{ inputs.output_inspector_dockerfile_scan_path_markdown }} - --sbomgen-version=${{ inputs.sbomgen_version }} - --thresholds - --critical=${{ inputs.critical_threshold }} diff --git a/entrypoint/entrypoint/cli.py b/entrypoint/entrypoint/cli.py index fbe57ac..384a9dd 100644 --- a/entrypoint/entrypoint/cli.py +++ b/entrypoint/entrypoint/cli.py @@ -23,6 +23,10 @@ def init(sys_argv=None) -> argparse.Namespace: help="The destination file path for Inspector's vulnerability scan in CSV format.") parser.add_argument("--out-scan-markdown", type=str, default="inspector-scan.md", help="The destination file path for Inspector's vulnerability scan results in markdown format.") + parser.add_argument("--out-dockerfile-scan-csv", type=str, default="inspector-dockerfile-scan.csv", + help="The destination file path for Inspector's Dockerfile vulnerability scan in CSV format.") + parser.add_argument("--out-dockerfile-scan-md", type=str, default="inspector-dockerfile-scan.md", + help="The destination file path for Inspector's Dockerfile vulnerability scan in markdown format.") parser.add_argument("--verbose", action="store_true", help="Enables verbose console logging.") parser.add_argument("--sbomgen-version", type=str, default="latest", help="The inspector-sbomgen version you wish to use for SBOM generation.") diff --git a/entrypoint/entrypoint/dockerfile.py b/entrypoint/entrypoint/dockerfile.py new file mode 100644 index 0000000..53ff4ae --- /dev/null +++ b/entrypoint/entrypoint/dockerfile.py @@ -0,0 +1,347 @@ +import json +import logging + +from typing import List + + +class DockerfileVulnerability: + def __int__(self): + self.vuln_id: str = "" + self.severity: str = "" + self.description: str = "" + + # for a single Dockerfile vulnerability, we + # may have multiple affected files and line numbers + self.filepaths = [] + self.lines = [] + + +def get_json_value(key: str, inspector_scan_json: dict): + value = inspector_scan_json.get(key) + return value + + +def get_json_value_or_throw_fatal_error(key: str, inspector_scan_json: dict): + value = get_json_value(key, inspector_scan_json) + if not value: + logging.fatal(f"expected JSON with key '{key}' but it was not found") + + return value + + +def get_inspector_scan_body(inspector_scan_json): + scan_json = json.loads(inspector_scan_json) + scan_body = get_json_value("sbom", scan_json) + if not scan_body: + logging.fatal("expected JSON with key 'sbom' but none was found") + return scan_body + + +def is_inspector_cyclonedx_scan(inspector_scan: str) -> bool: + scan_body = get_inspector_scan_body(inspector_scan) + + scan_format = get_json_value_or_throw_fatal_error("bomFormat", scan_body) + + if scan_format == "CycloneDX": + return True + + return False + + +def is_cyclonedx_json_v1_5(inspector_scan_json: str) -> bool: + scan_body = get_inspector_scan_body(inspector_scan_json) + spec_version = get_json_value_or_throw_fatal_error("specVersion", scan_body) + if spec_version == "1.5": + return True + + return False + + +def are_components_present(inspector_scan_json: str) -> bool: + scan_body = get_inspector_scan_body(inspector_scan_json) + components = get_json_value("components", scan_body) + if not components: + return False + + return True + + +def are_vulnerabilities_present(inspector_scan_json: str) -> bool: + scan_body = get_inspector_scan_body(inspector_scan_json) + vulnerabilities = get_json_value("vulnerabilities", scan_body) + if not vulnerabilities: + return False + + return True + + +def get_vuln_array(inspector_scan_json: str): + scan_body = get_inspector_scan_body(inspector_scan_json) + vulnerabilities = get_json_value("vulnerabilities", scan_body) + if not vulnerabilities: + return None + + return vulnerabilities + + +def get_components_array(inspector_scan_json: str): + scan_body = get_inspector_scan_body(inspector_scan_json) + components = get_json_value("components", scan_body) + if not components: + return None + + return components + + +def is_docker_vuln(vuln): + vuln_id = vuln["id"] + + if "IN-DOCKER-" in vuln_id: + return True + + return False + + +def parse_vuln(dockerfile_vulnerability, component_list) -> DockerfileVulnerability: + affected_components = get_affected_components(dockerfile_vulnerability) + affected_files = [] + affected_lines = [] + + v = DockerfileVulnerability() + v.vuln_id = dockerfile_vulnerability["id"] + + for each_component in affected_components: + filepath = get_affected_file(component_list, each_component) + affected_files.append(filepath) + + lines = get_affected_lines(component_list, each_component, v.vuln_id) + for each_line in lines: + affected_lines.append(each_line) + + v.severity = get_inspector_severity(dockerfile_vulnerability) + v.description = dockerfile_vulnerability["description"] + v.filepaths = affected_files + v.lines = affected_lines + + return v + + +def get_inspector_severity(vuln): + ratings = get_ratings(vuln) + if not ratings: + return None + + for rating in ratings: + source = get_source(rating) + if not source: + continue + + source_name = get_source_name(source) + if not source_name: + continue + + if "AMAZON_INSPECTOR" in source_name: + severity = get_severity(rating) + return severity + + return None + + +def get_ratings(vuln): + ratings = vuln["ratings"] + if not ratings: + logging.error(f"expected severity ratings in vuln but none was found: {vuln}") + return None + return ratings + + +def get_source(rating): + source = rating["source"] + if not source: + logging.error(f"expected rating source but none was found: {rating}") + return None + + return source + + +def get_source_name(source): + name = source["name"] + if not name: + logging.error(f"expected source name but none was found: {source}") + return None + + return name + + +def get_severity(rating): + severity = rating["severity"] + if not severity: + logging.error(f"expected severity in rating object but it was not found: {rating}") + return None + + return severity + + +def get_affected_file(components, comp_number): + for each_comp in components: + bom_ref = each_comp["bom-ref"] + if bom_ref == comp_number: + affected_dockerfile = each_comp["name"] + return affected_dockerfile + + +def get_affected_components(vuln): + affects = vuln['affects'] + if not affects: + logging.error(f"expected 'affects' list in vulnerability but it was not found: {vuln}") + return None + + affected_components = [] + for each_comp in affects: + comp_name = each_comp["ref"] + if not comp_name: + logging.error(f"expected value from key 'ref' but received None: {each_comp}") + continue + affected_components.append(comp_name) + + return affected_components + + +def get_affected_lines(component_list, bom_ref, docker_finding_id): + affected_prop = f"amazon:inspector:sbom_scanner:dockerfile_finding:{docker_finding_id}" + affected_lines_list = [] + + # get the affected lines from the component matching 'bom_ref' + # and 'docker_finding_id' + comp = get_matching_component(component_list, bom_ref) + properties = comp["properties"] + for prop in properties: + prop_name = prop["name"] + if prop_name != affected_prop: + continue + affected_lines = prop["value"] + affected_lines = extract_line_numbers(affected_lines) + affected_lines_list.append(affected_lines) + + return affected_lines_list + + +def get_matching_component(component_list, bom_ref): + for each_comp in component_list: + comp_name = each_comp["bom-ref"] + if comp_name == bom_ref: + return each_comp + + +def extract_line_numbers(affected_lines): + affected_lines = affected_lines.split(":") + affected_lines = affected_lines[1] + return affected_lines + + +def get_component(inspector_scan_cdx_json, comp_number): + components = get_components_array(inspector_scan_cdx_json) + for each_comp in components: + bom_ref = each_comp["bom-ref"] + if comp_number == bom_ref: + return each_comp + + +def vuln_to_markdown_row(vuln: DockerfileVulnerability) -> str: + if len(vuln.filepaths) == 1: + vuln.filepaths = vuln.filepaths[0] + + if len(vuln.lines) == 1: + vuln.lines = vuln.lines[0] + row = f"| {vuln.vuln_id} | {vuln.severity} | {vuln.description} | {vuln.filepaths} | {vuln.lines} |\n" + return row + + +def get_markdown_header() -> str: + s = "## Dockerfile Findings\n" + s += "|ID|SEVERITY|DESCRIPTION|FILE|LINES|\n" + s += "|---|---|---|---|---|\n" + return s + + +def get_dockerfile_vulns(inspector_scan_path): + vuln_objects = [] + inspector_scan_json = [] + with open(inspector_scan_path, "r") as f: + inspector_scan_json = f.read() + + components = get_components_array(inspector_scan_json) + if not components: return vuln_objects + + vulns = get_vuln_array(inspector_scan_json) + if not vulns: return vuln_objects + + for vuln in vulns: + if not is_docker_vuln(vuln): + continue + vuln_obj = parse_vuln(vuln, components) + vuln_objects.append(vuln_obj) + + return vuln_objects + + +def get_csv_report_header(): + header = "ID,SEVERITY,DESCRIPTION,FILE,LINE\n" + return header + + +def vuln_to_csv_row(vuln): + if len(vuln.filepaths) == 1: + vuln.filepaths = vuln.filepaths[0] + + if len(vuln.lines) == 1: + vuln.lines = vuln.lines[0] + + clean_description = f"{vuln.description.replace(',', '')}" + row = f"{vuln.vuln_id},{vuln.severity},{clean_description},{vuln.filepaths},{vuln.lines}\n" + return row + + +def dockerfile_vulns_to_csv(dockerfile_vulns): + csv_output = get_csv_report_header() + + for vuln in dockerfile_vulns: + csv_row = vuln_to_csv_row(vuln) + csv_output += csv_row + + return csv_output + + +def write_dockerfile_report_csv(inspector_scan_path, dst_file): + dockerfile_vulns = get_dockerfile_vulns(inspector_scan_path) + if len(dockerfile_vulns) == 0: + logging.info(f"skipping dockerfile vulnerability CSV report because no vulnerabilities were detected") + return False + + csv_output = dockerfile_vulns_to_csv(dockerfile_vulns) + + logging.info(f"writing Dockerfile vulnerability CSV report to: {dst_file}") + with open(dst_file, "w") as f: + f.write(csv_output) + return True + + +def write_dockerfile_report_md(inspector_scan_path, dst_file): + dockerfile_vulns = get_dockerfile_vulns(inspector_scan_path) + if len(dockerfile_vulns) == 0: + logging.info(f"skipping dockerfile vulnerability MD report because no vulnerabilities were detected") + return False + + markdown_report = get_markdown_header() + for vuln in dockerfile_vulns: + row = vuln_to_markdown_row(vuln) + markdown_report += row + + logging.info(f"writing Dockerfile vulnerability markdown report to: {dst_file}") + with open(dst_file, "w") as f: + f.write(markdown_report) + return True + + +def post_dockerfile_github_actions_step_summary(): + return diff --git a/entrypoint/entrypoint/installer.py b/entrypoint/entrypoint/installer.py index dceec59..bc8fe3f 100644 --- a/entrypoint/entrypoint/installer.py +++ b/entrypoint/entrypoint/installer.py @@ -47,6 +47,7 @@ def download_sbomgen(url: str, dst: str) -> str: return "" try: + logging.debug(f"downloading sbomgen from url: {url}") urllib.request.urlretrieve(url=url, filename=dst) return dst except Exception as e: diff --git a/entrypoint/entrypoint/orchestrator.py b/entrypoint/entrypoint/orchestrator.py index 27001e7..e3e9383 100644 --- a/entrypoint/entrypoint/orchestrator.py +++ b/entrypoint/entrypoint/orchestrator.py @@ -1,7 +1,3 @@ -from entrypoint import converter -from entrypoint import installer -from entrypoint import executor - import datetime import json import logging @@ -10,6 +6,69 @@ import shutil import tempfile +from entrypoint import dockerfile +from entrypoint import installer +from entrypoint import executor +from entrypoint import pkg_vuln + + +def execute(args) -> int: + logging.info(f"downloading and installing inspector-sbomgen version {args.sbomgen_version}") + ret = install_sbomgen(args) + require_true((ret == 0), "unable to download and install inspector-sbomgen") + + logging.info("generating SBOM from artifact") + ret = invoke_sbomgen(args) + require_true(ret == 0, "unable to generate SBOM with inspector-sbomgen") + + logging.info("scanning SBOM contents with Amazon Inspector") + ret = invoke_inspector_scan(args.out_sbom, args.out_scan) + require_true(ret == 0, "unable to scan SBOM contents with Amazon Inspector") + set_github_actions_output('inspector_scan_results', args.out_scan) + + logging.info("tallying vulnerabilities") + succeeded, total_vulns, criticals, highs, mediums, lows, others = get_vuln_counts(args.out_scan) + require_true(succeeded, "unable to tally vulnerabilities") + + print_vuln_count_summary(args, total_vulns, criticals, highs, mediums, lows, others) + + set_flag_if_vuln_threshold_exceeded(args, criticals, highs, mediums, lows, others) + + write_pkg_vuln_report_csv(args, criticals, highs, mediums, lows, others) + set_github_actions_output('inspector_scan_results_csv', args.out_scan_csv) + + pkg_vuln_markdown = write_pkg_vuln_report_markdown(args, total_vulns, criticals, highs, mediums, lows, others) + post_pkg_vuln_github_actions_step_summary(args, total_vulns, pkg_vuln_markdown) + set_github_actions_output('inspector_scan_results_markdown', args.out_scan_markdown) + + dockerfile.write_dockerfile_report_csv(args.out_scan, args.out_dockerfile_scan_csv) + set_github_actions_output('inspector_dockerile_scan_results_csv', args.out_dockerfile_scan_csv) + + dockerfile.write_dockerfile_report_md(args.out_scan, args.out_dockerfile_scan_md) + set_github_actions_output('inspector_dockerile_scan_results_markdown', args.out_dockerfile_scan_md) + post_dockerfile_step_summary(args, total_vulns) + + return 0 + + +def post_dockerfile_step_summary(args, total_vulns): + if args.display_vuln_findings == "enabled" and int(total_vulns) > 0: + logging.info("posting Inspector Dockerfile scan findings to GitHub Actions step summary page") + + dockerfile_markdown = "" + with open(args.out_dockerfile_scan_md, "r") as f: + dockerfile_markdown = f.read() + + if not dockerfile_markdown: + return + + job_summary_file = "/tmp/inspector.md" + if os.getenv('GITHUB_ACTIONS'): + job_summary_file = os.environ["GITHUB_STEP_SUMMARY"] + + with open(job_summary_file, "a") as f: + f.write(dockerfile_markdown) + def download_install_sbomgen(sbomgen_version: str, install_dst: str) -> bool: cpu_arch = platform.machine() @@ -32,6 +91,7 @@ def download_install_sbomgen(sbomgen_version: str, install_dst: str) -> bool: return False # unzip sbomgen + logging.debug(f"unpacking {dst}") extracted_src = dst extracted_dst = os.path.join(tempfile.gettempdir(), "inspector-sbomgen") ret = installer.extract_sbomgen(extracted_src, extracted_dst) @@ -39,31 +99,23 @@ def download_install_sbomgen(sbomgen_version: str, install_dst: str) -> bool: return False # find sbomgen ELF binary + logging.debug("locating inspector-sbomgen binary from unpacked archive") sbomgen_path = installer.find_file_in_dir("inspector-sbomgen", extracted_dst) if sbomgen_path == "": return False # install sbomgen # install_dst = "/usr/local/bin/inspector-sbomgen" + logging.debug(f"installing {sbomgen_path} to {install_dst}") ret = installer.install_sbomgen(sbomgen_path, install_dst) if ret == "": return False + logging.debug(f"setting inspector-sbomgen install path to: {install_dst}") installer.set_sbomgen_install_path(install_dst) return True -def set_github_actions_output(key, value): - if os.getenv('GITHUB_ACTIONS'): - # set env var to expose SBOM contents - # to github actions - # https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs - logging.debug(f"setting github actions output: {key}:{value}") - os.system(f'echo "{key}={value}" >> "$GITHUB_OUTPUT"') - - return - - def invoke_sbomgen(args) -> int: sbomgen = installer.get_sbomgen_install_path() if sbomgen == "": @@ -140,13 +192,23 @@ def invoke_inspector_scan(src_sbom, dst_scan): if ret != 0: return ret - set_github_actions_output('inspector_scan_results', dst_scan) - return ret +def set_github_actions_output(key, value): + if os.getenv('GITHUB_ACTIONS'): + # set env var to expose SBOM contents + # to github actions + # https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs + logging.info(f"setting github actions output: {key}:{value}") + os.system(f'echo "{key}={value}" >> "$GITHUB_OUTPUT"') + + return + + def get_vuln_counts(inspector_scan_path: str): # vuln severities + total_vulns = 0 criticals = 0 highs = 0 mediums = 0 @@ -166,17 +228,17 @@ def get_vuln_counts(inspector_scan_path: str): if scan_contents is None: logging.error( f"expected Inspector scan results with 'sbom' as root object, but it was not found in file {inspector_scan_path}") - return False, criticals, highs, mediums, lows, others + return False, total_vulns, criticals, highs, mediums, lows, others metadata = scan_contents.get("metadata") if metadata is None: # no vulnerabilities found - return True, criticals, highs, mediums, lows, others + return True, total_vulns, criticals, highs, mediums, lows, others props = metadata.get("properties") if props is None: logging.error(f"expected metadata properties, but none were found in file {inspector_scan_path}") - return False, criticals, highs, mediums, lows, others + return False, total_vulns, criticals, highs, mediums, lows, others # iterate over each property and extract vulnerability counts by severity for prop in props: @@ -262,11 +324,12 @@ def exceeds_threshold(criticals, critical_threshold, return is_threshold_exceed -def execute(args) -> int: +def install_sbomgen(args): os_name = platform.system() if "Linux" in os_name: - logging.info(f"downloading and installing inspector-sbomgen version {args.sbomgen_version}") - download_install_sbomgen(args.sbomgen_version, "/usr/local/bin/inspector-sbomgen") + ret = download_install_sbomgen(args.sbomgen_version, "/usr/local/bin/inspector-sbomgen") + if not ret: + return 1 else: logging.warning( @@ -279,72 +342,59 @@ def execute(args) -> int: "unable to find inspector-sbomgen; try downloading sbomgen for your platform and place in /usr/local/bin/inspector-sbomgen") return 1 - logging.info("generating SBOM from artifact") - ret = invoke_sbomgen(args) - if ret != 0: - logging.error("unable to generate SBOM with inspector-sbomgen") - return 1 - - logging.info("scanning SBOM contents with Amazon Inspector") - ret = invoke_inspector_scan(args.out_sbom, args.out_scan) - if ret != 0: - logging.error("unable to scan SBOM contents with Amazon Inspector") - return 1 - - # make scan results file world readable so - # github actions can upload the file as a job artifact - os.system(f"chmod 444 {args.out_scan}") + return 0 - logging.info("tallying vulnerabilities") - succeeded, total_vulns, criticals, highs, mediums, lows, others = get_vuln_counts(args.out_scan) - if not succeeded: - return 1 - findings = get_summarized_findings(args.artifact_type, args.artifact_path, total_vulns, criticals, highs, mediums, - lows, - others) - print(findings) +def write_pkg_vuln_report_csv(args, criticals, highs, mediums, lows, others): + total_vulns = int(criticals) + int(highs) + int(mediums) + int(lows) + int(others) + if total_vulns == 0: + logging.info(f"skipping package vulnerability CSV report because no vulnerabilities were detected") + return - # create CSV output csv_output = {} with open(args.out_scan, "r") as f: inspector_scan = json.load(f) - vulns = converter.vulns_to_obj(inspector_scan) - csv_output = converter.to_csv(vulns, artifact_name=args.artifact_path, - artifact_type=args.artifact_type, - criticals=criticals, - highs=highs, - mediums=mediums, - lows=lows, - others=others) + vulns = pkg_vuln.vulns_to_obj(inspector_scan) + + csv_output = pkg_vuln.to_csv(vulns, artifact_name=args.artifact_path, + artifact_type=args.artifact_type, + criticals=criticals, + highs=highs, + mediums=mediums, + lows=lows, + others=others) - logging.info(f"writing CSV report to: {args.out_scan_csv}") + logging.info(f"writing package vulnerability CSV report to: {args.out_scan_csv}") with open(args.out_scan_csv, "w") as f: f.write(csv_output) - set_github_actions_output('inspector_scan_results_csv', args.out_scan_csv) - # create markdown report - logging.info("creating Inspector scan job summary") - markdown = converter.to_markdown(vulns, artifact_name=args.artifact_path, - artifact_type=args.artifact_type, - criticals=criticals, - highs=highs, - mediums=mediums, - lows=lows, - others=others) +def write_pkg_vuln_report_markdown(args, total_vulns, criticals, highs, mediums, lows, others): + if int(total_vulns) == 0: + logging.info(f"skipping package vulnerability markdown report because no vulnerabilities were detected") + return - if args.display_vuln_findings == "enabled": + with open(args.out_scan, "r") as f: + inspector_scan = json.load(f) + vulns = pkg_vuln.vulns_to_obj(inspector_scan) - logging.info("posting Inspector scan findings to GitHub Actions step summary page") - converter.post_github_step_summary(markdown) + markdown = pkg_vuln.to_markdown(vulns, artifact_name=args.artifact_path, + artifact_type=args.artifact_type, + criticals=criticals, + highs=highs, + mediums=mediums, + lows=lows, + others=others) - logging.info(f"writing markdown report to: {args.out_scan_markdown}") + logging.info(f"writing package vulnerability markdown report to: {args.out_scan_markdown}") with open(args.out_scan_markdown, "w") as f: f.write(markdown) - set_github_actions_output('inspector_scan_results_markdown', args.out_scan_markdown) + return markdown + + +def set_flag_if_vuln_threshold_exceeded(args, criticals, highs, mediums, lows, others): is_exceeded = exceeds_threshold(criticals, args.critical, highs, args.high, mediums, args.medium, @@ -356,4 +406,21 @@ def execute(args) -> int: else: set_github_actions_output('vulnerability_threshold_exceeded', 0) - return 0 + +def print_vuln_count_summary(args, total_vulns, criticals, highs, mediums, lows, others): + findings = get_summarized_findings(args.artifact_type, args.artifact_path, total_vulns, criticals, highs, mediums, + lows, + others) + print(findings) + + +def post_pkg_vuln_github_actions_step_summary(args, total_vulns, markdown): + if args.display_vuln_findings == "enabled" and total_vulns > 0: + logging.info("posting Inspector scan findings to GitHub Actions step summary page") + pkg_vuln.post_github_step_summary(markdown) + + +def require_true(expr: bool, msg: str): + if not expr: + logging.error(msg) + exit(1) diff --git a/entrypoint/entrypoint/converter.py b/entrypoint/entrypoint/pkg_vuln.py similarity index 94% rename from entrypoint/entrypoint/converter.py rename to entrypoint/entrypoint/pkg_vuln.py index 215ddb1..73687f7 100644 --- a/entrypoint/entrypoint/converter.py +++ b/entrypoint/entrypoint/pkg_vuln.py @@ -1,10 +1,12 @@ """ -converter.py has functions for parsing +pkg_vuln.py has functions for parsing Inspector ScanSbom API JSON, and converting to different formats (CSV and markdown). """ import csv +import json +import logging import os import urllib.parse @@ -36,69 +38,6 @@ def __init__(self): self.cwes = "null" -def getPropertyValueFromKey(vuln_json, key): - """ - extracts cycloneDX properties from Inspector - ScanSbom components - :param vuln_json: the component from which you would like to extract a property value - :param key: the key to the property - :return: the value from the component's property key - """ - props = vuln_json.get("properties") - if props: - for each_prop in props: - name = each_prop.get("name") - if name: - if key == name: - value = each_prop.get("value") - if value: - return value - return None - - -def get_nvd_severity(ratings): - for rating in ratings: - source = rating.get("source") - if not source: - continue - - if source["name"] == "NVD": - severity = rating["severity"] - if severity: - return severity - return None - - -def get_nvd_score(ratings): - for rating in ratings: - source = rating.get("source") - if not source: - continue - - method = rating.get("method") - if not method: - continue - - if source["name"] == "NVD" and method == "CVSSv31": - score = rating["score"] - if score: - return score - return None - - -def get_epss_score(ratings): - for rating in ratings: - source = rating.get("source") - if not source: - continue - - if source["name"] == "EPSS": - epss_score = rating["score"] - if epss_score: - return epss_score - return None - - def vulns_to_obj(inspector_scan_json) -> List[Vulnerability]: """ this function parses JSON from Inspector's ScanSbom API @@ -110,18 +49,17 @@ def vulns_to_obj(inspector_scan_json) -> List[Vulnerability]: # check if the input has the fields we expect; anything without # these fields is assumed to be garbage and None is returned scan_contents = inspector_scan_json.get("sbom") - if not scan_contents: - return None + fatal_assert(scan_contents != None, "expected JSON with key 'sbom' but none was found") components = scan_contents.get("components") - if not components: - return None + if not components: return vuln_list vulns = scan_contents.get("vulnerabilities") - if not vulns: - return None + if not vulns: return vuln_list - for v in vulns: + pkg_vulns = get_pkg_vulns(vulns) + + for v in pkg_vulns: vuln_obj = Vulnerability() @@ -249,6 +187,69 @@ def vulns_to_obj(inspector_scan_json) -> List[Vulnerability]: return vuln_list +def getPropertyValueFromKey(vuln_json, key): + """ + extracts cycloneDX properties from Inspector + ScanSbom components + :param vuln_json: the component from which you would like to extract a property value + :param key: the key to the property + :return: the value from the component's property key + """ + props = vuln_json.get("properties") + if props: + for each_prop in props: + name = each_prop.get("name") + if name: + if key == name: + value = each_prop.get("value") + if value: + return value + return None + + +def get_nvd_severity(ratings): + for rating in ratings: + source = rating.get("source") + if not source: + continue + + if source["name"] == "NVD": + severity = rating["severity"] + if severity: + return severity + return None + + +def get_nvd_score(ratings): + for rating in ratings: + source = rating.get("source") + if not source: + continue + + method = rating.get("method") + if not method: + continue + + if source["name"] == "NVD" and method == "CVSSv31": + score = rating["score"] + if score: + return score + return None + + +def get_epss_score(ratings): + for rating in ratings: + source = rating.get("source") + if not source: + continue + + if source["name"] == "EPSS": + epss_score = rating["score"] + if epss_score: + return epss_score + return None + + def to_csv(vulns, artifact_name="null", artifact_type="null", @@ -288,6 +289,7 @@ def to_csv(vulns, # write each vuln into a CSV if vulns: for v in vulns: + # if package vuln row = [v.vuln_id, v.severity, v.cvss_score, v.installed_ver, v.fixed_ver, v.pkg_path, v.epss_score, v.exploit_available, @@ -429,3 +431,24 @@ def post_github_step_summary(markdown="null"): with open(job_summary_file, "a") as f: f.write(markdown) + + +def fatal_assert(expr: bool, msg: str): + if not expr: + logging.error(msg) + exit(1) + + +def get_pkg_vulns(inspector_scan_vulns: dict): + pkg_vulns = [] + + for vuln in inspector_scan_vulns: + # [!] at time of writing, we only have two vuln types: + # 1. pkg vulns, 2. Dockerfile vulns + # Therefore, we skip all Dockerfile vulns, leaving + # only pkg vulns. + if "IN-DOCKER" in vuln["id"]: + continue + pkg_vulns.append(vuln) + + return pkg_vulns diff --git a/entrypoint/setup.py b/entrypoint/setup.py new file mode 100644 index 0000000..9d282dd --- /dev/null +++ b/entrypoint/setup.py @@ -0,0 +1,7 @@ +from setuptools import setup, find_packages + +setup( + name="entrypoint", + version='1.1.0', + packages=find_packages() +) diff --git a/entrypoint/tests/test_csv.py b/entrypoint/tests/test_csv.py index a740d24..2adc165 100644 --- a/entrypoint/tests/test_csv.py +++ b/entrypoint/tests/test_csv.py @@ -2,7 +2,7 @@ import os import unittest -from entrypoint import converter +from entrypoint import pkg_vuln class TestCSV(unittest.TestCase): @@ -17,7 +17,7 @@ def test_json_to_csv(self): with open(path, 'r') as f: inspector_scan_json = json.load(f) - vulns = converter.vulns_to_obj(inspector_scan_json) + vulns = pkg_vuln.vulns_to_obj(inspector_scan_json) if not vulns: continue @@ -35,7 +35,7 @@ def test_json_to_csv(self): self.assertTrue(v.exploit_last_seen != "") self.assertTrue(v.cwes != "") - as_csv = converter.to_csv(vulns) + as_csv = pkg_vuln.to_csv(vulns) self.assertIsNotNone(as_csv) self.assertTrue(as_csv != "") diff --git a/entrypoint/tests/test_data/artifacts/binaries/test_go_binary b/entrypoint/tests/test_data/artifacts/binaries/test_go_binary new file mode 100755 index 0000000..a58b5e8 Binary files /dev/null and b/entrypoint/tests/test_data/artifacts/binaries/test_go_binary differ diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/Dockerfile b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/Dockerfile new file mode 100644 index 0000000..543d868 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/Dockerfile @@ -0,0 +1,33 @@ +# This image is intended to test +# rendering of Dockerfile security checks. +# This image has security issues by design +# and should NOT be used for any production +# products or services. +FROM ubuntu:14.04 + +# IN-DOCKER-004 +# Use of apt: 'apt' does not have a stable CLI interface for non-interactive use +RUN apt update -y + +# IN-DOCKER-001 +# apt-get layer caching: Using apt-get update alone in a RUN statement causes caching issues and subsequent apt-get install instructions to fail. +RUN apt-get update + +# IN-DOCKER-003 +# Last USER is root: If a service can run without privileges, use USER to change to a non-root user +USER root + +# IN-DOCKER-002 +# Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems +RUN apt-get install sudo +RUN sudo whoami + +# IN-DOCKER-005-00X +# Weakened Shell Command Exec Flag: 'apt-get --allow-unauthenticated' installs Advantaged package tool (APT) packages on Debian-based Linux distributions without validating package signatures. +RUN apt-get install vim --allow-unauthenticated -y + +# IN-DOCKER-006-00X +# Weakened Environment Variable: 'NPM_CONFIG_STRICT_SSL' is false, disabling TLS certificate validation when 'npm' makes requests to the Node Package Manager registry via https. +ENV NPM_CONFIG_STRICT_SSL=false + +ENTRYPOINT ["/bin/bash"] diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/Makefile b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/Makefile new file mode 100644 index 0000000..c671cc1 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/Makefile @@ -0,0 +1,10 @@ +# build and scan vulnerable image +all: build scan + +# build the image under test / development +build: + docker build . -t dev:latest + +# scan image with inspector +scan: + inspector-sbomgen container --image "dev:latest" --scan-sbom --scanners dockerfile -o inspector-scan.json diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/dockerfile_component.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/dockerfile_component.json new file mode 100644 index 0000000..f17ab66 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/dockerfile_component.json @@ -0,0 +1,47 @@ +{ + "bom-ref": "comp-1", + "name": "dockerfile:Dockerfile", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-004", + "value": "affected_lines:10-10" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-003", + "value": "affected_lines:18-18" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-001", + "value": "affected_lines:22-22" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-005-003", + "value": "affected_lines:34-34" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-006-001", + "value": "affected_lines:38-38" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-001", + "value": "affected_lines:34-34" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-002", + "value": "affected_lines:23-23" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-003", + "value": "affected_lines:24-24" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-004", + "value": "affected_lines:25-25" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-002", + "value": "affected_lines:30-30" + } + ], + "type": "file" +} diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-dockerfile-only.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-dockerfile-only.json new file mode 100644 index 0000000..8372a73 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-dockerfile-only.json @@ -0,0 +1,426 @@ +{ + "sbom": { + "bomFormat": "CycloneDX", + "components": [ + { + "bom-ref": "comp-1", + "name": "dockerfile:Dockerfile", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-004", + "value": "affected_lines:10-10" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-003", + "value": "affected_lines:18-18" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-001", + "value": "affected_lines:22-22" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-005-003", + "value": "affected_lines:34-34" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-006-001", + "value": "affected_lines:38-38" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-001", + "value": "affected_lines:34-34" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-002", + "value": "affected_lines:23-23" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-003", + "value": "affected_lines:24-24" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-007-004", + "value": "affected_lines:25-25" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-002", + "value": "affected_lines:30-30" + } + ], + "type": "file" + } + ], + "metadata": { + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", + "value": "4" + }, + { + "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", + "value": "2" + }, + { + "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "4" + } + ], + "timestamp": "2024-05-20T16:10:27.985Z", + "tools": { + "services": [ + { + "name": "Amazon Inspector Scan SBOM API", + "version": "a679a626+9a9f9d12+3afcd0e8" + } + ] + } + }, + "serialNumber": "urn:uuid:4c38e68b-3698-45ea-8ae7-03f778e690b5", + "specVersion": "1.5", + "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-1", + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: AWS Access Key ID.", + "id": "IN-DOCKER-007-001", + "ratings": [ + { + "method": "other", + "severity": "critical", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://docs.npmjs.com/cli/v10/using-npm/config" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-2", + "created": "2024-03-27T14:36:39Z", + "description": "Weakened Environment Variable: 'NPM_CONFIG_STRICT_SSL' is false, disabling TLS certificate validation when 'npm' makes requests to the Node Package Manager registry via https.", + "id": "IN-DOCKER-006-001", + "ratings": [ + { + "method": "other", + "severity": "high", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-3", + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: GitHub Personal Access Token.", + "id": "IN-DOCKER-007-003", + "ratings": [ + { + "method": "other", + "severity": "critical", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/develop/develop-images/instructions/" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-4", + "created": "2024-03-27T14:36:39Z", + "description": "Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems.", + "id": "IN-DOCKER-002", + "ratings": [ + { + "method": "other", + "severity": "info", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://manpages.debian.org/stretch/apt/apt-get.8.en.html" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-5", + "created": "2024-03-27T14:36:39Z", + "description": "Weakened Shell Command Exec Flag: 'apt-get --allow-unauthenticated' installs Advantaged package tool (APT) packages on Debian-based Linux distributions without validating package signatures.", + "id": "IN-DOCKER-005-003", + "ratings": [ + { + "method": "other", + "severity": "high", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://manpages.debian.org/stretch/apt/apt.8.en.html" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-6", + "created": "2024-03-27T14:36:39Z", + "description": "Use of apt: 'apt' does not have a stable CLI interface for non-interactive use.", + "id": "IN-DOCKER-004", + "ratings": [ + { + "method": "other", + "severity": "info", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-7", + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: GitLab Personal Access Token.", + "id": "IN-DOCKER-007-004", + "ratings": [ + { + "method": "other", + "severity": "critical", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/security/for-developers/access-tokens/" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-8", + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: Dockerhub Personal Access Token.", + "id": "IN-DOCKER-007-002", + "ratings": [ + { + "method": "other", + "severity": "critical", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/develop/develop-images/instructions/" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-9", + "created": "2024-03-27T14:36:39Z", + "description": "apt-get layer caching: Using apt-get update alone in a RUN statement causes caching issues and subsequent apt-get install instructions to fail.", + "id": "IN-DOCKER-001", + "ratings": [ + { + "method": "other", + "severity": "info", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/develop/develop-images/instructions/" + } + ], + "affects": [ + { + "ref": "comp-1" + } + ], + "analysis": { + "state": "in_triage" + }, + "bom-ref": "vuln-10", + "created": "2024-03-27T14:36:39Z", + "description": "Last USER is root: If a service can run without privileges, use USER to change to a non-root user.", + "id": "IN-DOCKER-003", + "ratings": [ + { + "method": "other", + "severity": "info", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "updated": "2024-03-27T14:36:39Z" + } + ] + } +} \ No newline at end of file diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-no-components.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-no-components.json new file mode 100644 index 0000000..6d5b494 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-no-components.json @@ -0,0 +1,36 @@ +{ + "sbom": { + "bomFormat": "CycloneDX", + "metadata": { + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", + "value": "0" + } + ], + "timestamp": "2024-05-17T19:16:04.545Z", + "tools": { + "services": [ + { + "name": "Amazon Inspector Scan SBOM API", + "version": "a679a626+5e0c2381+bf336b8c" + } + ] + } + }, + "serialNumber": "urn:uuid:9e4b4ae6-d9b7-4d93-93d8-62a726fac6b0", + "specVersion": "1.5" + } +} \ No newline at end of file diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-no-vulns.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-no-vulns.json new file mode 100644 index 0000000..6d5b494 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx-no-vulns.json @@ -0,0 +1,36 @@ +{ + "sbom": { + "bomFormat": "CycloneDX", + "metadata": { + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", + "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", + "value": "0" + } + ], + "timestamp": "2024-05-17T19:16:04.545Z", + "tools": { + "services": [ + { + "name": "Amazon Inspector Scan SBOM API", + "version": "a679a626+5e0c2381+bf336b8c" + } + ] + } + }, + "serialNumber": "urn:uuid:9e4b4ae6-d9b7-4d93-93d8-62a726fac6b0", + "specVersion": "1.5" + } +} \ No newline at end of file diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx.json new file mode 100644 index 0000000..914b2c3 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan-cdx.json @@ -0,0 +1,46178 @@ +{ + "sbom": { + "specVersion": "1.5", + "metadata": { + "tools": { + "services": [ + { + "name": "Amazon Inspector Scan SBOM API", + "version": "77f08c14+799c166d+fb1e16f3" + } + ] + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", + "value": "41" + }, + { + "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", + "value": "201" + }, + { + "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", + "value": "106" + }, + { + "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", + "value": "6" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "16" + } + ], + "timestamp": "2024-05-22T15:04:01.713Z" + }, + "components": [ + { + "bom-ref": "comp-1", + "name": "Ubuntu", + "type": "operating-system", + "version": "14.04", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:end_of_life", + "value": "2024-04-01T00:00:00Z" + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-3", + "name": "python3-yaml", + "purl": "pkg:deb/ubuntu/python3-yaml@3.10-4ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=pyyaml", + "type": "application", + "version": "3.10-4ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-2", + "name": "pyyaml", + "purl": "pkg:deb/ubuntu/pyyaml@3.10-4ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.10-4ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-4", + "name": "libtext-wrapi18n-perl", + "purl": "pkg:deb/ubuntu/libtext-wrapi18n-perl@0.06-7?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.06-7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-5", + "name": "ucf", + "purl": "pkg:deb/ubuntu/ucf@3.0027%2Bnmu1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "3.0027%2Bnmu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-6", + "name": "libarchive-extract-perl", + "purl": "pkg:deb/ubuntu/libarchive-extract-perl@0.70-1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.70-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-8", + "name": "libp11-kit0", + "purl": "pkg:deb/ubuntu/libp11-kit0@0.20.2-2ubuntu2?arch=amd64&distro=14.04&epoch=0&source=p11-kit", + "type": "application", + "version": "0.20.2-2ubuntu2" + } + ], + "bom-ref": "comp-7", + "name": "p11-kit", + "purl": "pkg:deb/ubuntu/p11-kit@0.20.2-2ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.20.2-2ubuntu2" + }, + { + "bom-ref": "comp-9", + "name": "libtext-iconv-perl", + "purl": "pkg:deb/ubuntu/libtext-iconv-perl@1.7-5build2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.7-5build2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-11", + "name": "libattr1", + "purl": "pkg:deb/ubuntu/libattr1@2.4.47-1ubuntu1?arch=amd64&distro=14.04&epoch=1&source=attr", + "type": "application", + "version": "2.4.47-1ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-10", + "name": "attr", + "purl": "pkg:deb/ubuntu/attr@2.4.47-1ubuntu1?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "2.4.47-1ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-13", + "name": "iputils-ping", + "purl": "pkg:deb/ubuntu/iputils-ping@20121221-4ubuntu1.1?arch=amd64&distro=14.04&epoch=3&source=iputils", + "type": "application", + "version": "20121221-4ubuntu1.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-12", + "name": "iputils", + "purl": "pkg:deb/ubuntu/iputils@20121221-4ubuntu1.1?arch=amd64&distro=14.04&epoch=3", + "type": "application", + "version": "20121221-4ubuntu1.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-15", + "name": "libgdbm3", + "purl": "pkg:deb/ubuntu/libgdbm3@1.8.3-12build1?arch=amd64&distro=14.04&epoch=0&source=gdbm", + "type": "application", + "version": "1.8.3-12build1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-14", + "name": "gdbm", + "purl": "pkg:deb/ubuntu/gdbm@1.8.3-12build1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.8.3-12build1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-17", + "name": "libudev1", + "purl": "pkg:deb/ubuntu/libudev1@204-5ubuntu20.31?arch=amd64&distro=14.04&epoch=0&source=systemd", + "type": "application", + "version": "204-5ubuntu20.31" + }, + { + "bom-ref": "comp-18", + "name": "udev", + "purl": "pkg:deb/ubuntu/udev@204-5ubuntu20.31?arch=amd64&distro=14.04&epoch=0&source=systemd", + "type": "application", + "version": "204-5ubuntu20.31", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-16", + "name": "systemd", + "purl": "pkg:deb/ubuntu/systemd@204-5ubuntu20.31?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "204-5ubuntu20.31" + }, + { + "bom-ref": "comp-19", + "name": "adduser", + "purl": "pkg:deb/ubuntu/adduser@3.113%2Bnmu3ubuntu3?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "3.113%2Bnmu3ubuntu3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-21", + "name": "libgcc1", + "purl": "pkg:deb/ubuntu/libgcc1@4.9.3-0ubuntu4?arch=amd64&distro=14.04&epoch=0&source=gccgo-4.9", + "type": "application", + "version": "4.9.3-0ubuntu4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-22", + "name": "gcc-4.9-base", + "purl": "pkg:deb/ubuntu/gcc-4.9-base@4.9.3-0ubuntu4?arch=amd64&distro=14.04&epoch=0&source=gccgo-4.9", + "type": "application", + "version": "4.9.3-0ubuntu4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-20", + "name": "gccgo-4.9", + "purl": "pkg:deb/ubuntu/gccgo-4.9@4.9.3-0ubuntu4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.9.3-0ubuntu4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-24", + "name": "libreadline6", + "purl": "pkg:deb/ubuntu/libreadline6@6.3-4ubuntu2?arch=amd64&distro=14.04&epoch=0&source=readline6", + "type": "application", + "version": "6.3-4ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-25", + "name": "readline-common", + "purl": "pkg:deb/ubuntu/readline-common@6.3-4ubuntu2?arch=amd64&distro=14.04&epoch=0&source=readline6", + "type": "application", + "version": "6.3-4ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-23", + "name": "readline6", + "purl": "pkg:deb/ubuntu/readline6@6.3-4ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "6.3-4ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-27", + "name": "libplymouth2", + "purl": "pkg:deb/ubuntu/libplymouth2@0.8.8-0ubuntu17.2?arch=amd64&distro=14.04&epoch=0&source=plymouth", + "type": "application", + "version": "0.8.8-0ubuntu17.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-26", + "name": "plymouth", + "purl": "pkg:deb/ubuntu/plymouth@0.8.8-0ubuntu17.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.8.8-0ubuntu17.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-29", + "name": "liblzma5", + "purl": "pkg:deb/ubuntu/liblzma5@5.1.1alpha%2B20120614-2ubuntu2?arch=amd64&distro=14.04&epoch=0&source=xz-utils", + "type": "application", + "version": "5.1.1alpha%2B20120614-2ubuntu2" + } + ], + "bom-ref": "comp-28", + "name": "xz-utils", + "purl": "pkg:deb/ubuntu/xz-utils@5.1.1alpha%2B20120614-2ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "5.1.1alpha%2B20120614-2ubuntu2" + }, + { + "bom-ref": "comp-30", + "name": "ca-certificates", + "purl": "pkg:deb/ubuntu/ca-certificates@20170717%7E14.04.2?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "20170717%7E14.04.2" + }, + { + "components": [ + { + "bom-ref": "comp-32", + "name": "debconf-i18n", + "purl": "pkg:deb/ubuntu/debconf-i18n@1.5.51ubuntu2?arch=all&distro=14.04&epoch=0&source=debconf", + "type": "application", + "version": "1.5.51ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-31", + "name": "debconf", + "purl": "pkg:deb/ubuntu/debconf@1.5.51ubuntu2?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "1.5.51ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-34", + "name": "libdebconfclient0", + "purl": "pkg:deb/ubuntu/libdebconfclient0@0.187ubuntu1?arch=amd64&distro=14.04&epoch=0&source=cdebconf", + "type": "application", + "version": "0.187ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-33", + "name": "cdebconf", + "purl": "pkg:deb/ubuntu/cdebconf@0.187ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.187ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-35", + "name": "dh-python", + "purl": "pkg:deb/ubuntu/dh-python@1.20140128-1ubuntu8.2?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "1.20140128-1ubuntu8.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-36", + "name": "liblog-message-simple-perl", + "purl": "pkg:deb/ubuntu/liblog-message-simple-perl@0.10-1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.10-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-38", + "name": "libpcre3", + "purl": "pkg:deb/ubuntu/libpcre3@8.31-2ubuntu2.3?arch=amd64&distro=14.04&epoch=1&source=pcre3", + "type": "application", + "version": "8.31-2ubuntu2.3" + } + ], + "bom-ref": "comp-37", + "name": "pcre3", + "purl": "pkg:deb/ubuntu/pcre3@8.31-2ubuntu2.3?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "8.31-2ubuntu2.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-40", + "name": "libsemanage1", + "purl": "pkg:deb/ubuntu/libsemanage1@2.2-1?arch=amd64&distro=14.04&epoch=0&source=libsemanage", + "type": "application", + "version": "2.2-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-41", + "name": "libsemanage-common", + "purl": "pkg:deb/ubuntu/libsemanage-common@2.2-1?arch=amd64&distro=14.04&epoch=0&source=libsemanage", + "type": "application", + "version": "2.2-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-39", + "name": "libsemanage", + "purl": "pkg:deb/ubuntu/libsemanage@2.2-1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.2-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-43", + "name": "libsqlite3-0", + "purl": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=sqlite3", + "type": "application", + "version": "3.8.2-1ubuntu2.2" + } + ], + "bom-ref": "comp-42", + "name": "sqlite3", + "purl": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.8.2-1ubuntu2.2" + }, + { + "bom-ref": "comp-44", + "name": "sed", + "purl": "pkg:deb/ubuntu/sed@4.2.2-4ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.2.2-4ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-46", + "name": "libgnutls-openssl27", + "purl": "pkg:deb/ubuntu/libgnutls-openssl27@2.12.23-12ubuntu2.8?arch=amd64&distro=14.04&epoch=0&source=gnutls26", + "type": "application", + "version": "2.12.23-12ubuntu2.8", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-47", + "name": "libgnutls26", + "purl": "pkg:deb/ubuntu/libgnutls26@2.12.23-12ubuntu2.8?arch=amd64&distro=14.04&epoch=0&source=gnutls26", + "type": "application", + "version": "2.12.23-12ubuntu2.8", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-45", + "name": "gnutls26", + "purl": "pkg:deb/ubuntu/gnutls26@2.12.23-12ubuntu2.8?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.12.23-12ubuntu2.8", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-49", + "name": "libffi6", + "purl": "pkg:deb/ubuntu/libffi6@3.1%7Erc1%2Br3.0.13-12ubuntu0.2?arch=amd64&distro=14.04&epoch=0&source=libffi", + "type": "application", + "version": "3.1%7Erc1%2Br3.0.13-12ubuntu0.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-48", + "name": "libffi", + "purl": "pkg:deb/ubuntu/libffi@3.1%7Erc1%2Br3.0.13-12ubuntu0.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.1%7Erc1%2Br3.0.13-12ubuntu0.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-51", + "name": "libmpdec2", + "purl": "pkg:deb/ubuntu/libmpdec2@2.4.0-6?arch=amd64&distro=14.04&epoch=0&source=mpdecimal", + "type": "application", + "version": "2.4.0-6", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-50", + "name": "mpdecimal", + "purl": "pkg:deb/ubuntu/mpdecimal@2.4.0-6?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.4.0-6", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-53", + "name": "libgssapi-krb5-2", + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5", + "type": "application", + "version": "1.12%2Bdfsg-2ubuntu5.4" + }, + { + "bom-ref": "comp-54", + "name": "libk5crypto3", + "purl": "pkg:deb/ubuntu/libk5crypto3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5", + "type": "application", + "version": "1.12%2Bdfsg-2ubuntu5.4" + }, + { + "bom-ref": "comp-55", + "name": "krb5-locales", + "purl": "pkg:deb/ubuntu/krb5-locales@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5", + "type": "application", + "version": "1.12%2Bdfsg-2ubuntu5.4" + }, + { + "bom-ref": "comp-56", + "name": "libkrb5support0", + "purl": "pkg:deb/ubuntu/libkrb5support0@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5", + "type": "application", + "version": "1.12%2Bdfsg-2ubuntu5.4" + }, + { + "bom-ref": "comp-57", + "name": "libkrb5-3", + "purl": "pkg:deb/ubuntu/libkrb5-3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5", + "type": "application", + "version": "1.12%2Bdfsg-2ubuntu5.4" + } + ], + "bom-ref": "comp-52", + "name": "krb5", + "purl": "pkg:deb/ubuntu/krb5@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.12%2Bdfsg-2ubuntu5.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-58", + "name": "tzdata", + "purl": "pkg:deb/ubuntu/tzdata@2019a-0ubuntu0.14.04?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "2019a-0ubuntu0.14.04", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-60", + "name": "sysv-rc", + "purl": "pkg:deb/ubuntu/sysv-rc@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0&source=sysvinit", + "type": "application", + "version": "2.88dsf-41ubuntu6.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-61", + "name": "initscripts", + "purl": "pkg:deb/ubuntu/initscripts@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0&source=sysvinit", + "type": "application", + "version": "2.88dsf-41ubuntu6.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-62", + "name": "sysvinit-utils", + "purl": "pkg:deb/ubuntu/sysvinit-utils@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0&source=sysvinit", + "type": "application", + "version": "2.88dsf-41ubuntu6.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-59", + "name": "sysvinit", + "purl": "pkg:deb/ubuntu/sysvinit@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "2.88dsf-41ubuntu6.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-63", + "name": "mountall", + "purl": "pkg:deb/ubuntu/mountall@2.53ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.53ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-65", + "name": "libfribidi0", + "purl": "pkg:deb/ubuntu/libfribidi0@0.19.6-1?arch=amd64&distro=14.04&epoch=0&source=fribidi", + "type": "application", + "version": "0.19.6-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-64", + "name": "fribidi", + "purl": "pkg:deb/ubuntu/fribidi@0.19.6-1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.19.6-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-67", + "name": "libkeyutils1", + "purl": "pkg:deb/ubuntu/libkeyutils1@1.5.6-1?arch=amd64&distro=14.04&epoch=0&source=keyutils", + "type": "application", + "version": "1.5.6-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-66", + "name": "keyutils", + "purl": "pkg:deb/ubuntu/keyutils@1.5.6-1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.5.6-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-69", + "name": "lsb-base", + "purl": "pkg:deb/ubuntu/lsb-base@4.1%2BDebian11ubuntu6.2?arch=all&distro=14.04&epoch=0&source=lsb", + "type": "application", + "version": "4.1%2BDebian11ubuntu6.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-70", + "name": "lsb-release", + "purl": "pkg:deb/ubuntu/lsb-release@4.1%2BDebian11ubuntu6.2?arch=all&distro=14.04&epoch=0&source=lsb", + "type": "application", + "version": "4.1%2BDebian11ubuntu6.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-68", + "name": "lsb", + "purl": "pkg:deb/ubuntu/lsb@4.1%2BDebian11ubuntu6.2?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "4.1%2BDebian11ubuntu6.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-71", + "name": "ifupdown", + "purl": "pkg:deb/ubuntu/ifupdown@0.7.47.2ubuntu4.5?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.7.47.2ubuntu4.5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-72", + "name": "ubuntu-keyring", + "purl": "pkg:deb/ubuntu/ubuntu-keyring@2012.05.19?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "2012.05.19", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-74", + "name": "librtmp0", + "purl": "pkg:deb/ubuntu/librtmp0@2.4%2B20121230.gitdf6c518-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=rtmpdump", + "type": "application", + "version": "2.4%2B20121230.gitdf6c518-1ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-73", + "name": "rtmpdump", + "purl": "pkg:deb/ubuntu/rtmpdump@2.4%2B20121230.gitdf6c518-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.4%2B20121230.gitdf6c518-1ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-75", + "name": "ureadahead", + "purl": "pkg:deb/ubuntu/ureadahead@0.100.0-16?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.100.0-16", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-77", + "name": "libldap-2.4-2", + "purl": "pkg:deb/ubuntu/libldap-2.4-2@2.4.31-1%2Bnmu2ubuntu8.5?arch=amd64&distro=14.04&epoch=0&source=openldap", + "type": "application", + "version": "2.4.31-1%2Bnmu2ubuntu8.5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-76", + "name": "openldap", + "purl": "pkg:deb/ubuntu/openldap@2.4.31-1%2Bnmu2ubuntu8.5?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.4.31-1%2Bnmu2ubuntu8.5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-78", + "name": "libtext-charwidth-perl", + "purl": "pkg:deb/ubuntu/libtext-charwidth-perl@0.04-7build3?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.04-7build3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-80", + "name": "apt-transport-https", + "purl": "pkg:deb/ubuntu/apt-transport-https@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt", + "type": "application", + "version": "1.0.1ubuntu2.24", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-81", + "name": "libapt-pkg4.12", + "purl": "pkg:deb/ubuntu/libapt-pkg4.12@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt", + "type": "application", + "version": "1.0.1ubuntu2.24", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-82", + "name": "libapt-inst1.5", + "purl": "pkg:deb/ubuntu/libapt-inst1.5@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt", + "type": "application", + "version": "1.0.1ubuntu2.24", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-83", + "name": "apt-utils", + "purl": "pkg:deb/ubuntu/apt-utils@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt", + "type": "application", + "version": "1.0.1ubuntu2.24", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-79", + "name": "apt", + "purl": "pkg:deb/ubuntu/apt@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.0.1ubuntu2.24" + }, + { + "bom-ref": "comp-84", + "name": "findutils", + "purl": "pkg:deb/ubuntu/findutils@4.4.2-7?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.4.2-7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-85", + "name": "dpkg", + "purl": "pkg:deb/ubuntu/dpkg@1.17.5ubuntu5.8?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.17.5ubuntu5.8", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-86", + "name": "less", + "purl": "pkg:deb/ubuntu/less@458-2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "458-2" + }, + { + "components": [ + { + "bom-ref": "comp-88", + "name": "whiptail", + "purl": "pkg:deb/ubuntu/whiptail@0.52.15-2ubuntu5?arch=amd64&distro=14.04&epoch=0&source=newt", + "type": "application", + "version": "0.52.15-2ubuntu5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-89", + "name": "libnewt0.52", + "purl": "pkg:deb/ubuntu/libnewt0.52@0.52.15-2ubuntu5?arch=amd64&distro=14.04&epoch=0&source=newt", + "type": "application", + "version": "0.52.15-2ubuntu5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-87", + "name": "newt", + "purl": "pkg:deb/ubuntu/newt@0.52.15-2ubuntu5?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.52.15-2ubuntu5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-91", + "name": "libhx509-5-heimdal", + "purl": "pkg:deb/ubuntu/libhx509-5-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2" + }, + { + "bom-ref": "comp-92", + "name": "libroken18-heimdal", + "purl": "pkg:deb/ubuntu/libroken18-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-93", + "name": "libhcrypto4-heimdal", + "purl": "pkg:deb/ubuntu/libhcrypto4-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-94", + "name": "libwind0-heimdal", + "purl": "pkg:deb/ubuntu/libwind0-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2" + }, + { + "bom-ref": "comp-95", + "name": "libheimntlm0-heimdal", + "purl": "pkg:deb/ubuntu/libheimntlm0-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-96", + "name": "libheimbase1-heimdal", + "purl": "pkg:deb/ubuntu/libheimbase1-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-97", + "name": "libgssapi3-heimdal", + "purl": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2" + }, + { + "bom-ref": "comp-98", + "name": "libasn1-8-heimdal", + "purl": "pkg:deb/ubuntu/libasn1-8-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2" + }, + { + "bom-ref": "comp-99", + "name": "libkrb5-26-heimdal", + "purl": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2" + } + ], + "bom-ref": "comp-90", + "name": "heimdal", + "purl": "pkg:deb/ubuntu/heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.6%7Egit20131207%2Bdfsg-1ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-100", + "name": "lockfile-progs", + "purl": "pkg:deb/ubuntu/lockfile-progs@0.1.17?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.1.17", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-101", + "name": "libtext-soundex-perl", + "purl": "pkg:deb/ubuntu/libtext-soundex-perl@3.4-1build1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.4-1build1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-102", + "name": "sudo", + "purl": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.8.9p5-1ubuntu1.4" + }, + { + "components": [ + { + "bom-ref": "comp-104", + "name": "libcgmanager0", + "purl": "pkg:deb/ubuntu/libcgmanager0@0.24-0ubuntu7.5?arch=amd64&distro=14.04&epoch=0&source=cgmanager", + "type": "application", + "version": "0.24-0ubuntu7.5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-103", + "name": "cgmanager", + "purl": "pkg:deb/ubuntu/cgmanager@0.24-0ubuntu7.5?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.24-0ubuntu7.5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-105", + "name": "liblocale-gettext-perl", + "purl": "pkg:deb/ubuntu/liblocale-gettext-perl@1.05-7build3?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.05-7build3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-107", + "name": "python3-pkg-resources", + "purl": "pkg:deb/ubuntu/python3-pkg-resources@3.3-1ubuntu2?arch=all&distro=14.04&epoch=0&source=python-setuptools", + "type": "application", + "version": "3.3-1ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-106", + "name": "python-setuptools", + "purl": "pkg:deb/ubuntu/python-setuptools@3.3-1ubuntu2?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "3.3-1ubuntu2" + }, + { + "bom-ref": "comp-108", + "name": "coreutils", + "purl": "pkg:deb/ubuntu/coreutils@8.21-1ubuntu5.4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "8.21-1ubuntu5.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-110", + "name": "libdbus-1-3", + "purl": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64&distro=14.04&epoch=0&source=dbus", + "type": "application", + "version": "1.6.18-0ubuntu4.5" + } + ], + "bom-ref": "comp-109", + "name": "dbus", + "purl": "pkg:deb/ubuntu/dbus@1.6.18-0ubuntu4.5?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.6.18-0ubuntu4.5" + }, + { + "components": [ + { + "bom-ref": "comp-112", + "name": "libuuid1", + "purl": "pkg:deb/ubuntu/libuuid1@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux", + "type": "application", + "version": "2.20.1-5.1ubuntu20.9", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-113", + "name": "bsdutils", + "purl": "pkg:deb/ubuntu/bsdutils@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux", + "type": "application", + "version": "2.20.1-5.1ubuntu20.9", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-114", + "name": "libmount1", + "purl": "pkg:deb/ubuntu/libmount1@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux", + "type": "application", + "version": "2.20.1-5.1ubuntu20.9", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-115", + "name": "mount", + "purl": "pkg:deb/ubuntu/mount@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux", + "type": "application", + "version": "2.20.1-5.1ubuntu20.9", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-116", + "name": "libblkid1", + "purl": "pkg:deb/ubuntu/libblkid1@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux", + "type": "application", + "version": "2.20.1-5.1ubuntu20.9", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-111", + "name": "util-linux", + "purl": "pkg:deb/ubuntu/util-linux@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.20.1-5.1ubuntu20.9", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-117", + "name": "gzip", + "purl": "pkg:deb/ubuntu/gzip@1.6-3ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.6-3ubuntu1" + }, + { + "components": [ + { + "bom-ref": "comp-119", + "name": "libidn11", + "purl": "pkg:deb/ubuntu/libidn11@1.28-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=libidn", + "type": "application", + "version": "1.28-1ubuntu2.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-118", + "name": "libidn", + "purl": "pkg:deb/ubuntu/libidn@1.28-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.28-1ubuntu2.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-121", + "name": "initramfs-tools-bin", + "purl": "pkg:deb/ubuntu/initramfs-tools-bin@0.103ubuntu4.11?arch=all&distro=14.04&epoch=0&source=initramfs-tools", + "type": "application", + "version": "0.103ubuntu4.11", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-120", + "name": "initramfs-tools", + "purl": "pkg:deb/ubuntu/initramfs-tools@0.103ubuntu4.11?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.103ubuntu4.11", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-123", + "name": "libpython3-stdlib", + "purl": "pkg:deb/ubuntu/libpython3-stdlib@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=python3-defaults", + "type": "application", + "version": "3.4.0-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-124", + "name": "python3-minimal", + "purl": "pkg:deb/ubuntu/python3-minimal@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=python3-defaults", + "type": "application", + "version": "3.4.0-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-125", + "name": "python3", + "purl": "pkg:deb/ubuntu/python3@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=python3-defaults", + "type": "application", + "version": "3.4.0-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-122", + "name": "python3-defaults", + "purl": "pkg:deb/ubuntu/python3-defaults@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.4.0-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-126", + "name": "netbase", + "purl": "pkg:deb/ubuntu/netbase@5.2?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "5.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-127", + "name": "netcat-openbsd", + "purl": "pkg:deb/ubuntu/netcat-openbsd@1.105-7ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.105-7ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-129", + "name": "keyboard-configuration", + "purl": "pkg:deb/ubuntu/keyboard-configuration@1.70ubuntu8?arch=all&distro=14.04&epoch=0&source=console-setup", + "type": "application", + "version": "1.70ubuntu8", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-128", + "name": "console-setup", + "purl": "pkg:deb/ubuntu/console-setup@1.70ubuntu8?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "1.70ubuntu8", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-131", + "name": "libpam-cap", + "purl": "pkg:deb/ubuntu/libpam-cap@2.24-0ubuntu2?arch=amd64&distro=14.04&epoch=1&source=libcap2", + "type": "application", + "version": "2.24-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-132", + "name": "libcap2-bin", + "purl": "pkg:deb/ubuntu/libcap2-bin@2.24-0ubuntu2?arch=amd64&distro=14.04&epoch=1&source=libcap2", + "type": "application", + "version": "2.24-0ubuntu2" + } + ], + "bom-ref": "comp-130", + "name": "libcap2", + "purl": "pkg:deb/ubuntu/libcap2@2.24-0ubuntu2?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "2.24-0ubuntu2" + }, + { + "bom-ref": "comp-133", + "name": "debianutils", + "purl": "pkg:deb/ubuntu/debianutils@4.4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-135", + "name": "libcurl3-gnutls", + "purl": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64&distro=14.04&epoch=0&source=curl", + "type": "application", + "version": "7.35.0-1ubuntu2.20" + } + ], + "bom-ref": "comp-134", + "name": "curl", + "purl": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "7.35.0-1ubuntu2.20" + }, + { + "components": [ + { + "bom-ref": "comp-137", + "name": "libusb-0.1-4", + "purl": "pkg:deb/ubuntu/libusb-0.1-4@0.1.12-23.3ubuntu1?arch=amd64&distro=14.04&epoch=2&source=libusb", + "type": "application", + "version": "0.1.12-23.3ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-136", + "name": "libusb", + "purl": "pkg:deb/ubuntu/libusb@0.1.12-23.3ubuntu1?arch=amd64&distro=14.04&epoch=2", + "type": "application", + "version": "0.1.12-23.3ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-139", + "name": "libmagic1", + "purl": "pkg:deb/ubuntu/libmagic1@5.14-2ubuntu3.4?arch=amd64&distro=14.04&epoch=1&source=file", + "type": "application", + "version": "5.14-2ubuntu3.4" + } + ], + "bom-ref": "comp-138", + "name": "file", + "purl": "pkg:deb/ubuntu/file@5.14-2ubuntu3.4?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "5.14-2ubuntu3.4" + }, + { + "components": [ + { + "bom-ref": "comp-141", + "name": "zlib1g", + "purl": "pkg:deb/ubuntu/zlib1g@1.2.8.dfsg-1ubuntu1.1?arch=amd64&distro=14.04&epoch=1&source=zlib", + "type": "application", + "version": "1.2.8.dfsg-1ubuntu1.1" + } + ], + "bom-ref": "comp-140", + "name": "zlib", + "purl": "pkg:deb/ubuntu/zlib@1.2.8.dfsg-1ubuntu1.1?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "1.2.8.dfsg-1ubuntu1.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-142", + "name": "base-passwd", + "purl": "pkg:deb/ubuntu/base-passwd@3.5.33?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.5.33", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-143", + "name": "hostname", + "purl": "pkg:deb/ubuntu/hostname@3.15ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.15ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-144", + "name": "mime-support", + "purl": "pkg:deb/ubuntu/mime-support@3.54ubuntu1.1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "3.54ubuntu1.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-146", + "name": "gpgv", + "purl": "pkg:deb/ubuntu/gpgv@1.4.16-1ubuntu2.6?arch=amd64&distro=14.04&epoch=0&source=gnupg", + "type": "application", + "version": "1.4.16-1ubuntu2.6", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-145", + "name": "gnupg", + "purl": "pkg:deb/ubuntu/gnupg@1.4.16-1ubuntu2.6?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.4.16-1ubuntu2.6" + }, + { + "components": [ + { + "bom-ref": "comp-148", + "name": "ncurses-base", + "purl": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses", + "type": "application", + "version": "5.9%2B20140118-1ubuntu1" + }, + { + "bom-ref": "comp-149", + "name": "ncurses-bin", + "purl": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses", + "type": "application", + "version": "5.9%2B20140118-1ubuntu1" + }, + { + "bom-ref": "comp-150", + "name": "libncurses5", + "purl": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses", + "type": "application", + "version": "5.9%2B20140118-1ubuntu1" + }, + { + "bom-ref": "comp-151", + "name": "libncursesw5", + "purl": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses", + "type": "application", + "version": "5.9%2B20140118-1ubuntu1" + }, + { + "bom-ref": "comp-152", + "name": "libtinfo5", + "purl": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses", + "type": "application", + "version": "5.9%2B20140118-1ubuntu1" + } + ], + "bom-ref": "comp-147", + "name": "ncurses", + "purl": "pkg:deb/ubuntu/ncurses@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "5.9%2B20140118-1ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-154", + "name": "libdrm2", + "purl": "pkg:deb/ubuntu/libdrm2@2.4.67-1ubuntu0.14.04.2?arch=amd64&distro=14.04&epoch=0&source=libdrm", + "type": "application", + "version": "2.4.67-1ubuntu0.14.04.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-153", + "name": "libdrm", + "purl": "pkg:deb/ubuntu/libdrm@2.4.67-1ubuntu0.14.04.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.4.67-1ubuntu0.14.04.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-155", + "name": "grep", + "purl": "pkg:deb/ubuntu/grep@2.16-1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.16-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-157", + "name": "isc-dhcp-common", + "purl": "pkg:deb/ubuntu/isc-dhcp-common@4.2.4-7ubuntu12.13?arch=amd64&distro=14.04&epoch=0&source=isc-dhcp", + "type": "application", + "version": "4.2.4-7ubuntu12.13", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-158", + "name": "isc-dhcp-client", + "purl": "pkg:deb/ubuntu/isc-dhcp-client@4.2.4-7ubuntu12.13?arch=amd64&distro=14.04&epoch=0&source=isc-dhcp", + "type": "application", + "version": "4.2.4-7ubuntu12.13" + } + ], + "bom-ref": "comp-156", + "name": "isc-dhcp", + "purl": "pkg:deb/ubuntu/isc-dhcp@4.2.4-7ubuntu12.13?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.2.4-7ubuntu12.13", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-160", + "name": "vim-common", + "purl": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64&distro=14.04&epoch=2&source=vim", + "type": "application", + "version": "7.4.052-1ubuntu3.1" + }, + { + "bom-ref": "comp-161", + "name": "vim-tiny", + "purl": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64&distro=14.04&epoch=2&source=vim", + "type": "application", + "version": "7.4.052-1ubuntu3.1" + } + ], + "bom-ref": "comp-159", + "name": "vim", + "purl": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64&distro=14.04&epoch=2", + "type": "application", + "version": "7.4.052-1ubuntu3.1" + }, + { + "components": [ + { + "bom-ref": "comp-163", + "name": "libacl1", + "purl": "pkg:deb/ubuntu/libacl1@2.2.52-1?arch=amd64&distro=14.04&epoch=0&source=acl", + "type": "application", + "version": "2.2.52-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-162", + "name": "acl", + "purl": "pkg:deb/ubuntu/acl@2.2.52-1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.2.52-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-165", + "name": "libbsd0", + "purl": "pkg:deb/ubuntu/libbsd0@0.6.0-2ubuntu1?arch=amd64&distro=14.04&epoch=0&source=libbsd", + "type": "application", + "version": "0.6.0-2ubuntu1" + } + ], + "bom-ref": "comp-164", + "name": "libbsd", + "purl": "pkg:deb/ubuntu/libbsd@0.6.0-2ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.6.0-2ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-167", + "name": "libexpat1", + "purl": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64&distro=14.04&epoch=0&source=expat", + "type": "application", + "version": "2.1.0-4ubuntu1.4" + } + ], + "bom-ref": "comp-166", + "name": "expat", + "purl": "pkg:deb/ubuntu/expat@2.1.0-4ubuntu1.4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.1.0-4ubuntu1.4" + }, + { + "bom-ref": "comp-168", + "name": "eject", + "purl": "pkg:deb/ubuntu/eject@2.1.5%2Bdeb1%2Bcvs20081104-13.1ubuntu0.14.04.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.1.5%2Bdeb1%2Bcvs20081104-13.1ubuntu0.14.04.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-169", + "name": "rsyslog", + "purl": "pkg:deb/ubuntu/rsyslog@7.4.4-1ubuntu2.7?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "7.4.4-1ubuntu2.7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-170", + "name": "libgcrypt11", + "purl": "pkg:deb/ubuntu/libgcrypt11@1.5.3-2ubuntu4.6?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.5.3-2ubuntu4.6" + }, + { + "bom-ref": "comp-171", + "name": "sensible-utils", + "purl": "pkg:deb/ubuntu/sensible-utils@0.0.9ubuntu0.14.04.1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.0.9ubuntu0.14.04.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-172", + "name": "tar", + "purl": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.27.1-1ubuntu0.1" + }, + { + "bom-ref": "comp-173", + "name": "base-files", + "purl": "pkg:deb/ubuntu/base-files@7.2ubuntu5.6?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "7.2ubuntu5.6", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-175", + "name": "libbz2-1.0", + "purl": "pkg:deb/ubuntu/libbz2-1.0@1.0.6-5?arch=amd64&distro=14.04&epoch=0&source=bzip2", + "type": "application", + "version": "1.0.6-5" + } + ], + "bom-ref": "comp-174", + "name": "bzip2", + "purl": "pkg:deb/ubuntu/bzip2@1.0.6-5?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.0.6-5" + }, + { + "bom-ref": "comp-176", + "name": "libterm-ui-perl", + "purl": "pkg:deb/ubuntu/libterm-ui-perl@0.42-1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.42-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-177", + "name": "upstart", + "purl": "pkg:deb/ubuntu/upstart@1.12.1-0ubuntu4.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.12.1-0ubuntu4.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-179", + "name": "libnih1", + "purl": "pkg:deb/ubuntu/libnih1@1.0.3-4ubuntu25?arch=amd64&distro=14.04&epoch=0&source=libnih", + "type": "application", + "version": "1.0.3-4ubuntu25", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-180", + "name": "libnih-dbus1", + "purl": "pkg:deb/ubuntu/libnih-dbus1@1.0.3-4ubuntu25?arch=amd64&distro=14.04&epoch=0&source=libnih", + "type": "application", + "version": "1.0.3-4ubuntu25", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-178", + "name": "libnih", + "purl": "pkg:deb/ubuntu/libnih@1.0.3-4ubuntu25?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.0.3-4ubuntu25", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-181", + "name": "dash", + "purl": "pkg:deb/ubuntu/dash@0.5.7-4ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.5.7-4ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-182", + "name": "net-tools", + "purl": "pkg:deb/ubuntu/net-tools@1.60-25ubuntu2.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.60-25ubuntu2.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-184", + "name": "libklibc", + "purl": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64&distro=14.04&epoch=0&source=klibc", + "type": "application", + "version": "2.0.3-0ubuntu1.14.04.3" + }, + { + "bom-ref": "comp-185", + "name": "klibc-utils", + "purl": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64&distro=14.04&epoch=0&source=klibc", + "type": "application", + "version": "2.0.3-0ubuntu1.14.04.3" + } + ], + "bom-ref": "comp-183", + "name": "klibc", + "purl": "pkg:deb/ubuntu/klibc@2.0.3-0ubuntu1.14.04.3?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.0.3-0ubuntu1.14.04.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-187", + "name": "ntpdate", + "purl": "pkg:deb/ubuntu/ntpdate@4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13?arch=amd64&distro=14.04&epoch=1&source=ntp", + "type": "application", + "version": "4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-186", + "name": "ntp", + "purl": "pkg:deb/ubuntu/ntp@4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13" + }, + { + "bom-ref": "comp-188", + "name": "iproute2", + "purl": "pkg:deb/ubuntu/iproute2@3.12.0-2ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.12.0-2ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-190", + "name": "libpam0g", + "purl": "pkg:deb/ubuntu/libpam0g@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam", + "type": "application", + "version": "1.1.8-1ubuntu2.2" + }, + { + "bom-ref": "comp-191", + "name": "libpam-modules", + "purl": "pkg:deb/ubuntu/libpam-modules@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam", + "type": "application", + "version": "1.1.8-1ubuntu2.2" + }, + { + "bom-ref": "comp-192", + "name": "libpam-runtime", + "purl": "pkg:deb/ubuntu/libpam-runtime@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam", + "type": "application", + "version": "1.1.8-1ubuntu2.2" + }, + { + "bom-ref": "comp-193", + "name": "libpam-modules-bin", + "purl": "pkg:deb/ubuntu/libpam-modules-bin@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam", + "type": "application", + "version": "1.1.8-1ubuntu2.2" + } + ], + "bom-ref": "comp-189", + "name": "pam", + "purl": "pkg:deb/ubuntu/pam@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.1.8-1ubuntu2.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-195", + "name": "perl-modules", + "purl": "pkg:deb/ubuntu/perl-modules@5.18.2-2ubuntu1.7?arch=all&distro=14.04&epoch=0&source=perl", + "type": "application", + "version": "5.18.2-2ubuntu1.7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-196", + "name": "perl-base", + "purl": "pkg:deb/ubuntu/perl-base@5.18.2-2ubuntu1.7?arch=all&distro=14.04&epoch=0&source=perl", + "type": "application", + "version": "5.18.2-2ubuntu1.7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-194", + "name": "perl", + "purl": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "5.18.2-2ubuntu1.7" + }, + { + "components": [ + { + "bom-ref": "comp-198", + "name": "libsepol1", + "purl": "pkg:deb/ubuntu/libsepol1@2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=libsepol", + "type": "application", + "version": "2.2-1ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-197", + "name": "libsepol", + "purl": "pkg:deb/ubuntu/libsepol@2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.2-1ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-199", + "name": "cron", + "purl": "pkg:deb/ubuntu/cron@3.0pl1-124ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.0pl1-124ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-201", + "name": "ubuntu-minimal", + "purl": "pkg:deb/ubuntu/ubuntu-minimal@1.325.1?arch=amd64&distro=14.04&epoch=0&source=ubuntu-meta", + "type": "application", + "version": "1.325.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-200", + "name": "ubuntu-meta", + "purl": "pkg:deb/ubuntu/ubuntu-meta@1.325.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.325.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-202", + "name": "makedev", + "purl": "pkg:deb/ubuntu/makedev@2.3.1-93ubuntu2%7Eubuntu14.04.1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "2.3.1-93ubuntu2%7Eubuntu14.04.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-204", + "name": "libpopt0", + "purl": "pkg:deb/ubuntu/libpopt0@1.16-8ubuntu1?arch=amd64&distro=14.04&epoch=0&source=popt", + "type": "application", + "version": "1.16-8ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-203", + "name": "popt", + "purl": "pkg:deb/ubuntu/popt@1.16-8ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.16-8ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-206", + "name": "libjson-c2", + "purl": "pkg:deb/ubuntu/libjson-c2@0.11-3ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=json-c", + "type": "application", + "version": "0.11-3ubuntu1.2" + }, + { + "bom-ref": "comp-207", + "name": "libjson0", + "purl": "pkg:deb/ubuntu/libjson0@0.11-3ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=json-c", + "type": "application", + "version": "0.11-3ubuntu1.2" + } + ], + "bom-ref": "comp-205", + "name": "json-c", + "purl": "pkg:deb/ubuntu/json-c@0.11-3ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.11-3ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-209", + "name": "libslang2", + "purl": "pkg:deb/ubuntu/libslang2@2.2.4-15ubuntu1?arch=amd64&distro=14.04&epoch=0&source=slang2", + "type": "application", + "version": "2.2.4-15ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-208", + "name": "slang2", + "purl": "pkg:deb/ubuntu/slang2@2.2.4-15ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.2.4-15ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-210", + "name": "libtasn1-6", + "purl": "pkg:deb/ubuntu/libtasn1-6@3.4-3ubuntu0.6?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.4-3ubuntu0.6", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-212", + "name": "libdevmapper1.02.1", + "purl": "pkg:deb/ubuntu/libdevmapper1.02.1@2.02.98-6ubuntu2?arch=amd64&distro=14.04&epoch=0&source=lvm2", + "type": "application", + "version": "2.02.98-6ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-213", + "name": "dmsetup", + "purl": "pkg:deb/ubuntu/dmsetup@2.02.98-6ubuntu2?arch=amd64&distro=14.04&epoch=0&source=lvm2", + "type": "application", + "version": "2.02.98-6ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-211", + "name": "lvm2", + "purl": "pkg:deb/ubuntu/lvm2@2.02.98-6ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.02.98-6ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-214", + "name": "libmodule-pluggable-perl", + "purl": "pkg:deb/ubuntu/libmodule-pluggable-perl@5.1-1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "5.1-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-216", + "name": "libc-bin", + "purl": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0&source=eglibc", + "type": "application", + "version": "2.19-0ubuntu6.15" + }, + { + "bom-ref": "comp-217", + "name": "multiarch-support", + "purl": "pkg:deb/ubuntu/multiarch-support@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0&source=eglibc", + "type": "application", + "version": "2.19-0ubuntu6.15", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-218", + "name": "libc6", + "purl": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0&source=eglibc", + "type": "application", + "version": "2.19-0ubuntu6.15" + } + ], + "bom-ref": "comp-215", + "name": "eglibc", + "purl": "pkg:deb/ubuntu/eglibc@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.19-0ubuntu6.15", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-220", + "name": "libaudit1", + "purl": "pkg:deb/ubuntu/libaudit1@2.3.2-2ubuntu1?arch=amd64&distro=14.04&epoch=1&source=audit", + "type": "application", + "version": "2.3.2-2ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-221", + "name": "libaudit-common", + "purl": "pkg:deb/ubuntu/libaudit-common@2.3.2-2ubuntu1?arch=amd64&distro=14.04&epoch=1&source=audit", + "type": "application", + "version": "2.3.2-2ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-219", + "name": "audit", + "purl": "pkg:deb/ubuntu/audit@2.3.2-2ubuntu1?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "2.3.2-2ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-223", + "name": "libpng12-0", + "purl": "pkg:deb/ubuntu/libpng12-0@1.2.50-1ubuntu2.14.04.3?arch=amd64&distro=14.04&epoch=0&source=libpng", + "type": "application", + "version": "1.2.50-1ubuntu2.14.04.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-222", + "name": "libpng", + "purl": "pkg:deb/ubuntu/libpng@1.2.50-1ubuntu2.14.04.3?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.2.50-1ubuntu2.14.04.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-225", + "name": "libpython3.4-minimal", + "purl": "pkg:deb/ubuntu/libpython3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64&distro=14.04&epoch=0&source=python3.4", + "type": "application", + "version": "3.4.3-1ubuntu1%7E14.04.7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "bom-ref": "comp-226", + "name": "python3.4-minimal", + "purl": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64&distro=14.04&epoch=0&source=python3.4", + "type": "application", + "version": "3.4.3-1ubuntu1%7E14.04.7" + }, + { + "bom-ref": "comp-227", + "name": "libpython3.4-stdlib", + "purl": "pkg:deb/ubuntu/libpython3.4-stdlib@3.4.3-1ubuntu1%7E14.04.7?arch=amd64&distro=14.04&epoch=0&source=python3.4", + "type": "application", + "version": "3.4.3-1ubuntu1%7E14.04.7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-224", + "name": "python3.4", + "purl": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.4.3-1ubuntu1%7E14.04.7" + }, + { + "bom-ref": "comp-228", + "name": "diffutils", + "purl": "pkg:deb/ubuntu/diffutils@3.3-1?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "3.3-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-229", + "name": "logrotate", + "purl": "pkg:deb/ubuntu/logrotate@3.8.7-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "3.8.7-1ubuntu1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-230", + "name": "ubuntu-advantage-tools", + "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@19.6%7Eubuntu14.04.3?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "19.6%7Eubuntu14.04.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-232", + "name": "libssl1.0.0", + "purl": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64&distro=14.04&epoch=0&source=openssl", + "type": "application", + "version": "1.0.1f-1ubuntu2.27" + } + ], + "bom-ref": "comp-231", + "name": "openssl", + "purl": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.0.1f-1ubuntu2.27" + }, + { + "components": [ + { + "bom-ref": "comp-234", + "name": "libestr0", + "purl": "pkg:deb/ubuntu/libestr0@0.1.9-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=libestr", + "type": "application", + "version": "0.1.9-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-233", + "name": "libestr", + "purl": "pkg:deb/ubuntu/libestr@0.1.9-0ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.1.9-0ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-235", + "name": "kbd", + "purl": "pkg:deb/ubuntu/kbd@1.15.5-1ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.15.5-1ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-237", + "name": "libustr-1.0-1", + "purl": "pkg:deb/ubuntu/libustr-1.0-1@1.0.4-3ubuntu2?arch=amd64&distro=14.04&epoch=0&source=ustr", + "type": "application", + "version": "1.0.4-3ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-236", + "name": "ustr", + "purl": "pkg:deb/ubuntu/ustr@1.0.4-3ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.0.4-3ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-238", + "name": "mawk", + "purl": "pkg:deb/ubuntu/mawk@1.3.3-17ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.3.3-17ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-240", + "name": "gcc-4.8-base", + "purl": "pkg:deb/ubuntu/gcc-4.8-base@4.8.4-2ubuntu1%7E14.04.4?arch=amd64&distro=14.04&epoch=0&source=gcc-4.8", + "type": "application", + "version": "4.8.4-2ubuntu1%7E14.04.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-241", + "name": "libstdc%2B%2B6", + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@4.8.4-2ubuntu1%7E14.04.4?arch=amd64&distro=14.04&epoch=0&source=gcc-4.8", + "type": "application", + "version": "4.8.4-2ubuntu1%7E14.04.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-239", + "name": "gcc-4.8", + "purl": "pkg:deb/ubuntu/gcc-4.8@4.8.4-2ubuntu1%7E14.04.4?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.8.4-2ubuntu1%7E14.04.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-242", + "name": "insserv", + "purl": "pkg:deb/ubuntu/insserv@1.14.0-5ubuntu2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.14.0-5ubuntu2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-243", + "name": "init-system-helpers", + "purl": "pkg:deb/ubuntu/init-system-helpers@1.14ubuntu1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "1.14ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-244", + "name": "resolvconf", + "purl": "pkg:deb/ubuntu/resolvconf@1.69ubuntu1.4?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "1.69ubuntu1.4", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-246", + "name": "xkb-data", + "purl": "pkg:deb/ubuntu/xkb-data@2.10.1-1ubuntu1?arch=all&distro=14.04&epoch=0&source=xkeyboard-config", + "type": "application", + "version": "2.10.1-1ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-245", + "name": "xkeyboard-config", + "purl": "pkg:deb/ubuntu/xkeyboard-config@2.10.1-1ubuntu1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "2.10.1-1ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-248", + "name": "libdb5.3", + "purl": "pkg:deb/ubuntu/libdb5.3@5.3.28-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0&source=db5.3", + "type": "application", + "version": "5.3.28-3ubuntu3.1" + } + ], + "bom-ref": "comp-247", + "name": "db5.3", + "purl": "pkg:deb/ubuntu/db5.3@5.3.28-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "5.3.28-3ubuntu3.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-249", + "name": "bash", + "purl": "pkg:deb/ubuntu/bash@4.3-7ubuntu1.7?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "4.3-7ubuntu1.7" + }, + { + "components": [ + { + "bom-ref": "comp-251", + "name": "module-init-tools", + "purl": "pkg:deb/ubuntu/module-init-tools@15-0ubuntu7?arch=all&distro=14.04&epoch=0&source=kmod", + "type": "application", + "version": "15-0ubuntu7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-252", + "name": "libkmod2", + "purl": "pkg:deb/ubuntu/libkmod2@15-0ubuntu7?arch=all&distro=14.04&epoch=0&source=kmod", + "type": "application", + "version": "15-0ubuntu7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-250", + "name": "kmod", + "purl": "pkg:deb/ubuntu/kmod@15-0ubuntu7?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "15-0ubuntu7", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-254", + "name": "libprocps3", + "purl": "pkg:deb/ubuntu/libprocps3@3.3.9-1ubuntu2.3?arch=amd64&distro=14.04&epoch=1&source=procps", + "type": "application", + "version": "3.3.9-1ubuntu2.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-253", + "name": "procps", + "purl": "pkg:deb/ubuntu/procps@3.3.9-1ubuntu2.3?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "3.3.9-1ubuntu2.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-256", + "name": "liblockfile-bin", + "purl": "pkg:deb/ubuntu/liblockfile-bin@1.09-6ubuntu1?arch=amd64&distro=14.04&epoch=0&source=liblockfile", + "type": "application", + "version": "1.09-6ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-257", + "name": "liblockfile1", + "purl": "pkg:deb/ubuntu/liblockfile1@1.09-6ubuntu1?arch=amd64&distro=14.04&epoch=0&source=liblockfile", + "type": "application", + "version": "1.09-6ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-255", + "name": "liblockfile", + "purl": "pkg:deb/ubuntu/liblockfile@1.09-6ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.09-6ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-258", + "name": "libpod-latex-perl", + "purl": "pkg:deb/ubuntu/libpod-latex-perl@0.61-1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "0.61-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-260", + "name": "libyaml-0-2", + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.1.4-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0&source=libyaml", + "type": "application", + "version": "0.1.4-3ubuntu3.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] + } + ], + "bom-ref": "comp-259", + "name": "libyaml", + "purl": "pkg:deb/ubuntu/libyaml@0.1.4-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "0.1.4-3ubuntu3.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-262", + "name": "busybox-initramfs", + "purl": "pkg:deb/ubuntu/busybox-initramfs@1.21.0-1ubuntu1.4?arch=amd64&distro=14.04&epoch=1&source=busybox", + "type": "application", + "version": "1.21.0-1ubuntu1.4" + } + ], + "bom-ref": "comp-261", + "name": "busybox", + "purl": "pkg:deb/ubuntu/busybox@1.21.0-1ubuntu1.4?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "1.21.0-1ubuntu1.4" + }, + { + "components": [ + { + "bom-ref": "comp-264", + "name": "libselinux1", + "purl": "pkg:deb/ubuntu/libselinux1@2.2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=libselinux", + "type": "application", + "version": "2.2.2-1ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-263", + "name": "libselinux", + "purl": "pkg:deb/ubuntu/libselinux@2.2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.2.2-1ubuntu0.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-265", + "name": "cpio", + "purl": "pkg:deb/ubuntu/cpio@2.11%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.11%2Bdfsg-1ubuntu1.2" + }, + { + "components": [ + { + "bom-ref": "comp-267", + "name": "login", + "purl": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64&distro=14.04&epoch=1&source=shadow", + "type": "application", + "version": "4.1.5.1-1ubuntu9.5" + }, + { + "bom-ref": "comp-268", + "name": "passwd", + "purl": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64&distro=14.04&epoch=1&source=shadow", + "type": "application", + "version": "4.1.5.1-1ubuntu9.5" + } + ], + "bom-ref": "comp-266", + "name": "shadow", + "purl": "pkg:deb/ubuntu/shadow@4.1.5.1-1ubuntu9.5?arch=amd64&distro=14.04&epoch=1", + "type": "application", + "version": "4.1.5.1-1ubuntu9.5", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-270", + "name": "libgpg-error0", + "purl": "pkg:deb/ubuntu/libgpg-error0@1.12-0.2ubuntu1?arch=amd64&distro=14.04&epoch=0&source=libgpg-error", + "type": "application", + "version": "1.12-0.2ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-269", + "name": "libgpg-error", + "purl": "pkg:deb/ubuntu/libgpg-error@1.12-0.2ubuntu1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.12-0.2ubuntu1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-272", + "name": "locales", + "purl": "pkg:deb/ubuntu/locales@2.13%2Bgit20120306-12.1?arch=all&distro=14.04&epoch=0&source=langpack-locales", + "type": "application", + "version": "2.13%2Bgit20120306-12.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-271", + "name": "langpack-locales", + "purl": "pkg:deb/ubuntu/langpack-locales@2.13%2Bgit20120306-12.1?arch=all&distro=14.04&epoch=0", + "type": "application", + "version": "2.13%2Bgit20120306-12.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "components": [ + { + "bom-ref": "comp-274", + "name": "e2fslibs", + "purl": "pkg:deb/ubuntu/e2fslibs@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0&source=e2fsprogs", + "type": "application", + "version": "1.42.9-3ubuntu1.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-275", + "name": "libcomerr2", + "purl": "pkg:deb/ubuntu/libcomerr2@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0&source=e2fsprogs", + "type": "application", + "version": "1.42.9-3ubuntu1.3", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-276", + "name": "libss2", + "purl": "pkg:deb/ubuntu/libss2@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0&source=e2fsprogs", + "type": "application", + "version": "1.42.9-3ubuntu1.3" + } + ], + "bom-ref": "comp-273", + "name": "e2fsprogs", + "purl": "pkg:deb/ubuntu/e2fsprogs@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "1.42.9-3ubuntu1.3" + }, + { + "components": [ + { + "bom-ref": "comp-278", + "name": "libsasl2-modules", + "purl": "pkg:deb/ubuntu/libsasl2-modules@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0&source=cyrus-sasl2", + "type": "application", + "version": "2.1.25.dfsg1-17build1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-279", + "name": "libsasl2-2", + "purl": "pkg:deb/ubuntu/libsasl2-2@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0&source=cyrus-sasl2", + "type": "application", + "version": "2.1.25.dfsg1-17build1" + }, + { + "bom-ref": "comp-280", + "name": "libsasl2-modules-db", + "purl": "pkg:deb/ubuntu/libsasl2-modules-db@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0&source=cyrus-sasl2", + "type": "application", + "version": "2.1.25.dfsg1-17build1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + } + ], + "bom-ref": "comp-277", + "name": "cyrus-sasl2", + "purl": "pkg:deb/ubuntu/cyrus-sasl2@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0", + "type": "application", + "version": "2.1.25.dfsg1-17build1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-281", + "name": "Python", + "purl": "pkg:pypi/Python@2.7.6", + "type": "library", + "version": "2.7.6", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:path", + "value": "/usr/lib/python2.7/lib-dynload/Python-2.7.egg-info" + }, + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-282", + "name": "argparse", + "purl": "pkg:pypi/argparse@1.2.1", + "type": "library", + "version": "1.2.1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:path", + "value": "/usr/lib/python2.7/argparse.egg-info" + }, + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-283", + "name": "wsgiref", + "purl": "pkg:pypi/wsgiref@0.1.2", + "type": "library", + "version": "0.1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:path", + "value": "/usr/lib/python2.7/wsgiref.egg-info" + }, + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component skipped: no rules found." + } + ] + }, + { + "bom-ref": "comp-284", + "name": "dockerfile:comp-1.Dockerfile", + "type": "file", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-006-001", + "value": "affected_lines:2-2" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-004", + "value": "affected_lines:8-8" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-001", + "value": "affected_lines:7-7" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-003", + "value": "affected_lines:6-6" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-002", + "value": "affected_lines:4-4" + }, + { + "name": "amazon:inspector:sbom_scanner:dockerfile_finding:IN-DOCKER-005-003", + "value": "affected_lines:3-3" + } + ] + } + ], + "serialNumber": "urn:uuid:559d8374-21ea-4fcc-83c3-6df414e4973f", + "bomFormat": "CycloneDX", + "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=18036" + }, + { + "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61(glibc-2.22)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2015-20109" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-1", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-20109.html" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2015-20109" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-20109" + } + } + ], + "created": "2023-06-25T17:15:14Z", + "description": "end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue.", + "affects": [ + { + "ref": "comp-218" + }, + { + "ref": "comp-216" + } + ], + "id": "CVE-2015-20109", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-20109" + }, + "cwes": [ + 120 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-07-31T19:15:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T05:13:34Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-218", + "value": "0:2.19-0ubuntu6.15+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-216", + "value": "0:2.19-0ubuntu6.15+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5" + }, + { + "url": "https://kernel.org/pub/linux/libs/klibc/2.0/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-31871" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5379-1" + } + ], + "bom-ref": "vuln-2", + "references": [ + { + "id": "USN-5379-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5379-1" + } + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. An integer overflow in the cpio command may result in a NULL pointer dereference on 64-bit systems.", + "affects": [ + { + "ref": "comp-184" + }, + { + "ref": "comp-185" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31871" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-31871.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31871" + } + }, + { + "severity": "none", + "score": 0.002, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-31871" + } + } + ], + "id": "CVE-2021-31871", + "updated": "2022-04-19T03:52:40Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2023-11-27T17:15:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff" + }, + { + "url": "https://kernel.org/pub/linux/libs/klibc/2.0/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-31872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5379-1" + } + ], + "bom-ref": "vuln-3", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31872" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-31872.html" + } + }, + { + "severity": "none", + "score": 0.00244, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-31872" + } + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. Multiple possible integer overflows in the cpio command on 32-bit systems may result in a buffer overflow or other security impact.", + "affects": [ + { + "ref": "comp-184" + }, + { + "ref": "comp-185" + } + ], + "id": "CVE-2021-31872", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31872" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-04-19T03:53:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" + }, + { + "url": "https://bugs.python.org/issue38243" + }, + { + "url": "https://usn.ubuntu.com/4151-1/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://usn.ubuntu.com/4151-2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027149" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4433" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4151-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4285" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4151-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1605" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3911" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-16935" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3888" + } + ], + "bom-ref": "vuln-4", + "ratings": [ + { + "severity": "low", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16935.html" + } + }, + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16935" + } + }, + { + "severity": "none", + "score": 0.00214, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16935" + } + } + ], + "created": "2019-09-28T02:15:10Z", + "description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2019-16935", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16935" + }, + "cwes": [ + 79 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:06:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1464692" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-10685" + } + ], + "bom-ref": "vuln-5", + "ratings": [ + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10685.html" + } + }, + { + "severity": "none", + "score": 0.02138, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-10685" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685" + } + } + ], + "created": "2017-06-29T23:29:00Z", + "description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-10685", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685" + }, + "cwes": [ + 134 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2019-10-03T00:03:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0318" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5433-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004859" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1567.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0318" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0894" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0318.html" + } + }, + { + "severity": "none", + "score": 0.00906, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0318" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0318" + } + } + ], + "created": "2022-01-21T12:15:10Z", + "description": "Heap-based Buffer Overflow in vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0318", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0318" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-11-29T22:12:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2946" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2946" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "none", + "score": 0.00073, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2946" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2946.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2946" + } + } + ], + "created": "2022-08-23T17:15:14Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0246.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2946", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2946" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:47:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T13:18:48Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCLJN4QINITA3ZASKLEJ64C5TFNKELMO/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00015.html" + }, + { + "url": "https://support.apple.com/kb/HT213844" + }, + { + "url": "https://support.apple.com/kb/HT213845" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2085.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6154-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-194.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1761.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035955" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2610" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2610" + } + }, + { + "severity": "none", + "score": 0.00053, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2610" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-2610.html" + } + } + ], + "created": "2023-05-09T22:15:10Z", + "description": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-2610", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2610" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-12-23T07:15:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T13:40:42Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm10" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-518.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-469.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2384.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48706" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2452.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48706.html" + } + }, + { + "severity": "none", + "score": 0.00049, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48706" + } + } + ], + "created": "2023-11-22T22:15:08Z", + "description": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48706", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-05T18:15:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1643754" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5477-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-19211" + } + ], + "bom-ref": "vuln-10", + "references": [ + { + "id": "USN-5477-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5477-1" + } + } + ], + "created": "2018-11-12T19:29:00Z", + "description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", + "affects": [ + { + "ref": "comp-149" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-152" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19211" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-19211.html" + } + }, + { + "severity": "none", + "score": 0.00056, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-19211" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19211" + } + } + ], + "id": "CVE-2018-19211", + "updated": "2019-04-23T13:15:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://hackerone.com/reports/1223882" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://support.apple.com/kb/HT212805" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://support.apple.com/kb/HT212804" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1700.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5021-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5021-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5894-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-22925" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4511" + } + ], + "bom-ref": "vuln-11", + "ratings": [ + { + "severity": "none", + "score": 0.00296, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22925" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22925.html" + } + } + ], + "created": "2021-08-05T21:15:11Z", + "description": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "id": "CVE-2021-22925", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925" + }, + "cwes": [ + 908, + 200 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T15:11:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html" + }, + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://support.apple.com/HT207800" + }, + { + "url": "https://support.apple.com/HT207798" + }, + { + "url": "https://support.apple.com/HT207797" + }, + { + "url": "https://support.apple.com/HT207801" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-2518" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + } + ], + "bom-ref": "vuln-12", + "references": [ + { + "id": "USN-4019-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4019-2" + } + } + ], + "created": "2017-05-22T05:29:01Z", + "description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted SQL statement.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-42" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2518" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2518" + } + }, + { + "severity": "none", + "score": 0.01142, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-2518" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2518.html" + } + } + ], + "id": "CVE-2017-2518", + "updated": "2019-10-03T00:03:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5085" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0847" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0824" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0845" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0843" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-25315" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1012" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7811" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5320-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0816" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1759.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0815" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1309" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1570.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25315" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0850" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1779.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1068" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1263" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1053" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1070" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0818" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0817" + } + ], + "bom-ref": "vuln-13", + "references": [ + { + "id": "USN-5320-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5320-1" + } + } + ], + "created": "2022-02-18T05:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.", + "affects": [ + { + "ref": "comp-167" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-25315.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315" + } + }, + { + "severity": "none", + "score": 0.02003, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25315" + } + } + ], + "id": "CVE-2022-25315", + "updated": "2023-11-07T03:44:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2982" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-14", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2982.html" + } + }, + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2982" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2982" + } + } + ], + "created": "2022-08-25T20:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0260.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2982", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2982" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:47:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T08:20:29Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EY2VFBU3YGGWI5BW4XKT3F37MYGEQUD/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://support.apple.com/kb/HT213343" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://support.apple.com/kb/HT213183" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-4166" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-4166" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1557.html" + } + ], + "bom-ref": "vuln-15", + "ratings": [ + { + "severity": "medium", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-4166.html" + } + }, + { + "severity": "high", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4166" + } + }, + { + "severity": "none", + "score": 0.00092, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4166" + } + } + ], + "created": "2021-12-25T19:15:07Z", + "description": "vim is vulnerable to Out-of-bounds Read", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-4166", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4166" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:40:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5477-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6099-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-39537" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1893.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-023.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-39537" + } + ], + "bom-ref": "vuln-16", + "ratings": [ + { + "severity": "info", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-39537.html" + } + }, + { + "severity": "none", + "score": 0.00859, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-39537" + } + }, + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537" + } + } + ], + "created": "2021-09-20T16:15:12Z", + "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + } + ], + "id": "CVE-2021-39537", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-03T20:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4298-2/" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4638" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://usn.ubuntu.com/4298-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0514" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-19926" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-17", + "ratings": [ + { + "severity": "none", + "score": 0.01382, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19926" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19926.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926" + } + } + ], + "created": "2019-12-23T01:15:13Z", + "description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", + "affects": [ + { + "ref": "comp-42" + }, + { + "ref": "comp-43" + } + ], + "id": "CVE-2019-19926", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-04-15T16:17:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2849" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2849" + } + ], + "bom-ref": "vuln-18", + "ratings": [ + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2849" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2849" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2849.html" + } + } + ], + "created": "2022-08-17T18:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2849", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2849" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DVWBI4BVTBUMNW4NMB3WZZDQJBKIGXI3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LLK2RMZEECKKWUQK7J46D2FQZOXFQLTC/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3099" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3099" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5775-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-19", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3099.html" + } + }, + { + "severity": "none", + "score": 0.00097, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3099" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3099" + } + } + ], + "created": "2022-09-03T16:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0360.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3099", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3099" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:50:47Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html" + }, + { + "url": "https://security.gentoo.org/glsa/202101-28" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5477-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6099-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-17595" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4426" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2412.html" + } + ], + "bom-ref": "vuln-20", + "ratings": [ + { + "severity": "none", + "score": 0.00151, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-17595" + } + }, + { + "severity": "medium", + "score": 5.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595" + } + }, + { + "severity": "info", + "score": 5.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html" + } + } + ], + "created": "2019-10-14T21:15:11Z", + "description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + } + ], + "id": "CVE-2019-17595", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2021-02-08T20:52:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2021/dsa-4963" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" + }, + { + "url": "https://security.gentoo.org/glsa/202209-02" + }, + { + "url": "https://www.openssl.org/news/secadv/20210824.txt" + }, + { + "url": "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11" + }, + { + "url": "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1721.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3712" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1541.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0064" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3712" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5051-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5051-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4614" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5051-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4618" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:5226" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4861" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4613" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1714.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5051-4(regressiononlyintrusty/esm)" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4863" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5088-1" + } + ], + "bom-ref": "vuln-21", + "references": [ + { + "id": "USN-5051-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5051-2" + } + } + ], + "created": "2021-08-24T15:15:09Z", + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "affects": [ + { + "ref": "comp-232" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712" + } + }, + { + "severity": "medium", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3712.html" + } + }, + { + "severity": "none", + "score": 0.00411, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3712" + } + } + ], + "id": "CVE-2021-3712", + "updated": "2023-11-07T03:38:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:26:42Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3520" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3335" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1260" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2030" + }, + { + "url": "https://security.gentoo.org/glsa/202003-26" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/" + }, + { + "url": "https://bugs.python.org/issue35906" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1268" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1324.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1242.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1462" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1346" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1247.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1243.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1230.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1204.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9947" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + } + ], + "bom-ref": "vuln-22", + "ratings": [ + { + "severity": "none", + "score": 0.00252, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9947" + } + }, + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947" + } + }, + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9947.html" + } + } + ], + "created": "2019-03-23T18:29:02Z", + "description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2019-9947", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947" + }, + "cwes": [ + 93 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:13:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T17:54:29Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882620" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5477-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-16879" + } + ], + "bom-ref": "vuln-23", + "ratings": [ + { + "severity": "info", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16879.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16879" + } + }, + { + "severity": "none", + "score": 0.00364, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-16879" + } + } + ], + "created": "2017-11-22T22:29:00Z", + "description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", + "affects": [ + { + "ref": "comp-149" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-152" + } + ], + "id": "CVE-2017-16879", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16879" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:40:56Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4881" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://hackerone.com/reports/887462" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-8177" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4599" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1451.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4402-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5002" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965281" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5417" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8177" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1411.html" + } + ], + "bom-ref": "vuln-24", + "references": [ + { + "id": "USN-4402-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4402-1" + } + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177" + }, + "cwes": [ + 99, + 74 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00099, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-8177" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8177.html" + } + } + ], + "id": "CVE-2020-8177", + "updated": "2024-03-27T16:04:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-29458" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5477-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6099-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29458" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1893.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-023.html" + } + ], + "bom-ref": "vuln-25", + "references": [ + { + "id": "USN-6099-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6099-1" + } + } + ], + "created": "2022-04-18T21:15:07Z", + "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00102, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29458" + } + }, + { + "severity": "high", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458" + } + }, + { + "severity": "info", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-29458.html" + } + } + ], + "id": "CVE-2022-29458", + "updated": "2023-11-07T03:46:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GOY5YWTP5QUY2EFLCL7AUWA2CV57C37/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0572" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0572" + } + ], + "bom-ref": "vuln-26", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572" + } + }, + { + "severity": "none", + "score": 0.00124, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0572" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0572.html" + } + } + ], + "created": "2022-02-14T12:15:23Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0572", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202006-03" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4602-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4602-2" + }, + { + "url": "https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod" + }, + { + "url": "https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-10543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1678" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2792" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1032" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0883" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1266" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0343" + } + ], + "bom-ref": "vuln-27", + "references": [ + { + "id": "USN-4602-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4602-2" + } + } + ], + "created": "2020-06-05T14:15:10Z", + "description": "Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.", + "affects": [ + { + "ref": "comp-194" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543" + }, + "cwes": [ + 787, + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 8.2, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543" + } + }, + { + "severity": "low", + "score": 8.2, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10543.html" + } + }, + { + "severity": "none", + "score": 0.00308, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10543" + } + } + ], + "id": "CVE-2020-10543", + "updated": "2023-11-07T03:14:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-194", + "value": "0:5.18.2-2ubuntu1.7+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3872" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1567.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1728.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0366" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5147-1" + } + ], + "bom-ref": "vuln-28", + "ratings": [ + { + "severity": "none", + "score": 0.00127, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3872" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3872" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3872.html" + } + } + ], + "created": "2021-10-19T13:15:11Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-3872", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3872" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:38:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5775-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1902.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3591" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1663.html" + } + ], + "bom-ref": "vuln-29", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3591" + } + }, + { + "severity": "none", + "score": 0.00062, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3591" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3591.html" + } + } + ], + "created": "2022-12-02T17:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0789.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3591", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3591" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2021-4189" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2021-4189" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://bugs.python.org/issue43285" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2036020" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1593.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-4189" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5342-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5342-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1986" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3254" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1663" + } + ], + "bom-ref": "vuln-30", + "references": [ + { + "id": "USN-5342-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5342-1" + } + } + ], + "created": "2022-08-24T16:15:09Z", + "description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189" + }, + "cwes": [ + 252 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-4189.html" + } + }, + { + "severity": "none", + "score": 0.00182, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4189" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189" + } + } + ], + "id": "CVE-2021-4189", + "updated": "2023-06-30T23:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://www.openssl.org/news/secadv/20230328.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3722" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7626" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7625" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7623" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2073.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7622" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-181.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0466" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1762.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0466" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2039.html" + } + ], + "bom-ref": "vuln-31", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466" + } + }, + { + "severity": "none", + "score": 0.00127, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0466" + } + }, + { + "severity": "info", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0466.html" + } + } + ], + "created": "2023-03-28T15:15:06Z", + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "affects": [ + { + "ref": "comp-232" + }, + { + "ref": "comp-231" + } + ], + "id": "CVE-2023-0466", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466" + }, + "cwes": [ + 295 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-04T09:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:25:09Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-231", + "value": "0:1.0.1f-1ubuntu2.27+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2020/dsa-4606" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:4238" + }, + { + "url": "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html" + }, + { + "url": "https://usn.ubuntu.com/4298-2/" + }, + { + "url": "https://usn.ubuntu.com/4298-1/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-08" + }, + { + "url": "https://seclists.org/bugtraq/2020/Jan/27" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-13752" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1810" + } + ], + "bom-ref": "vuln-32", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13752.html" + } + }, + { + "severity": "none", + "score": 0.00743, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13752" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13752" + } + } + ], + "created": "2019-12-10T22:15:14Z", + "description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "affects": [ + { + "ref": "comp-42" + }, + { + "ref": "comp-43" + } + ], + "id": "CVE-2019-13752", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13752" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:04:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFAZTAT5CZC2R6KYDYA2HBAVEDSIX6MW/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUPOLEX5GXC733HL4EFYMHFU7NISJJZG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODXVYZC5Z4XRRZK7CK6B6IURYVYHA25U/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1674" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1674" + } + ], + "bom-ref": "vuln-33", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1674" + } + }, + { + "severity": "none", + "score": 0.00094, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1674" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1674.html" + } + } + ], + "created": "2022-05-12T11:15:07Z", + "description": "NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1674", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1674" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.suse.com/security/cve/CVE-2022-28321.html" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1197654" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5825-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5825-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-28321" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-34", + "references": [ + { + "id": "USN-5825-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5825-2" + } + }, + { + "id": "USN-5825-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5825-1" + } + } + ], + "created": "2022-09-19T22:15:10Z", + "description": "The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.", + "affects": [ + { + "ref": "comp-193" + }, + { + "ref": "comp-190" + }, + { + "ref": "comp-191" + }, + { + "ref": "comp-192" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28321" + }, + "cwes": [ + 287 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.0022, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-28321" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28321" + } + }, + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-28321.html" + } + } + ], + "id": "CVE-2022-28321", + "updated": "2023-08-08T14:21:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-05T08:27:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-193", + "value": "0:1.1.8-1ubuntu2.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-190", + "value": "0:1.1.8-1ubuntu2.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-191", + "value": "0:1.1.8-1ubuntu2.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-192", + "value": "0:1.1.8-1ubuntu2.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1796" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1796" + } + ], + "bom-ref": "vuln-35", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1796" + } + }, + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1796" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1796.html" + } + } + ], + "created": "2022-05-19T16:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.4979.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1796", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1796" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-15T21:28:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484284" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13730" + } + ], + "bom-ref": "vuln-36", + "ratings": [ + { + "severity": "info", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13730.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13730" + } + }, + { + "severity": "none", + "score": 0.00224, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13730" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13730", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13730" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:38:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EX6N2DB75A73MQGVW3CS4VTNPAYVM2M/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5836-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-47024" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0958" + } + ], + "bom-ref": "vuln-37", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47024" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-47024" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-47024.html" + } + } + ], + "created": "2023-01-20T19:15:17Z", + "description": "A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-47024", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47024" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:56:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-19T02:56:04Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484285" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13731" + } + ], + "bom-ref": "vuln-38", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13731" + } + }, + { + "severity": "none", + "score": 0.00224, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13731" + } + }, + { + "severity": "info", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13731.html" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13731", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13731" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:38:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/" + }, + { + "url": "https://hackerone.com/reports/1895135" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html" + }, + { + "url": "https://security.gentoo.org/glsa/202310-12" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-27536" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2070.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0428" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5964-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6679" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5964-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4523" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-27536" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1727.html" + } + ], + "bom-ref": "vuln-39", + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27536" + } + }, + { + "severity": "low", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-27536.html" + } + }, + { + "severity": "none", + "score": 0.00219, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27536" + } + } + ], + "created": "2023-03-30T20:15:07Z", + "description": "An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "id": "CVE-2023-27536", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27536" + }, + "cwes": [ + 305, + 287 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-27T14:46:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:26:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2064.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9923" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1755.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925286" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4692-1" + } + ], + "bom-ref": "vuln-40", + "references": [ + { + "id": "USN-4692-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4692-1" + } + } + ], + "created": "2019-03-22T08:29:00Z", + "description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "affects": [ + { + "ref": "comp-172" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9923" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9923" + } + }, + { + "severity": "none", + "score": 0.01086, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9923" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9923.html" + } + } + ], + "id": "CVE-2019-9923", + "updated": "2023-11-07T03:13:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-172", + "value": "0:1.27.1-1ubuntu0.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2289" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2289" + } + ], + "bom-ref": "vuln-41", + "ratings": [ + { + "severity": "none", + "score": 0.00124, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2289" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2289" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2289.html" + } + } + ], + "created": "2022-07-03T15:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2289", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2289" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-1170" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-151.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1170" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + } + ], + "bom-ref": "vuln-42", + "ratings": [ + { + "severity": "medium", + "score": 6.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1170" + } + }, + { + "severity": "medium", + "score": 6.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-1170.html" + } + }, + { + "severity": "none", + "score": 0.00053, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1170" + } + } + ], + "created": "2023-03-03T23:15:11Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-1170", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1170" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:02:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T12:25:03Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.12.18" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.13.16" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.10.30" + }, + { + "url": "https://usn.ubuntu.com/4398-1/" + }, + { + "url": "https://usn.ubuntu.com/4398-2/" + }, + { + "url": "https://security.gentoo.org/glsa/202007-46" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/294" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4398-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4398-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-12049" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3014" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2894" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3298" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3044" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1870.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-43", + "references": [ + { + "id": "USN-4398-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4398-2" + } + } + ], + "created": "2020-06-08T17:15:09Z", + "description": "An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.", + "affects": [ + { + "ref": "comp-110" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12049" + }, + "cwes": [ + 404 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12049" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12049.html" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-12049" + } + } + ], + "id": "CVE-2020-12049", + "updated": "2023-06-12T07:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-02-13T02:06:45Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-110", + "value": "0:1.6.18-0ubuntu4.5+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2CJLY3CF55I2ULG2X4ENXLSXAXYW5J4/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4FFQARG3LGREPDZRI4C7ERQL3RJKEWQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNTMVZCN4TRTTCAXRLVQ7H2P7FYAIZQ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5093-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3770" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994076" + } + ], + "bom-ref": "vuln-44", + "references": [ + { + "id": "USN-5093-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5093-1" + } + } + ], + "created": "2021-09-06T12:15:08Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "affects": [ + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3770" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.0007, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3770" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3770" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3770.html" + } + } + ], + "id": "CVE-2021-3770", + "updated": "2023-11-07T03:38:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2023-12-04T21:11:48Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2287" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2287" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-45", + "ratings": [ + { + "severity": "none", + "score": 0.00115, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2287" + } + }, + { + "severity": "high", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2287" + } + }, + { + "severity": "low", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2287.html" + } + } + ], + "created": "2022-07-02T22:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2287", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2287" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3931" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2304" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://security.gentoo.org/glsa/201903-10" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4400" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, + { + "url": "https://support.f5.com/csp/article/K18549143" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2439" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2437" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3929" + }, + { + "url": "https://usn.ubuntu.com/3899-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10282" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2471" + }, + { + "url": "https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "url": "https://www.openssl.org/news/secadv/20190226.txt" + }, + { + "url": "https://usn.ubuntu.com/4376-2/" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4376-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3899-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1188.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-1559" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1362.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1188.html" + } + ], + "bom-ref": "vuln-46", + "ratings": [ + { + "severity": "none", + "score": 0.01023, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-1559" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1559.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559" + } + } + ], + "created": "2019-02-27T23:29:00Z", + "description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", + "affects": [ + { + "ref": "comp-232" + } + ], + "id": "CVE-2019-1559", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559" + }, + "cwes": [ + 203 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:08:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:48:01Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html" + }, + { + "url": "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5064-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-38185" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-021.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5064-3" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992045" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5064-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1991" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1972.html" + } + ], + "bom-ref": "vuln-47", + "references": [ + { + "id": "USN-5064-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5064-3" + } + } + ], + "created": "2021-08-08T00:15:07Z", + "description": "GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.", + "affects": [ + { + "ref": "comp-265" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38185" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38185" + } + }, + { + "severity": "none", + "score": 0.0025, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-38185" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-38185.html" + } + } + ], + "id": "CVE-2021-38185", + "updated": "2023-06-04T22:15:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-265", + "value": "0:2.11+dfsg-1ubuntu1.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2980" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2980" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + } + ], + "bom-ref": "vuln-48", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2980" + } + }, + { + "severity": "none", + "score": 0.00093, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2980" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2980.html" + } + } + ], + "created": "2022-08-25T20:15:09Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2980", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2980" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:47:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T08:19:30Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202105-29" + }, + { + "url": "https://savannah.gnu.org/bugs/?59897" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1917565" + }, + { + "url": "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980525" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-20193" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5329-1" + } + ], + "bom-ref": "vuln-49", + "references": [ + { + "id": "USN-5329-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5329-1" + } + } + ], + "created": "2021-03-26T17:15:12Z", + "description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.", + "affects": [ + { + "ref": "comp-172" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20193" + }, + "cwes": [ + 125, + 401 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20193" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-20193.html" + } + }, + { + "severity": "none", + "score": 0.00076, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-20193" + } + } + ], + "id": "CVE-2021-20193", + "updated": "2023-11-07T03:28:59Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-15T20:18:49Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-172", + "value": "0:1.27.1-1ubuntu0.1+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2598" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2598" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-50", + "references": [ + { + "id": "USN-6302-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6302-1" + } + } + ], + "created": "2022-08-01T15:15:09Z", + "description": "Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.\n\n", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598" + } + }, + { + "severity": "none", + "score": 0.00081, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2598" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2598.html" + } + } + ], + "id": "CVE-2022-2598", + "updated": "2023-07-11T08:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e" + }, + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b" + }, + { + "url": "https://www.openssl.org/news/secadv/20230322.txt" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5417" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3722" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7626" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7625" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7623" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2073.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7622" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-181.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0464" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1762.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2039.html" + } + ], + "bom-ref": "vuln-51", + "ratings": [ + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0464.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464" + } + }, + { + "severity": "none", + "score": 0.00256, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0464" + } + } + ], + "created": "2023-03-22T17:15:13Z", + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "affects": [ + { + "ref": "comp-232" + }, + { + "ref": "comp-231" + } + ], + "id": "CVE-2023-0464", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464" + }, + "cwes": [ + 295 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-04T09:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:25:09Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-231", + "value": "0:1.0.1f-1ubuntu2.27+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1851" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1851" + } + ], + "bom-ref": "vuln-52", + "ratings": [ + { + "severity": "none", + "score": 0.00122, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1851" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1851" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1851.html" + } + } + ], + "created": "2022-05-25T13:15:07Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1851", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1851" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:42:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3234" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3234" + } + ], + "bom-ref": "vuln-53", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3234.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3234" + } + }, + { + "severity": "none", + "score": 0.00092, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3234" + } + } + ], + "created": "2022-09-17T22:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3234", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3234" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:50:59Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "bom-ref": "vuln-54", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2019-07-04T15:48:25Z", + "description": "USN-4038-1 fixed a vulnerability in bzip2. The update introduced\na regression causing bzip2 to incorrect raises CRC errors for some\nfiles. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that bzip2 incorrectly handled certain files.\n An attacker could possibly use this issue to execute arbitrary code.\n", + "affects": [ + { + "ref": "comp-175" + }, + { + "ref": "comp-174" + } + ], + "id": "USN-4038-4", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4038-4" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-175", + "value": "0:1.0.6-5ubuntu0.1~esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-174", + "value": "0:1.0.6-5ubuntu0.1~esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00025.html" + }, + { + "url": "https://twitter.com/thatcks/status/1076166645708668928" + }, + { + "url": "https://security.gentoo.org/glsa/201903-05" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20482" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4692-1" + } + ], + "bom-ref": "vuln-55", + "ratings": [ + { + "severity": "low", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20482" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20482" + } + } + ], + "created": "2018-12-26T18:29:00Z", + "description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", + "affects": [ + { + "ref": "comp-172" + } + ], + "id": "CVE-2018-20482", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20482" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2021-11-30T19:52:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-05T01:18:03Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-172", + "value": "0:1.27.1-1ubuntu0.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UURGABNDL77YR5FRQKTFBYNBDQX2KO7Q/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0629" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0629" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-56", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0629.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0629" + } + }, + { + "severity": "none", + "score": 0.00103, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0629" + } + } + ], + "created": "2022-02-17T12:15:07Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0629", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0629" + }, + "cwes": [ + 787, + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3R36VSLO4TRX72SWB6IDJOD24BQXPX2/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0943" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5242" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0943" + } + ], + "bom-ref": "vuln-57", + "ratings": [ + { + "severity": "none", + "score": 0.00054, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0943" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0943" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0943.html" + } + } + ], + "created": "2022-03-14T21:15:07Z", + "description": "Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0943", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0943" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:41:40Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-19T03:02:51Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Y752EAVACVC5XY2TMGGOAIU25VQRPDW/" + }, + { + "url": "https://support.apple.com/kb/HT213670" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T33LLWHLH63XDCO5OME7NWN63RA4U5HF/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5836-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1681.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0049" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0049" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1927.html" + } + ], + "bom-ref": "vuln-58", + "references": [ + { + "id": "USN-5963-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5963-1" + } + } + ], + "created": "2023-01-04T16:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0049" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0049" + } + }, + { + "severity": "none", + "score": 0.00072, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0049" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0049.html" + } + } + ], + "id": "CVE-2023-0049", + "updated": "2023-11-07T03:59:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T10:07:58Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484287" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13732" + } + ], + "bom-ref": "vuln-59", + "ratings": [ + { + "severity": "none", + "score": 0.00224, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13732" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13732" + } + }, + { + "severity": "info", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13732.html" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13732", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13732" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:38:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15216" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5178" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6335-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48174" + } + ], + "bom-ref": "vuln-60", + "references": [ + { + "id": "USN-6335-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6335-1" + } + } + ], + "created": "2023-08-22T19:16:31Z", + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "affects": [ + { + "ref": "comp-262" + }, + { + "ref": "comp-261" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-48174.html" + } + }, + { + "severity": "none", + "score": 0.00134, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48174" + } + } + ], + "id": "CVE-2022-48174", + "updated": "2023-08-28T18:53:37Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T18:45:34Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-262", + "value": "1:1.21.0-1ubuntu1.4+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-261", + "value": "1:1.21.0-1ubuntu1.4+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7076" + }, + { + "url": "https://usn.ubuntu.com/3968-3/" + }, + { + "url": "https://usn.ubuntu.com/3968-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3968-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-7076" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2016:2872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842507" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3968-1" + } + ], + "bom-ref": "vuln-61", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-7076" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7076" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7076.html" + } + } + ], + "created": "2018-05-29T13:29:00Z", + "description": "sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.", + "affects": [ + { + "ref": "comp-102" + } + ], + "id": "CVE-2016-7076", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7076" + }, + "cwes": [ + 77, + 184 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:34:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4416-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2018:3092" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, + { + "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2019:0327" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22786" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899071" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2018-1109.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4416-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-11236" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2018-1048.html" + } + ], + "bom-ref": "vuln-62", + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11236.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11236" + } + }, + { + "severity": "none", + "score": 0.01414, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-11236" + } + } + ], + "created": "2018-05-18T16:29:00Z", + "description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", + "affects": [ + { + "ref": "comp-218" + }, + { + "ref": "comp-216" + } + ], + "id": "CVE-2018-11236", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11236" + }, + "cwes": [ + 787, + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:51:38Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-218", + "value": "0:2.19-0ubuntu6.15+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-216", + "value": "0:2.19-0ubuntu6.15+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213843" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/" + }, + { + "url": "https://support.apple.com/kb/HT213844" + }, + { + "url": "https://support.apple.com/kb/HT213845" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-29491" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0416" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6099-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5249" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6698" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1778.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-220.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2096.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7361" + } + ], + "bom-ref": "vuln-63", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29491" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-29491.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491" + } + } + ], + "created": "2023-04-14T01:15:08Z", + "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + } + ], + "id": "CVE-2023-29491", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-01-31T03:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:26:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3297" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3297" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + } + ], + "bom-ref": "vuln-64", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3297" + } + }, + { + "severity": "none", + "score": 0.00124, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3297" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3297.html" + } + } + ], + "created": "2022-09-25T19:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0579.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3297", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3297" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:51:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T08:54:37Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2344" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2344" + } + ], + "bom-ref": "vuln-65", + "ratings": [ + { + "severity": "none", + "score": 0.00123, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2344" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2344.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2344" + } + } + ], + "created": "2022-07-08T19:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2344", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2344" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1785" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5942" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5813" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1785" + } + ], + "bom-ref": "vuln-66", + "references": [ + { + "id": "USN-5995-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5995-1" + } + } + ], + "created": "2022-05-19T13:15:07Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1785" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00051, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1785" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1785.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1785" + } + } + ], + "id": "CVE-2022-1785", + "updated": "2023-05-03T12:15:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5775-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3256" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3256" + } + ], + "bom-ref": "vuln-67", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3256" + } + }, + { + "severity": "none", + "score": 0.00097, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3256" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3256.html" + } + } + ], + "created": "2022-09-22T13:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0530.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3256", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3256" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:51:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU64FUVG2PRZBSHFOQRSP7KDVEIZ23OS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPTAR76EIZY7NQFENSOZO7U473257OVZ/" + }, + { + "url": "https://dev.gnupg.org/T6027" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VN63GBTMRWO36Y7BKA2WQHROAKCXKCBL/" + }, + { + "url": "https://bugs.debian.org/1014157" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRLWJQ76A4UKHI3Q36BKSJKS4LFLQO33/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5174" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-34903" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1630.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6602" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5503-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-087.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1834.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34903" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5503-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014157" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6463" + } + ], + "bom-ref": "vuln-68", + "references": [ + { + "id": "USN-5503-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5503-2" + } + } + ], + "created": "2022-07-01T22:15:08Z", + "description": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", + "affects": [ + { + "ref": "comp-145" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34903" + }, + "cwes": [ + 74 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-34903.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34903" + } + }, + { + "severity": "none", + "score": 0.00422, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-34903" + } + } + ], + "id": "CVE-2022-34903", + "updated": "2023-11-07T03:48:47Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-145", + "value": "0:1.4.16-1ubuntu2.6+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4058-2/" + }, + { + "url": "https://usn.ubuntu.com/4058-1/" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1113" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3474" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1379.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1539" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3803" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1540" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4058-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4058-2" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-bash/2017-03/msg00077.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9924" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3592" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1503.html" + } + ], + "bom-ref": "vuln-69", + "references": [ + { + "id": "USN-4058-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4058-2" + } + } + ], + "created": "2019-03-22T08:29:00Z", + "description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.", + "affects": [ + { + "ref": "comp-249" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9924" + }, + "cwes": [ + 862 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9924.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9924" + } + }, + { + "severity": "none", + "score": 0.00063, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9924" + } + } + ], + "id": "CVE-2019-9924", + "updated": "2022-04-05T20:11:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-249", + "value": "0:4.3-7ubuntu1.8+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2019-13627" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00001.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html" + }, + { + "url": "https://usn.ubuntu.com/4236-1/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-32" + }, + { + "url": "https://usn.ubuntu.com/4236-3/" + }, + { + "url": "https://usn.ubuntu.com/4236-2/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938938" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4236-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-13627" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4482" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4236-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4236-2" + } + ], + "bom-ref": "vuln-70", + "references": [ + { + "id": "USN-4236-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4236-3" + } + } + ], + "created": "2019-09-25T15:15:11Z", + "description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", + "affects": [ + { + "ref": "comp-170" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13627" + }, + "cwes": [ + 203 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13627" + } + }, + { + "severity": "none", + "score": 0.0021, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13627" + } + }, + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13627.html" + } + } + ], + "id": "CVE-2019-13627", + "updated": "2021-07-21T11:39:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-170", + "value": "0:1.5.3-2ubuntu4.6+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/HT208112" + }, + { + "url": "https://support.apple.com/HT208113" + }, + { + "url": "https://support.apple.com/HT208115" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html" + }, + { + "url": "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" + }, + { + "url": "https://security.gentoo.org/glsa/201701-56" + }, + { + "url": "https://support.apple.com/HT208144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:3046" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:3453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1220" + }, + { + "url": "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1222" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1221" + }, + { + "url": "https://usn.ubuntu.com/4292-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:3047" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:2999" + }, + { + "url": "https://security.gentoo.org/glsa/202007-54" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1402346" + }, + { + "url": "https://usn.ubuntu.com/4246-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4246-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6736-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4292-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-9841" + } + ], + "bom-ref": "vuln-71", + "ratings": [ + { + "severity": "none", + "score": 0.01161, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9841" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9841.html" + } + } + ], + "created": "2017-05-23T04:29:01Z", + "description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", + "affects": [ + { + "ref": "comp-185" + }, + { + "ref": "comp-184" + } + ], + "id": "CVE-2016-9841", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T02:37:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T15:58:51Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630" + }, + { + "url": "https://security.gentoo.org/glsa/201710-16" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-12424" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5254-1" + } + ], + "bom-ref": "vuln-72", + "references": [ + { + "id": "USN-5254-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5254-1" + } + } + ], + "created": "2017-08-04T09:29:00Z", + "description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.", + "affects": [ + { + "ref": "comp-267" + }, + { + "ref": "comp-268" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12424" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12424" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-12424.html" + } + }, + { + "severity": "none", + "score": 0.0054, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-12424" + } + } + ], + "id": "CVE-2017-12424", + "updated": "2021-03-23T20:02:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-267", + "value": "1:4.1.5.1-1ubuntu9.5+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-268", + "value": "1:4.1.5.1-1ubuntu9.5+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/" + }, + { + "url": "https://bugs.python.org/issue34155" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3948" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://usn.ubuntu.com/4151-2/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://usn.ubuntu.com/4151-1/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1324.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2520" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4151-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1132" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1539" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1131" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4151-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940901" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1605" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1540" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1314.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1764" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1368.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-16056" + } + ], + "bom-ref": "vuln-73", + "references": [ + { + "id": "USN-4151-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4151-2" + } + } + ], + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16056.html" + } + }, + { + "severity": "none", + "score": 0.00153, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-16056" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" + } + } + ], + "created": "2019-09-06T18:15:15Z", + "description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2019-16056", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16056" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:05:37Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4781" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4781" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1826.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + } + ], + "bom-ref": "vuln-74", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4781.html" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4781" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4781" + } + } + ], + "created": "2023-09-05T19:15:49Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4781", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4781" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-01T17:57:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/HT208112" + }, + { + "url": "https://support.apple.com/HT208113" + }, + { + "url": "https://support.apple.com/HT208115" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html" + }, + { + "url": "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf" + }, + { + "url": "https://security.gentoo.org/glsa/201701-56" + }, + { + "url": "https://support.apple.com/HT208144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:3046" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:3453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1220" + }, + { + "url": "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1222" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1221" + }, + { + "url": "https://usn.ubuntu.com/4292-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:3047" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:2999" + }, + { + "url": "https://security.gentoo.org/glsa/202007-54" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1402345" + }, + { + "url": "https://usn.ubuntu.com/4246-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4246-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6736-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4292-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-9840" + } + ], + "bom-ref": "vuln-75", + "ratings": [ + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9840" + } + }, + { + "severity": "low", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9840.html" + } + }, + { + "severity": "none", + "score": 0.0135, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9840" + } + } + ], + "created": "2017-05-23T04:29:01Z", + "description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", + "affects": [ + { + "ref": "comp-185" + }, + { + "ref": "comp-184" + } + ], + "id": "CVE-2016-9840", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9840" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T02:37:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:41:54Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFAZTAT5CZC2R6KYDYA2HBAVEDSIX6MW/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUPOLEX5GXC733HL4EFYMHFU7NISJJZG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKIX5HYKWXWG6QBCPPTPQ53GNOFHSAIS/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1733" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1733" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-76", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1733" + } + }, + { + "severity": "none", + "score": 0.00054, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1733" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1733.html" + } + } + ], + "created": "2022-05-17T17:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1733", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1733" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20221213.txt" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3996" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027102" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-095.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6039-1" + } + ], + "bom-ref": "vuln-77", + "references": [ + { + "id": "USN-6039-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6039-1" + } + } + ], + "created": "2022-12-13T16:15:22Z", + "description": "If an X.509 certificate contains a malformed policy constraint and\npolicy processing is enabled, then a write lock will be taken twice\nrecursively. On some operating systems (most widely: Windows) this\nresults in a denial of service when the affected process hangs. Policy\nprocessing being enabled on a publicly facing server is not considered\nto be a common setup.\n\nPolicy processing is enabled by passing the `-policy'\nargument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.\n\nUpdate (31 March 2023): The description of the policy processing enablement\nwas corrected based on CVE-2023-0466.", + "affects": [ + { + "ref": "comp-232" + }, + { + "ref": "comp-231" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996" + }, + "cwes": [ + 667 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00103, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3996" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3996.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996" + } + } + ], + "id": "CVE-2022-3996", + "updated": "2023-11-07T03:52:05Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-231", + "value": "0:1.0.1f-1ubuntu2.27+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213843" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/" + }, + { + "url": "https://hackerone.com/reports/1950627" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/" + }, + { + "url": "https://support.apple.com/kb/HT213844" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html" + }, + { + "url": "https://support.apple.com/kb/HT213845" + }, + { + "url": "https://security.gentoo.org/glsa/202310-12" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6292" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6237-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5598" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4523" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-270.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-28321" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4354" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6237-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4628" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2230.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4629" + } + ], + "bom-ref": "vuln-78", + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28321" + } + }, + { + "severity": "low", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-28321.html" + } + }, + { + "severity": "none", + "score": 0.00087, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28321" + } + } + ], + "created": "2023-05-26T21:15:16Z", + "description": "An improper certificate validation vulnerability exists in curl " + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://www.openldap.org/its/index.cgi/Incoming?id=9123" + }, + { + "url": "https://usn.ubuntu.com/4256-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4256-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-19906" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4497" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947043" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-19906" + } + ], + "bom-ref": "vuln-85", + "references": [ + { + "id": "USN-4256-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4256-1" + } + } + ], + "created": "2019-12-19T18:15:12Z", + "description": "cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.", + "affects": [ + { + "ref": "comp-279" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19906" + }, + "cwes": [ + 787, + 193 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19906.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19906" + } + }, + { + "severity": "none", + "score": 0.00685, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19906" + } + } + ], + "id": "CVE-2019-19906", + "updated": "2023-11-07T03:07:51Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-279", + "value": "0:2.1.25.dfsg1-17ubuntu0.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1629" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5319" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1629" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5242" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-86", + "ratings": [ + { + "severity": "none", + "score": 0.00266, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1629" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1629" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1629.html" + } + } + ], + "created": "2022-05-10T14:15:08Z", + "description": "Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1629", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1629" + }, + "cwes": [ + 125, + 126 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQCSLMCK2XGX23R2DKW2MSAICQAK6MT2/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-08" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4CO7N226I3X5FNBR2MACCH6TS764VJP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ND74SKN56BCYL3QLEAAB6E64UUBRA5UG/" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/417" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5704-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8812" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8977" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-42012" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0335" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-100.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1730.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2006.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0096" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42012" + } + ], + "bom-ref": "vuln-87", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-42012.html" + } + }, + { + "severity": "none", + "score": 0.00113, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42012" + } + } + ], + "created": "2022-10-10T00:15:09Z", + "description": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.", + "affects": [ + { + "ref": "comp-110" + }, + { + "ref": "comp-109" + } + ], + "id": "CVE-2022-42012", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-27T16:49:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-110", + "value": "0:1.6.18-0ubuntu4.5+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-109", + "value": "0:1.6.18-0ubuntu4.5+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2019/dsa-4455" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIXEDVVMPD6ZAJSMI2EZ7FNEIVNWE5PD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLXXIF4LOQEAEDAF4UGP2AO6WDNTDFUB/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jun/1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-12098" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5675-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929064" + } + ], + "bom-ref": "vuln-88", + "references": [ + { + "id": "USN-5675-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5675-1" + } + } + ], + "ratings": [ + { + "severity": "high", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12098" + } + }, + { + "severity": "low", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12098.html" + } + }, + { + "severity": "none", + "score": 0.00393, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12098" + } + } + ], + "created": "2019-05-15T23:29:00Z", + "description": "In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.", + "affects": [ + { + "ref": "comp-97" + }, + { + "ref": "comp-99" + } + ], + "id": "CVE-2019-12098", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12098" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:03:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C2CQXRLBIC4S7JQVEIN5QXKQPYWB5E3J/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5433-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1154" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1154" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1552" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5242" + } + ], + "bom-ref": "vuln-89", + "ratings": [ + { + "severity": "none", + "score": 0.00181, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1154" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1154.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1154" + } + } + ], + "created": "2022-03-30T12:15:07Z", + "description": "Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1154", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1154" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202402-04" + }, + { + "url": "https://bugs.python.org/issue41944" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1670.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2317.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3252" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4151" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4162" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-009.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-27619" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1633" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3254" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-27619" + } + ], + "bom-ref": "vuln-90", + "ratings": [ + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27619.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27619" + } + }, + { + "severity": "none", + "score": 0.0066, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-27619" + } + } + ], + "created": "2020-10-22T03:16:31Z", + "description": "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2020-27619", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27619" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-03T07:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm10" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCQWPEY2AEYBELCMJYHYWYCD3PZVD2H7/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3927" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3927" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1557.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5147-1" + } + ], + "bom-ref": "vuln-91", + "references": [ + { + "id": "USN-5147-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5147-1" + } + } + ], + "created": "2021-11-05T15:15:08Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "affects": [ + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3927" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00102, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3927" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3927" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3927.html" + } + } + ], + "id": "CVE-2021-3927", + "updated": "2023-11-07T03:38:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://kernel.org/pub/linux/libs/klibc/2.0/" + }, + { + "url": "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5379-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-31870" + } + ], + "bom-ref": "vuln-92", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31870" + } + }, + { + "severity": "none", + "score": 0.00244, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-31870" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-31870.html" + } + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow.", + "affects": [ + { + "ref": "comp-184" + }, + { + "ref": "comp-185" + } + ], + "id": "CVE-2021-31870", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31870" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-04-19T03:51:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2023-11-27T17:15:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT212147" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@" + }, + { + "url": "https://bugs.gentoo.org/717920" + }, + { + "url": "https://support.apple.com/kb/HT211931" + }, + { + "url": "https://www.pcre.org/original/changelog.txt" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4614" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4373" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-20838" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5425-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4613" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20838" + } + ], + "bom-ref": "vuln-93", + "ratings": [ + { + "severity": "none", + "score": 0.01026, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20838" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20838.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20838" + } + } + ], + "created": "2020-06-15T17:15:09Z", + "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", + "affects": [ + { + "ref": "comp-38" + } + ], + "id": "CVE-2019-20838", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20838" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T16:05:46Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-38", + "value": "1:8.31-2ubuntu2.3+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2024637" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2021-3999" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html" + }, + { + "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3999" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=28769" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5310-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5310-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0896" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3999" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1857.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3999" + } + ], + "bom-ref": "vuln-94", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3999" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3999.html" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3999" + } + } + ], + "created": "2022-08-24T16:15:09Z", + "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", + "affects": [ + { + "ref": "comp-218" + }, + { + "ref": "comp-216" + } + ], + "id": "CVE-2021-3999", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3999" + }, + "cwes": [ + 193 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-02-12T23:43:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-218", + "value": "0:2.19-0ubuntu6.15+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-216", + "value": "0:2.19-0ubuntu6.15+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, + { + "url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&utm_medium=RSS" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-29" + }, + { + "url": "https://support.f5.com/csp/article/K55133295" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4633" + }, + { + "url": "https://seclists.org/bugtraq/2020/Feb/36" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3993-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3993-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1020" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1792" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1539" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1233.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1233.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2505" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1540" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929351" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-5436" + } + ], + "bom-ref": "vuln-95", + "references": [ + { + "id": "USN-3993-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/3993-2" + } + } + ], + "created": "2019-05-28T19:29:06Z", + "description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5436" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.06967, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5436" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5436.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5436" + } + } + ], + "id": "CVE-2019-5436", + "updated": "2023-11-07T03:11:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/" + }, + { + "url": "https://savannah.gnu.org/patch/?10307" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/" + }, + { + "url": "https://savannah.gnu.org/bugs/?62387" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1994.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5900-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5900-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0842" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-153.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1704.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5610" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48303" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0959" + } + ], + "bom-ref": "vuln-96", + "references": [ + { + "id": "USN-5900-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5900-1" + } + } + ], + "created": "2023-01-30T04:15:08Z", + "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", + "affects": [ + { + "ref": "comp-172" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-48303.html" + } + }, + { + "severity": "none", + "score": 0.00049, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48303" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303" + } + } + ], + "id": "CVE-2022-48303", + "updated": "2023-05-30T17:16:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-10T12:52:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-172", + "value": "0:1.27.1-1ubuntu0.1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.python.org/issue36260" + }, + { + "url": "https://www.python.org/news/security/" + }, + { + "url": "https://usn.ubuntu.com/4428-1/" + }, + { + "url": "https://bugs.python.org/issue36462" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9674" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4428-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-9674" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-97", + "ratings": [ + { + "severity": "info", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9674.html" + } + }, + { + "severity": "none", + "score": 0.01303, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9674" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674" + } + } + ], + "created": "2020-02-04T15:15:11Z", + "description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2019-9674", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674" + }, + "cwes": [ + 400 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-03-01T16:40:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202310-06" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5800-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-44640" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44640" + } + ], + "bom-ref": "vuln-98", + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-44640.html" + } + }, + { + "severity": "none", + "score": 0.0145, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-44640" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44640" + } + } + ], + "created": "2022-12-25T05:15:11Z", + "description": "Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).", + "affects": [ + { + "ref": "comp-99" + }, + { + "ref": "comp-97" + }, + { + "ref": "comp-91" + }, + { + "ref": "comp-98" + } + ], + "id": "CVE-2022-44640", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44640" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2023-10-08T09:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-91", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-98", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0554" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5242" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0554" + } + ], + "bom-ref": "vuln-99", + "ratings": [ + { + "severity": "none", + "score": 0.00098, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0554" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0554" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0554.html" + } + } + ], + "created": "2022-02-10T22:15:07Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0554", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0554" + }, + "cwes": [ + 823, + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2285" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2285" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + } + ], + "bom-ref": "vuln-100", + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2285.html" + } + }, + { + "severity": "none", + "score": 0.00097, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2285" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2285" + } + } + ], + "created": "2022-07-02T16:15:08Z", + "description": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2285", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2285" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT211289" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html" + }, + { + "url": "https://usn.ubuntu.com/4582-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4582-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20807" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4453" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-20807" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5147-1" + } + ], + "bom-ref": "vuln-101", + "ratings": [ + { + "severity": "low", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20807.html" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20807" + } + }, + { + "severity": "none", + "score": 0.00048, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20807" + } + } + ], + "created": "2020-05-28T14:15:11Z", + "description": "In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2019-20807", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20807" + }, + "cwes": [ + 78 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-09-01T15:14:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHBA-2019:0763" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2980" + }, + { + "url": "https://bugs.python.org/issue36216" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0981" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3170" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0710" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0997" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2019:0764" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1467" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0806" + }, + { + "url": "https://security.gentoo.org/glsa/202003-26" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2019:0959" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0765" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:0902" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1324.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924072" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1243.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1230.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1204.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1204.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1202.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9636" + } + ], + "bom-ref": "vuln-102", + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9636.html" + } + }, + { + "severity": "none", + "score": 0.00724, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9636" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636" + } + } + ], + "created": "2019-03-08T21:29:00Z", + "description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2019-9636", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:13:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:35:05Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00019.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2019:2599" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20217" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5828-1" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + } + ], + "bom-ref": "vuln-103", + "references": [ + { + "id": "USN-5828-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5828-1" + } + } + ], + "created": "2018-12-26T21:29:02Z", + "description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.", + "affects": [ + { + "ref": "comp-54" + }, + { + "ref": "comp-57" + }, + { + "ref": "comp-56" + }, + { + "ref": "comp-53" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20217" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20217" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html" + } + }, + { + "severity": "none", + "score": 0.00306, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20217" + } + } + ], + "id": "CVE-2018-20217", + "updated": "2023-11-07T02:56:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-56", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-53", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5433-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0261" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0261" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1567.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0894" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + } + ], + "bom-ref": "vuln-104", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0261" + } + }, + { + "severity": "none", + "score": 0.00089, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0261" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0261.html" + } + } + ], + "created": "2022-01-18T16:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0261", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0261" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2264" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2264" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-105", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2264" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2264.html" + } + }, + { + "severity": "none", + "score": 0.00131, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2264" + } + } + ], + "created": "2022-07-01T11:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2264", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2264" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html" + }, + { + "url": "https://web.mit.edu/kerberos/www/advisories/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043431" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-36054" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6699" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-321.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36054" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2225.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1818.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6467-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6467-1" + } + ], + "bom-ref": "vuln-106", + "references": [ + { + "id": "USN-6467-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6467-1" + } + } + ], + "created": "2023-08-07T19:15:09Z", + "description": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", + "affects": [ + { + "ref": "comp-56" + }, + { + "ref": "comp-53" + }, + { + "ref": "comp-54" + }, + { + "ref": "comp-57" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054" + }, + "cwes": [ + 824 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-36054.html" + } + }, + { + "severity": "none", + "score": 0.00267, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36054" + } + } + ], + "id": "CVE-2023-36054", + "updated": "2023-11-15T03:23:27Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-56", + "value": "0:1.12+dfsg-2ubuntu5.4+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-53", + "value": "0:1.12+dfsg-2ubuntu5.4+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:1.12+dfsg-2ubuntu5.4+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:1.12+dfsg-2ubuntu5.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1735" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1735" + } + ], + "bom-ref": "vuln-107", + "ratings": [ + { + "severity": "none", + "score": 0.00103, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1735" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1735.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1735" + } + } + ], + "created": "2022-05-17T19:15:08Z", + "description": "Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1735", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1735" + }, + "cwes": [ + 120 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-05-03T12:15:27Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T08:50:02Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/" + }, + { + "url": "https://security.gentoo.org/glsa/202105-36" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/" + }, + { + "url": "https://hackerone.com/reports/1101882" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-22876" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1509.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4898-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2471" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1653.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4903-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2472" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1354" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986269" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4511" + } + ], + "bom-ref": "vuln-108", + "references": [ + { + "id": "USN-4903-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4903-1" + } + } + ], + "created": "2021-04-01T18:15:12Z", + "description": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876" + }, + "cwes": [ + 359, + 200 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876" + } + }, + { + "severity": "none", + "score": 0.00927, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22876" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22876.html" + } + } + ], + "id": "CVE-2021-22876", + "updated": "2024-03-27T15:47:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0408" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0408" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + } + ], + "bom-ref": "vuln-109", + "ratings": [ + { + "severity": "none", + "score": 0.00103, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0408" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0408" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0408.html" + } + } + ], + "created": "2022-01-30T15:15:07Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0408", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0408" + }, + "cwes": [ + 787, + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-46143" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-46143" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + } + ], + "bom-ref": "vuln-110", + "ratings": [ + { + "severity": "none", + "score": 0.00127, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-46143" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-46143.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143" + } + } + ], + "created": "2022-01-06T04:15:07Z", + "description": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2021-46143", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-10-06T19:11:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2304" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2304" + } + ], + "bom-ref": "vuln-111", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2304" + } + }, + { + "severity": "none", + "score": 0.00103, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2304" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2304.html" + } + } + ], + "created": "2022-07-05T13:15:08Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2304", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2304" + }, + "cwes": [ + 787, + 121 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:46:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/" + }, + { + "url": "https://kb.isc.org/docs/cve-2022-2929" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html" + }, + { + "url": "https://security.gentoo.org/glsa/202305-22" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1874.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2502" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021320" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2929" + }, + { + "url": "https://lists.isc.org/pipermail/dhcp-announce/2022-October/000437.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5658-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3000" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5658-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5658-3" + } + ], + "bom-ref": "vuln-112", + "references": [ + { + "id": "USN-5658-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5658-3" + } + } + ], + "created": "2022-10-07T05:15:11Z", + "description": "In ISC DHCP 1.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.", + "affects": [ + { + "ref": "comp-158" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2929" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00099, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2929" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2929.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2929" + } + } + ], + "id": "CVE-2022-2929", + "updated": "2023-11-07T03:47:05Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-158", + "value": "0:4.2.4-7ubuntu12.13+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHFAR6OY6G77M6GXCJT75A4KITLNR6GO/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2817" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2817" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-113", + "ratings": [ + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2817" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2817.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2817" + } + } + ], + "created": "2022-08-15T23:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0213.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2817", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2817" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013080," + }, + { + "url": "https://bugzilla.samba.org/show_bug.cgi?id=14770," + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5287" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3671" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5174-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5675-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996586" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5142-1" + } + ], + "bom-ref": "vuln-114", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3671" + } + }, + { + "severity": "low", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3671.html" + } + }, + { + "severity": "none", + "score": 0.00525, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3671" + } + } + ], + "created": "2021-10-12T18:15:08Z", + "description": "A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.", + "affects": [ + { + "ref": "comp-97" + }, + { + "ref": "comp-99" + } + ], + "id": "CVE-2021-3671", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3671" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:38:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T12:42:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7" + }, + { + "url": "https://bugs.freedesktop.org/show_bug.cgi?id=93881" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KJE5SPSX7HEKLZ34LUTZLXWPEL2K353/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00036.html" + }, + { + "url": "https://blog.fuzzing-project.org/36-Heap-buffer-overflow-in-fgetwln-function-of-libbsd.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIQKQ42Z7553D46QY3IMIQKS52QTNIHY/" + }, + { + "url": "https://security.gentoo.org/glsa/201607-13" + }, + { + "url": "https://usn.ubuntu.com/4243-1/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-2090" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4243-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-115", + "references": [ + { + "id": "USN-4243-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4243-1" + } + } + ], + "created": "2017-01-13T16:59:00Z", + "description": "Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow.", + "affects": [ + { + "ref": "comp-165" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2090" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2090" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2090.html" + } + }, + { + "severity": "none", + "score": 0.01181, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-2090" + } + } + ], + "id": "CVE-2016-2090", + "updated": "2023-11-07T02:30:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-165", + "value": "0:0.6.0-2ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.apache.org/thread.html/r0e913668380f59bcbd14fdd8ae8d24f95f99995e290cd18a7822c6e5@" + }, + { + "url": "https://gitlab.freedesktop.org/libbsd/libbsd/commit/9d917aad37778a9f4a96ba358415f077f3f36f3b" + }, + { + "url": "https://lists.apache.org/thread.html/ra781e51cf1ec40381c98cddc073b3576fb56c3978f4564d2fa431550@" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00027.html" + }, + { + "url": "https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html" + }, + { + "url": "https://usn.ubuntu.com/4243-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4243-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-20367" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-116", + "ratings": [ + { + "severity": "none", + "score": 0.00465, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20367" + } + }, + { + "severity": "medium", + "score": 9.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20367.html" + } + }, + { + "severity": "critical", + "score": 9.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20367" + } + } + ], + "created": "2020-01-08T17:15:11Z", + "description": "nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).", + "affects": [ + { + "ref": "comp-165" + } + ], + "id": "CVE-2019-20367", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20367" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:09:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-165", + "value": "0:0.6.0-2ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html" + }, + { + "url": "https://hackerone.com/reports/1590071" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5197" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6159" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5499-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-32208" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1875.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5495-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1646.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8840" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8841" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6157" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-32208" + } + ], + "bom-ref": "vuln-117", + "references": [ + { + "id": "USN-5499-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5499-1" + } + } + ], + "created": "2022-07-07T13:15:08Z", + "description": "When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32208" + }, + "cwes": [ + 840, + 787 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-32208.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32208" + } + }, + { + "severity": "none", + "score": 0.00296, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-32208" + } + } + ], + "id": "CVE-2022-32208", + "updated": "2024-03-27T15:00:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@" + }, + { + "url": "https://security.gentoo.org/glsa/202105-34" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1679" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-18276" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5380-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-18276" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-118", + "references": [ + { + "id": "USN-5380-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5380-1" + } + } + ], + "created": "2019-11-28T01:15:10Z", + "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "affects": [ + { + "ref": "comp-249" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276" + }, + "cwes": [ + 273 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18276.html" + } + }, + { + "severity": "none", + "score": 0.00108, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18276" + } + } + ], + "id": "CVE-2019-18276", + "updated": "2023-11-07T03:06:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-249", + "value": "0:4.3-7ubuntu1.8+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://hackerone.com/reports/1334763" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://support.apple.com/kb/HT213183" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5197" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0635" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1724.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-22947" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1354" + }, + { + "url": "https://support.microsoft.com/help/5009566" + }, + { + "url": "https://support.microsoft.com/help/5009555" + }, + { + "url": "https://support.microsoft.com/help/5009543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009557" + }, + { + "url": "https://support.microsoft.com/help/5009557" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1549.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4059" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5079-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5079-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5079-3" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009543" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5079-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009566" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009555" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009545" + }, + { + "url": "https://launchpad.net/bugs/1944120(regressionbug)" + } + ], + "bom-ref": "vuln-119", + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22947.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22947" + } + } + ], + "created": "2021-09-29T20:15:08Z", + "description": "When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "id": "CVE-2021-22947", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947" + }, + "cwes": [ + 345, + 310 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-27T15:03:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202105-09" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/" + }, + { + "url": "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28831" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5179-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985674" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5179-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-28831" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6335-1" + } + ], + "bom-ref": "vuln-120", + "ratings": [ + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-28831.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831" + } + }, + { + "severity": "none", + "score": 0.00767, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-28831" + } + } + ], + "created": "2021-03-19T05:15:13Z", + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "affects": [ + { + "ref": "comp-262" + }, + { + "ref": "comp-261" + } + ], + "id": "CVE-2021-28831", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831" + }, + "cwes": [ + 755 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:32:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-262", + "value": "1:1.21.0-1ubuntu1.4+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-261", + "value": "1:1.21.0-1ubuntu1.4+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1464691" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-11113" + } + ], + "bom-ref": "vuln-121", + "ratings": [ + { + "severity": "none", + "score": 0.00222, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-11113" + } + }, + { + "severity": "info", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11113.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11113" + } + } + ], + "created": "2017-07-08T17:29:00Z", + "description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-11113", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11113" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2019-05-06T15:00:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://hackerone.com/reports/1334111" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://support.apple.com/kb/HT213183" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5197" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22946" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0635" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-22946" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1724.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4059" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5079-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1354" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017589" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5079-1" + } + ], + "bom-ref": "vuln-122", + "references": [ + { + "id": "USN-5079-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5079-2" + } + } + ], + "created": "2021-09-29T20:15:08Z", + "description": "A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946" + }, + "cwes": [ + 325, + 319 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22946.html" + } + }, + { + "severity": "none", + "score": 0.00279, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22946" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946" + } + } + ], + "id": "CVE-2021-22946", + "updated": "2024-03-27T15:12:52Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-123", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-218" + }, + { + "ref": "comp-216" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-218", + "value": "0:2.19-0ubuntu6.15+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-216", + "value": "0:2.19-0ubuntu6.15+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2126" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2126" + } + ], + "bom-ref": "vuln-124", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2126" + } + }, + { + "severity": "none", + "score": 0.0017, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2126" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2126.html" + } + } + ], + "created": "2022-06-19T13:15:07Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2126", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2126" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.python.org/issue34656" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1204.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20406" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1202.html" + } + ], + "bom-ref": "vuln-125", + "ratings": [ + { + "severity": "none", + "score": 0.00655, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20406" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20406.html" + } + } + ], + "created": "2018-12-23T23:29:00Z", + "description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2018-20406", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:56:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/" + }, + { + "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1587" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1700" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2437" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1324.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-10160" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1258.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1258.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1259.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1259.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + } + ], + "bom-ref": "vuln-126", + "references": [ + { + "id": "USN-4127-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4127-2" + } + } + ], + "created": "2019-06-07T18:29:00Z", + "description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160" + }, + "cwes": [ + 522, + 172 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160" + } + }, + { + "severity": "none", + "score": 0.00291, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-10160" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10160.html" + } + } + ], + "id": "CVE-2019-10160", + "updated": "2023-02-12T23:33:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-28T04:45:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00002.html" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4822" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1601.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-29361" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-29361" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4677-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4677-1" + }, + { + "url": "https://lists.freedesktop.org/archives/p11-glue/2020-December/000712.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1609" + } + ], + "bom-ref": "vuln-127", + "references": [ + { + "id": "USN-4677-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4677-2" + } + } + ], + "created": "2020-12-16T14:15:12Z", + "description": "An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.", + "affects": [ + { + "ref": "comp-7" + }, + { + "ref": "comp-8" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29361" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-29361.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29361" + } + }, + { + "severity": "none", + "score": 0.00562, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-29361" + } + } + ], + "id": "CVE-2020-29361", + "updated": "2023-11-07T03:21:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-01-31T20:51:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-7", + "value": "0:0.20.2-2ubuntu2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "0:0.20.2-2ubuntu2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/201710-04" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2017:1574" + }, + { + "url": "https://usn.ubuntu.com/3968-1/" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10205" + }, + { + "url": "https://usn.ubuntu.com/3968-2/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3968-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863897" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3968-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-1000368" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1315.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2017-855.html" + } + ], + "bom-ref": "vuln-128", + "references": [ + { + "id": "USN-3968-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/3968-2" + } + } + ], + "created": "2017-06-05T16:29:00Z", + "description": "Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.", + "affects": [ + { + "ref": "comp-102" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000368" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 8.2, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000368.html" + } + }, + { + "severity": "none", + "score": 0.00065, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-1000368" + } + }, + { + "severity": "high", + "score": 8.2, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000368" + } + } + ], + "id": "CVE-2017-1000368", + "updated": "2019-05-29T19:29:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Sep/25" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/0" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/1" + }, + { + "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4540" + }, + { + "url": "https://security.gentoo.org/glsa/201911-04" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" + }, + { + "url": "https://www.openssl.org/news/secadv/20190910.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://usn.ubuntu.com/4504-1/" + }, + { + "url": "https://usn.ubuntu.com/4376-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4539" + }, + { + "url": "https://arxiv.org/abs/1909.01785" + }, + { + "url": "https://usn.ubuntu.com/4376-2/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1456.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-1547" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1840" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4376-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4376-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4504-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1336" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1337" + } + ], + "bom-ref": "vuln-129", + "references": [ + { + "id": "USN-4376-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4376-2" + } + } + ], + "ratings": [ + { + "severity": "low", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-1547" + } + } + ], + "created": "2019-09-10T17:15:11Z", + "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "affects": [ + { + "ref": "comp-232" + } + ], + "id": "CVE-2019-1547", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:08:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU4NZ6DDU4BEM3ACM3FM6GLEPX56ZQXK/" + }, + { + "url": "https://www.sqlite.org/releaselog/3_13_0.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00022.html" + }, + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-6153" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + } + ], + "bom-ref": "vuln-130", + "ratings": [ + { + "severity": "none", + "score": 0.00115, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-6153" + } + }, + { + "severity": "info", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6153.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6153" + } + } + ], + "created": "2016-09-26T16:59:03Z", + "description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-42" + } + ], + "id": "CVE-2016-6153", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6153" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:33:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/develop/develop-images/instructions/" + } + ], + "bom-ref": "vuln-131", + "ratings": [ + { + "severity": "info", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems.", + "affects": [ + { + "ref": "comp-284" + } + ], + "id": "IN-DOCKER-002", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCQWPEY2AEYBELCMJYHYWYCD3PZVD2H7/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3928" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3928" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1557.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5147-1" + } + ], + "bom-ref": "vuln-132", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3928.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3928" + } + }, + { + "severity": "none", + "score": 0.00054, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3928" + } + } + ], + "created": "2021-11-05T15:15:08Z", + "description": "vim is vulnerable to Use of Uninitialized Variable", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-3928", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3928" + }, + "cwes": [ + 457, + 908 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-12T13:30:31Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2862" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2862" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-133", + "ratings": [ + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2862" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2862.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2862" + } + } + ], + "created": "2022-08-17T20:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0221.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2862", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2862" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:59Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0361" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0361" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0894" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + } + ], + "bom-ref": "vuln-134", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0361" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0361.html" + } + }, + { + "severity": "none", + "score": 0.00089, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0361" + } + } + ], + "created": "2022-01-26T13:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0361", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0361" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-11-09T18:57:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/" + }, + { + "url": "https://security.gentoo.org/glsa/202210-42" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5111" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5739-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-25032" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0976" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0975" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2201" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4592" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5359-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5359-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2197" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1772.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2192" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5439" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1602.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7813" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6736-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1640.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-002.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0943" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1642" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2214" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2213" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1661" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-25032" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8420" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4584" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2198" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1591" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5355-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5355-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4896" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-003.html" + } + ], + "bom-ref": "vuln-135", + "references": [ + { + "id": "USN-5355-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5355-2" + } + } + ], + "created": "2022-03-25T09:15:08Z", + "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "affects": [ + { + "ref": "comp-141" + }, + { + "ref": "comp-185" + }, + { + "ref": "comp-184" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00278, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-25032" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-25032.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032" + } + } + ], + "id": "CVE-2018-25032", + "updated": "2023-11-07T02:56:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-141", + "value": "1:1.2.8.dfsg-1ubuntu1.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-403.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5441" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1893.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-5441" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2319.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + } + ], + "bom-ref": "vuln-136", + "references": [ + { + "id": "USN-6452-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6452-1" + } + } + ], + "created": "2023-10-05T21:15:11Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5441" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5441" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-5441.html" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5441" + } + } + ], + "id": "CVE-2023-5441", + "updated": "2023-11-15T02:33:52Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE62UMYBZE4AE53K6OBBWK32XQ7544QM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4517" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5093-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3796" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1728.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994497" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3796" + } + ], + "bom-ref": "vuln-137", + "ratings": [ + { + "severity": "high", + "score": 7.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3796" + } + }, + { + "severity": "none", + "score": 0.00099, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3796" + } + }, + { + "severity": "medium", + "score": 7.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3796.html" + } + } + ], + "created": "2021-09-15T13:15:08Z", + "description": "vim is vulnerable to Use After Free", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-3796", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3796" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:38:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPH2V3WSQTELROZK3GFCPQDOFLKIZ6H5/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202011-17" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4795" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00011.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73IGOG6CZAVMVNS4GGRMOLOZ7B6QVA7F/" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-28196" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2239" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4635-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1593" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973880" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-28196" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1845.html" + } + ], + "bom-ref": "vuln-138", + "references": [ + { + "id": "USN-4635-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4635-1" + } + } + ], + "created": "2020-11-06T08:15:13Z", + "description": "MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.", + "affects": [ + { + "ref": "comp-56" + }, + { + "ref": "comp-53" + }, + { + "ref": "comp-55" + }, + { + "ref": "comp-54" + }, + { + "ref": "comp-57" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28196" + }, + "cwes": [ + 674 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28196" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-28196.html" + } + }, + { + "severity": "none", + "score": 0.0052, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-28196" + } + } + ], + "id": "CVE-2020-28196", + "updated": "2023-11-07T03:21:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:34:12Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-56", + "value": "0:1.12+dfsg-2ubuntu5.4+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-53", + "value": "0:1.12+dfsg-2ubuntu5.4+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-55", + "value": "0:1.12+dfsg-2ubuntu5.4+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:1.12+dfsg-2ubuntu5.4+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:1.12+dfsg-2ubuntu5.4+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4416-1/" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22343" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2018:3092" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2019:0327" + }, + { + "url": "https://usn.ubuntu.com/4218-1/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2018-1109.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4416-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4218-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-6485" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878159" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2018-992.html" + } + ], + "bom-ref": "vuln-139", + "references": [ + { + "id": "USN-4218-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4218-1" + } + } + ], + "created": "2018-02-01T14:29:00Z", + "description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", + "affects": [ + { + "ref": "comp-218" + }, + { + "ref": "comp-216" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6485" + }, + "cwes": [ + 787, + 190 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html" + } + }, + { + "severity": "none", + "score": 0.00548, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-6485" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6485" + } + } + ], + "id": "CVE-2018-6485", + "updated": "2020-08-24T17:37:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-218", + "value": "0:2.19-0ubuntu6.15+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-216", + "value": "0:2.19-0ubuntu6.15+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3278" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3278" + } + ], + "bom-ref": "vuln-140", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3278" + } + }, + { + "severity": "none", + "score": 0.00119, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3278" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3278.html" + } + } + ], + "created": "2022-09-23T22:15:09Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3278", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3278" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:51:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T08:48:35Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.launchpad.net/bugs/1899193" + }, + { + "url": "https://usn.ubuntu.com/usn/usn-4667-1" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4808" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4667-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4667-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-27350" + } + ], + "bom-ref": "vuln-141", + "references": [ + { + "id": "USN-4667-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4667-2" + } + } + ], + "created": "2020-12-10T04:15:11Z", + "description": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;", + "affects": [ + { + "ref": "comp-79" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27350" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27350" + } + }, + { + "severity": "none", + "score": 0.00048, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-27350" + } + }, + { + "severity": "medium", + "score": 5.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-27350.html" + } + } + ], + "id": "CVE-2020-27350", + "updated": "2022-10-29T02:41:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-15T20:18:49Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-79", + "value": "0:1.0.1ubuntu2.24+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0319" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + } + ], + "bom-ref": "vuln-142", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0319" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0319.html" + } + }, + { + "severity": "none", + "score": 0.00086, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0319" + } + } + ], + "created": "2022-01-21T14:15:07Z", + "description": "Out-of-bounds Read in vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0319", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0319" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-11-09T03:32:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T13:17:18Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5085" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0847" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0824" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0845" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-25236" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0843" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1012" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7811" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25236" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0816" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0815" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1309" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0853" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005895" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1764.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1779.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0850" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1573.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1068" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1263" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1053" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1070" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0818" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0817" + } + ], + "bom-ref": "vuln-143", + "ratings": [ + { + "severity": "none", + "score": 0.03475, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25236" + } + }, + { + "severity": "high", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-25236.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236" + } + } + ], + "created": "2022-02-16T01:15:07Z", + "description": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-25236", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236" + }, + "cwes": [ + 668 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:44:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00015.html" + }, + { + "url": "https://support.apple.com/kb/HT213670" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5836-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0054" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0054" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031875" + } + ], + "bom-ref": "vuln-144", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0054.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0054" + } + }, + { + "severity": "none", + "score": 0.00071, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0054" + } + } + ], + "created": "2023-01-04T19:15:09Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-0054", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0054" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-06-12T20:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T10:10:34Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2124" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2124" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-145", + "ratings": [ + { + "severity": "none", + "score": 0.0017, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2124" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2124.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2124" + } + } + ], + "created": "2022-06-19T10:15:09Z", + "description": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2124", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2124" + }, + "cwes": [ + 125, + 126 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3520" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1902.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1663.html" + } + ], + "bom-ref": "vuln-146", + "ratings": [ + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3520.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3520" + } + }, + { + "severity": "none", + "score": 0.00147, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3520" + } + } + ], + "created": "2022-12-02T19:15:11Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3520", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3520" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2845" + } + ], + "bom-ref": "vuln-147", + "ratings": [ + { + "severity": "none", + "score": 0.00105, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2845" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2845.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845" + } + } + ], + "created": "2022-08-17T15:15:07Z", + "description": "Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.\n\n", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2845", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845" + }, + "cwes": [ + 1284 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-07-10T16:15:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://web.mit.edu/kerberos/krb5-1.19/" + }, + { + "url": "https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt" + }, + { + "url": "https://bugzilla.samba.org/show_bug.cgi?id=15203" + }, + { + "url": "https://web.mit.edu/kerberos/advisories/" + }, + { + "url": "https://security.gentoo.org/glsa/202310-06" + }, + { + "url": "https://www.samba.org/samba/security/CVE-2022-42898.html" + }, + { + "url": "https://security.gentoo.org/glsa/202309-06" + }, + { + "url": "https://access.redhat.com/errata/RHEA-2023:3850" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5936-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8640" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8662" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8663" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8641" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8669" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:9029" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5800-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5828-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-42898" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42898" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8639" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5822-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8637" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5822-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8638" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1915.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1667.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-103.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1680.html" + } + ], + "bom-ref": "vuln-148", + "references": [ + { + "id": "USN-5800-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5800-1" + } + } + ], + "created": "2022-12-25T06:15:09Z", + "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has \"a similar bug.\"", + "affects": [ + { + "ref": "comp-54" + }, + { + "ref": "comp-99" + }, + { + "ref": "comp-57" + }, + { + "ref": "comp-97" + }, + { + "ref": "comp-56" + }, + { + "ref": "comp-91" + }, + { + "ref": "comp-53" + }, + { + "ref": "comp-98" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42898" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42898" + } + }, + { + "severity": "none", + "score": 0.00491, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42898" + } + }, + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-42898.html" + } + } + ], + "id": "CVE-2022-42898", + "updated": "2023-10-08T09:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:39Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-56", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-91", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-53", + "value": "0:1.12+dfsg-2ubuntu5.4+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-98", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCLJN4QINITA3ZASKLEJ64C5TFNKELMO/" + }, + { + "url": "https://support.apple.com/kb/HT213844" + }, + { + "url": "https://support.apple.com/kb/HT213845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6154-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2085.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-194.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2609" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1761.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-149", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2609" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-2609.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2609" + } + } + ], + "created": "2023-05-09T18:15:14Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-2609", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2609" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-12-23T07:15:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T06:05:12Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm10" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48231" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1902.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-150", + "ratings": [ + { + "severity": "none", + "score": 0.00071, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48231" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48231" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48231.html" + } + } + ], + "created": "2023-11-16T23:15:08Z", + "description": "Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48231", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48231" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-28T17:39:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202305-02" + }, + { + "url": "https://bugs.python.org/issue43882" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0391" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1764" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0391" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1663" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6457" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5342-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5342-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3254" + } + ], + "bom-ref": "vuln-151", + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0391.html" + } + }, + { + "severity": "none", + "score": 0.00213, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0391" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391" + } + } + ], + "created": "2022-02-09T23:15:16Z", + "description": "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2022-0391", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391" + }, + "cwes": [ + 74 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2020:0540" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0487" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0726" + }, + { + "url": "https://seclists.org/bugtraq/2020/Jan/44" + }, + { + "url": "https://seclists.org/bugtraq/2020/Feb/3" + }, + { + "url": "https://seclists.org/bugtraq/2020/Feb/2" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-12" + }, + { + "url": "https://usn.ubuntu.com/4263-2/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html" + }, + { + "url": "https://support.apple.com/kb/HT210919" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0509" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4614" + }, + { + "url": "https://usn.ubuntu.com/4263-1/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950371" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4263-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4263-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1404.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-18634" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1356.html" + } + ], + "bom-ref": "vuln-152", + "references": [ + { + "id": "USN-4263-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4263-2" + } + } + ], + "created": "2020-01-29T18:15:12Z", + "description": "In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.", + "affects": [ + { + "ref": "comp-102" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18634" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18634" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18634.html" + } + }, + { + "severity": "none", + "score": 0.00184, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18634" + } + } + ], + "id": "CVE-2019-18634", + "updated": "2023-11-07T03:06:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T06:53:17Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1217609" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1788.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1588.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-45960" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-45960" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002994" + } + ], + "bom-ref": "vuln-153", + "references": [ + { + "id": "USN-5288-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5288-1" + } + } + ], + "created": "2022-01-01T19:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).", + "affects": [ + { + "ref": "comp-167" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960" + }, + "cwes": [ + 682 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960" + } + }, + { + "severity": "low", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-45960.html" + } + }, + { + "severity": "none", + "score": 0.01022, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-45960" + } + } + ], + "id": "CVE-2021-45960", + "updated": "2022-10-06T19:08:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html" + }, + { + "url": "https://bugs.python.org/issue39017" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://usn.ubuntu.com/4428-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/" + }, + { + "url": "https://security.gentoo.org/glsa/202008-01" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1483.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4654" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4433" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4428-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4641" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4299" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1429.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-008.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970099" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1427.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1484.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5009" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20907" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1432.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0528" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-20907" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4285" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4273" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5010" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1428.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0761" + } + ], + "bom-ref": "vuln-154", + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20907.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907" + } + }, + { + "severity": "none", + "score": 0.01206, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20907" + } + } + ], + "created": "2020-07-13T13:15:10Z", + "description": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2019-20907", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:09:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5236" + }, + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html" + }, + { + "url": "https://security.gentoo.org/glsa/202211-06" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1877.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3068" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7021" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7022" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7020" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7025" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8598" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7026" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7023" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7024" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-40674" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7019" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1654.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6921" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6967" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5726-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019761" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8841" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASFIREFOX-2023-010.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1900.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6995" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6832" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6997" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6996" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6878" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6834" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6998" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6833" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6838" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-40674" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5638-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5638-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5638-4" + } + ], + "bom-ref": "vuln-155", + "references": [ + { + "id": "USN-5638-4", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5638-4" + } + } + ], + "created": "2022-09-14T11:15:54Z", + "description": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.", + "affects": [ + { + "ref": "comp-166" + }, + { + "ref": "comp-167" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-40674.html" + } + }, + { + "severity": "high", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674" + } + }, + { + "severity": "none", + "score": 0.00562, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40674" + } + } + ], + "id": "CVE-2022-40674", + "updated": "2023-11-07T03:52:34Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:39Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-166", + "value": "0:2.1.0-4ubuntu1.4+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4472" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226" + }, + { + "url": "https://security.gentoo.org/glsa/201911-08" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html" + }, + { + "url": "https://usn.ubuntu.com/4040-2/" + }, + { + "url": "https://usn.ubuntu.com/4040-1/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jun/39" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://support.f5.com/csp/article/K51011533" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3952" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1513.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4484" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2646" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4846" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2644" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1459.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20843" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-20843" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4040-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4040-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4852-1" + } + ], + "bom-ref": "vuln-156", + "references": [ + { + "id": "USN-4040-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4040-2" + } + } + ], + "created": "2019-06-24T17:15:09Z", + "description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).", + "affects": [ + { + "ref": "comp-167" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843" + }, + "cwes": [ + 611 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20843.html" + } + }, + { + "severity": "none", + "score": 0.6091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20843" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843" + } + } + ], + "id": "CVE-2018-20843", + "updated": "2023-11-07T02:56:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYC22GGZ6QA66HLNLHCTAJU265TT3O33/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1681.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-4292" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1927.html" + } + ], + "bom-ref": "vuln-157", + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-4292.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4292" + } + }, + { + "severity": "none", + "score": 0.00079, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-4292" + } + } + ], + "created": "2022-12-05T19:15:10Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0882.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-4292", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4292" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:57:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://docs.npmjs.com/cli/v10/using-npm/config" + } + ], + "bom-ref": "vuln-158", + "ratings": [ + { + "severity": "high", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Weakened Environment Variable: 'NPM_CONFIG_STRICT_SSL' is false, disabling TLS certificate validation when 'npm' makes requests to the Node Package Manager registry via https.", + "affects": [ + { + "ref": "comp-284" + } + ], + "id": "IN-DOCKER-006-001", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5516-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2207" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2207" + } + ], + "bom-ref": "vuln-159", + "ratings": [ + { + "severity": "none", + "score": 0.00131, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2207" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2207" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2207.html" + } + } + ], + "created": "2022-06-27T12:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2207", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2207" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/" + }, + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4733" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1837.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4733" + } + ], + "bom-ref": "vuln-160", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4733.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4733" + } + }, + { + "severity": "none", + "score": 0.00056, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4733" + } + } + ], + "created": "2023-09-04T14:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.1840.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4733", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4733" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-01T17:56:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5085" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7811" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25314" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5314" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5320-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-25314" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5244" + } + ], + "bom-ref": "vuln-161", + "ratings": [ + { + "severity": "none", + "score": 0.00891, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25314" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-25314.html" + } + } + ], + "created": "2022-02-18T05:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-25314", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:44:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484290" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13733" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873746" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + } + ], + "bom-ref": "vuln-162", + "ratings": [ + { + "severity": "info", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13733.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13733" + } + }, + { + "severity": "none", + "score": 0.00224, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13733" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13733", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13733" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:38:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7FF2UH7MPXKTADYSJUAHI2Y5UHBSHUH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34NXVL2RZC2YZRV74ZQ3RNFB7WCEUP7D/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7811" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-23990" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1882.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2280.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + } + ], + "bom-ref": "vuln-163", + "ratings": [ + { + "severity": "none", + "score": 0.00642, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23990" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-23990.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990" + } + } + ], + "created": "2022-01-26T19:15:08Z", + "description": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-23990", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:44:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1720" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-164", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1720" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1720.html" + } + }, + { + "severity": "none", + "score": 0.00649, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1720" + } + } + ], + "created": "2022-06-20T15:15:10Z", + "description": "Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1720", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1720" + }, + "cwes": [ + 125, + 126 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/" + }, + { + "url": "https://www.sqlite.org/src/info/90acdbfce9c08858" + }, + { + "url": "https://www.sqlite.org/releaselog/3_28_0.html" + }, + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/" + }, + { + "url": "https://usn.ubuntu.com/4004-1/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://usn.ubuntu.com/4004-2/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4004-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4004-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929775" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-8457" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1810" + } + ], + "bom-ref": "vuln-165", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457" + } + }, + { + "severity": "none", + "score": 0.00527, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-8457" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-8457.html" + } + } + ], + "created": "2019-05-30T16:29:01Z", + "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-248" + }, + { + "ref": "comp-42" + } + ], + "id": "CVE-2019-8457", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:13:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-248", + "value": "0:5.3.28-3ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4738" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4738" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1826.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + } + ], + "bom-ref": "vuln-166", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4738" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4738" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4738.html" + } + } + ], + "created": "2023-09-02T20:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4738", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4738" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-01T16:16:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2022-2928" + }, + { + "url": "https://security.gentoo.org/glsa/202305-22" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1874.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2502" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021320" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2928" + }, + { + "url": "https://lists.isc.org/pipermail/dhcp-announce/2022-October/000437.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5658-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5658-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3000" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5658-3" + } + ], + "bom-ref": "vuln-167", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2928" + } + }, + { + "severity": "none", + "score": 0.00107, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2928" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2928.html" + } + } + ], + "created": "2022-10-07T05:15:08Z", + "description": "In ISC DHCP 4.4.0 -> 4.4.3, ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.", + "affects": [ + { + "ref": "comp-158" + } + ], + "id": "CVE-2022-2928", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2928" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:47:05Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-158", + "value": "0:4.2.4-7ubuntu12.13+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCCZTAYZATTNSNEAXWA7U3HCO2OVQKT5/" + }, + { + "url": "https://usn.ubuntu.com/4428-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X36Y523UAZY5QFXZAAORNFY63HLBWX7N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00016.html" + }, + { + "url": "https://bugs.python.org/issue41004" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://security.gentoo.org/glsa/202008-01" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4433" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4428-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-14422" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4641" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4299" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-008.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1484.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2151.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1432.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4285" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-14422" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5010" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2174.html" + } + ], + "bom-ref": "vuln-168", + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422" + } + }, + { + "severity": "low", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14422.html" + } + }, + { + "severity": "none", + "score": 0.00883, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-14422" + } + } + ], + "created": "2020-06-18T14:15:11Z", + "description": "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2020-14422", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422" + }, + "cwes": [ + 330, + 682 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:17:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1616" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1616" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-169", + "ratings": [ + { + "severity": "none", + "score": 0.00403, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1616" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1616" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1616.html" + } + } + ], + "created": "2022-05-07T19:15:07Z", + "description": "Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1616", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1616" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:42:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/HT209443" + }, + { + "url": "https://sqlite.org/src/info/940f2adc8541a838" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://support.apple.com/HT209446" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365" + }, + { + "url": "https://support.apple.com/HT209450" + }, + { + "url": "https://support.apple.com/HT209451" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00012.html" + }, + { + "url": "https://support.apple.com/HT209447" + }, + { + "url": "https://support.apple.com/HT209448" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1659379" + }, + { + "url": "https://access.redhat.com/articles/3758321" + }, + { + "url": "https://chromium.googlesource.com/chromium/src/+/c368e30ae55600a1c3c9cb1710a54f9c55de786e" + }, + { + "url": "https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU4NZ6DDU4BEM3ACM3FM6GLEPX56ZQXK/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1659677" + }, + { + "url": "https://security.gentoo.org/glsa/201904-21" + }, + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://www.sqlite.org/releaselog/3_25_3.html" + }, + { + "url": "https://sqlite.org/src/info/d44318f59044162e" + }, + { + "url": "https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20346" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-170", + "ratings": [ + { + "severity": "high", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20346" + } + }, + { + "severity": "none", + "score": 0.89999, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20346" + } + }, + { + "severity": "medium", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20346.html" + } + } + ], + "created": "2018-12-21T21:29:00Z", + "description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-42" + } + ], + "id": "CVE-2018-20346", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20346" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T02:56:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:36:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.exploit-db.com/exploits/44909/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2077" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2018:3854" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2018:3853" + }, + { + "url": "https://security.gentoo.org/glsa/201903-15" + }, + { + "url": "https://usn.ubuntu.com/4229-1/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-12327" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1470" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2018-1083.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4229-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1367.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4229-2" + } + ], + "bom-ref": "vuln-171", + "references": [ + { + "id": "USN-4229-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4229-1" + } + } + ], + "created": "2018-06-20T14:29:00Z", + "description": "Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.", + "affects": [ + { + "ref": "comp-186" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12327" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12327.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12327" + } + }, + { + "severity": "none", + "score": 0.0265, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-12327" + } + } + ], + "id": "CVE-2018-12327", + "updated": "2020-08-24T17:37:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-11T23:23:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-186", + "value": "1:4.2.6.p5+dfsg-3ubuntu2.14.04.13+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4333-2/" + }, + { + "url": "https://usn.ubuntu.com/4333-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/" + }, + { + "url": "https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da@" + }, + { + "url": "https://bugs.python.org/issue39503" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://security.gentoo.org/glsa/202005-09" + }, + { + "url": "https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5@" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4433" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4641" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4333-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5200-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-8492" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4333-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970099" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1406.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-006.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3888" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1432.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1471.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4285" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1407.html" + } + ], + "bom-ref": "vuln-172", + "ratings": [ + { + "severity": "low", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8492.html" + } + }, + { + "severity": "none", + "score": 0.00837, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-8492" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8492" + } + } + ], + "created": "2020-01-30T19:15:12Z", + "description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2020-8492", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8492" + }, + "cwes": [ + 400 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:26:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/" + }, + { + "url": "https://hackerone.com/reports/1176461" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5197" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-22898" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1509.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1700.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1653.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5021-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5021-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5894-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22898" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989228" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4511" + } + ], + "bom-ref": "vuln-173", + "references": [ + { + "id": "USN-5894-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5894-1" + } + } + ], + "created": "2021-06-11T16:15:11Z", + "description": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898" + }, + "cwes": [ + 909, + 200 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "low", + "score": 3.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-22898.html" + } + }, + { + "severity": "none", + "score": 0.00201, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22898" + } + }, + { + "severity": "low", + "score": 3.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898" + } + } + ], + "id": "CVE-2021-22898", + "updated": "2024-03-27T15:47:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://support.apple.com/kb/HT212325" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4881" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html" + }, + { + "url": "https://support.apple.com/kb/HT212327" + }, + { + "url": "https://security.gentoo.org/glsa/202012-14" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/" + }, + { + "url": "https://support.apple.com/kb/HT212326" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://hackerone.com/reports/1040166" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2471" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1693.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977163" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4665-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-8284" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2472" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8284" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1610" + } + ], + "bom-ref": "vuln-174", + "ratings": [ + { + "severity": "none", + "score": 0.00115, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-8284" + } + }, + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284" + } + }, + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8284.html" + } + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "id": "CVE-2020-8284", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284" + }, + "cwes": [ + 200 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-08T22:50:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5492-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2042" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-175", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2042" + } + }, + { + "severity": "none", + "score": 0.00102, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2042" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2042.html" + } + } + ], + "created": "2022-06-10T19:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2042", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2042" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:15:40Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2571" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2571" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + } + ], + "bom-ref": "vuln-176", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2571.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2571" + } + }, + { + "severity": "none", + "score": 0.00074, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2571" + } + } + ], + "created": "2022-08-01T15:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2571", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2571" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-08-04T23:31:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48235" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1902.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-177", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48235.html" + } + }, + { + "severity": "none", + "score": 0.00164, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48235" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48235" + } + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48235", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48235" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:33:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4309-1/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20786" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4309-1" + } + ], + "bom-ref": "vuln-178", + "references": [ + { + "id": "USN-4309-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4309-1" + } + } + ], + "created": "2019-02-24T14:29:00Z", + "description": "libvterm through 0+bzr726, as used in Vim and other products, mishandles certain out-of-memory conditions, leading to a denial of service (application crash), related to screen.c, state.c, and vterm.c.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-160" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20786" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00258, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20786" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20786" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20786.html" + } + } + ], + "id": "CVE-2018-20786", + "updated": "2020-03-30T20:15:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "2:7.4.052-1ubuntu3.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://support.apple.com/kb/HT213343" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://support.apple.com/kb/HT213183" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5433-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0366" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-4192" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-4192" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1557.html" + } + ], + "bom-ref": "vuln-179", + "ratings": [ + { + "severity": "none", + "score": 0.00137, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4192" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-4192.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4192" + } + } + ], + "created": "2021-12-31T15:15:08Z", + "description": "vim is vulnerable to Use After Free", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-4192", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4192" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:40:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3896" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3896" + } + ], + "bom-ref": "vuln-180", + "ratings": [ + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-3896" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3896" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-3896.html" + } + } + ], + "created": "2023-08-07T13:15:12Z", + "description": "Divide By Zero in vim/vim from 9.0.1367-1 to 9.0.1367-3\n", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-3896", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3896" + }, + "cwes": [ + 369 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-08-31T19:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5085" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0847" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1539" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0824" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-25235" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0845" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0843" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-068.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1012" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7811" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1585.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0816" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0815" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1309" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25235" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1795.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1644" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1764.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1643" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005894" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0850" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1779.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1068" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1573.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1540" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1263" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1053" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1070" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0818" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0817" + } + ], + "bom-ref": "vuln-181", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235" + } + }, + { + "severity": "none", + "score": 0.01471, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25235" + } + }, + { + "severity": "high", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-25235.html" + } + } + ], + "created": "2022-02-16T01:15:07Z", + "description": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-25235", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235" + }, + "cwes": [ + 116 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:44:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3324" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5775-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3324" + } + ], + "bom-ref": "vuln-182", + "references": [ + { + "id": "USN-6420-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6420-1" + } + } + ], + "created": "2022-09-27T23:15:15Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3324" + }, + "cwes": [ + 787, + 121 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3324" + } + }, + { + "severity": "none", + "score": 0.00103, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3324" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3324.html" + } + } + ], + "id": "CVE-2022-3324", + "updated": "2023-11-07T03:51:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1725" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-183", + "ratings": [ + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1725.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1725" + } + }, + { + "severity": "none", + "score": 0.00076, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1725" + } + } + ], + "created": "2022-09-29T03:15:15Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1725", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1725" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:05:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc" + }, + { + "url": "https://www.openssl.org/news/secadv/20201208.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202012-13" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e" + }, + { + "url": "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@" + }, + { + "url": "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4807" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5623" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5566" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5588" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5642" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5422" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5641" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5640" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-1971" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4745-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1971" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0494" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0495" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0056" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5476" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0491" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5639" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1573.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:5637" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1456.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0489" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4662-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0488" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0486" + } + ], + "bom-ref": "vuln-184", + "references": [ + { + "id": "USN-4745-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4745-1" + } + } + ], + "created": "2020-12-08T16:15:11Z", + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "affects": [ + { + "ref": "comp-232" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971" + } + }, + { + "severity": "none", + "score": 0.00425, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-1971" + } + }, + { + "severity": "high", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1971.html" + } + } + ], + "id": "CVE-2020-1971", + "updated": "2023-11-07T03:19:39Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2023/dsa-5321" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html" + }, + { + "url": "https://security.gentoo.org/glsa/202305-12" + }, + { + "url": "https://support.apple.com/kb/HT213758" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1985.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0287" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1682.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0859" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-22809" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5811-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5811-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5811-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0291" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0280" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3262" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3276" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-106.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3264" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0284" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0283" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0293" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0282" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0292" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0281" + } + ], + "bom-ref": "vuln-185", + "references": [ + { + "id": "USN-5811-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5811-3" + } + } + ], + "created": "2023-01-18T17:15:10Z", + "description": "In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a \"--\" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.", + "affects": [ + { + "ref": "comp-102" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22809" + }, + "cwes": [ + 269 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-22809.html" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-22809" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22809" + } + } + ], + "id": "CVE-2023-22809", + "updated": "2023-11-17T19:32:56Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T23:53:18Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079" + }, + { + "url": "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4" + }, + { + "url": "https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-39804" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-475.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6543-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2390.html" + } + ], + "bom-ref": "vuln-186", + "references": [ + { + "id": "USN-6543-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6543-1" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39804" + } + } + ], + "created": "2024-03-27T04:15:08Z", + "description": "In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.", + "affects": [ + { + "ref": "comp-172" + } + ], + "id": "CVE-2023-39804", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-172", + "value": "0:1.27.1-1ubuntu0.1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2021/dsa-4881" + }, + { + "url": "https://hackerone.com/reports/874778" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2471" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4402-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965280" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2472" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8169" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-8169" + } + ], + "bom-ref": "vuln-187", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8169.html" + } + }, + { + "severity": "none", + "score": 0.00653, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-8169" + } + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "id": "CVE-2020-8169", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169" + }, + "cwes": [ + 200 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-27T16:04:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-03-28T12:17:35Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT209451" + }, + { + "url": "https://support.apple.com/kb/HT209450" + }, + { + "url": "https://sqlite.org/src/info/940f2adc8541a838" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365" + }, + { + "url": "https://support.apple.com/kb/HT209443" + }, + { + "url": "https://support.apple.com/kb/HT209446" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jan/28" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jan/39" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jan/29" + }, + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jan/33" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jan/31" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jan/32" + }, + { + "url": "https://support.apple.com/kb/HT209448" + }, + { + "url": "https://support.apple.com/kb/HT209447" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20506" + } + ], + "bom-ref": "vuln-188", + "ratings": [ + { + "severity": "none", + "score": 0.01782, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20506" + } + }, + { + "severity": "medium", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20506.html" + } + }, + { + "severity": "high", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20506" + } + } + ], + "created": "2019-04-03T18:29:01Z", + "description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-42" + } + ], + "id": "CVE-2018-20506", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20506" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2021-07-31T08:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:36:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365" + }, + { + "url": "https://seclists.org/bugtraq/2019/Sep/25" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/0" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/1" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4540" + }, + { + "url": "https://security.gentoo.org/glsa/201911-04" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/" + }, + { + "url": "https://www.openssl.org/news/secadv/20190910.txt" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "url": "https://usn.ubuntu.com/4504-1/" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4539" + }, + { + "url": "https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_medium=RSS" + }, + { + "url": "https://usn.ubuntu.com/4376-1/" + }, + { + "url": "https://usn.ubuntu.com/4376-2/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1456.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1840" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4376-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4376-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4504-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1336" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-1563" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1344.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1337" + } + ], + "bom-ref": "vuln-189", + "ratings": [ + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1563" + } + }, + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1563.html" + } + }, + { + "severity": "none", + "score": 0.01508, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-1563" + } + } + ], + "created": "2019-09-10T17:15:11Z", + "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "affects": [ + { + "ref": "comp-232" + } + ], + "id": "CVE-2019-1563", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1563" + }, + "cwes": [ + 203, + 327 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:08:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm1" + } + ] + }, + { + "bom-ref": "vuln-190", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2022-12-06T12:56:08Z", + "description": "USN-5761-1 updated ca-certificates. This update provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n Due to security concerns, the TrustCor certificate authority has been\n marked as distrusted in Mozilla's root store. This update removes the\n TrustCor CA certificates from the ca-certificates package.\n", + "affects": [ + { + "ref": "comp-30" + } + ], + "id": "USN-5761-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5761-2" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-30", + "value": "0:20211016~14.04.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT214038" + }, + { + "url": "https://support.apple.com/kb/HT214036" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/" + }, + { + "url": "https://support.apple.com/kb/HT214037" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOXBUJLJ5VSPN3YXWN7XZA4JDYKNE7GZ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4W665GQBN6S6ZDMYWVF4X7KMFI7AQKJL/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-378.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053694" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1893.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2288.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5344" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-5344" + } + ], + "bom-ref": "vuln-191", + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-5344.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5344" + } + }, + { + "severity": "none", + "score": 0.00182, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5344" + } + } + ], + "created": "2023-10-02T20:15:10Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-5344", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5344" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-13T01:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "bom-ref": "vuln-192", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2022-11-29T17:23:51Z", + "description": "USN-5745-1 fixed vulnerabilities in shadow. Unfortunately that update\nintroduced a regression that caused useradd to behave incorrectly in Ubuntu\n14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This\nupdate reverts the security fix pending further investigation.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n Florian Weimer discovered that shadow was not properly copying and removing\n user directory trees, which could lead to a race condition. A local attacker\n could possibly use this issue to setup a symlink attack and alter or remove\n directories without authorization.\n", + "affects": [ + { + "ref": "comp-267" + }, + { + "ref": "comp-268" + } + ], + "id": "USN-5745-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5745-2" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-267", + "value": "1:4.1.5.1-1ubuntu9.5+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-268", + "value": "1:4.1.5.1-1ubuntu9.5+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2139327" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html" + }, + { + "url": "https://security.gentoo.org/glsa/202305-15" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0100" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0336" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3821" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5928-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1899.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1105" + } + ], + "bom-ref": "vuln-193", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3821" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3821" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3821.html" + } + } + ], + "created": "2022-11-08T22:15:16Z", + "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", + "affects": [ + { + "ref": "comp-16" + }, + { + "ref": "comp-17" + } + ], + "id": "CVE-2022-3821", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3821" + }, + "cwes": [ + 193 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:51:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:31Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-16", + "value": "0:204-5ubuntu20.31+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-17", + "value": "0:204-5ubuntu20.31+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4359-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/" + }, + { + "url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/" + }, + { + "url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6" + }, + { + "url": "https://bugs.launchpad.net/bugs/1878177" + }, + { + "url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html" + }, + { + "url": "https://usn.ubuntu.com/4359-2/" + }, + { + "url": "https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-3810" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4359-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4359-1" + } + ], + "bom-ref": "vuln-194", + "references": [ + { + "id": "USN-4359-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4359-2" + } + } + ], + "created": "2020-05-15T14:15:11Z", + "description": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.", + "affects": [ + { + "ref": "comp-79" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3810" + }, + "cwes": [ + 125, + 20 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-3810.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3810" + } + }, + { + "severity": "none", + "score": 0.00125, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-3810" + } + } + ], + "id": "CVE-2020-3810", + "updated": "2023-11-07T03:23:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2023-06-07T12:15:06Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-79", + "value": "0:1.0.1ubuntu2.24+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ57ICDLMVYEREXQGZWL4GWI7FRJCRQT/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209113" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPEGCFMCN5KGCFX5Y2VTKR732TTD4ADW/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5071" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036114" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4524" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6166-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6166-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2603" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2603" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7400" + }, + { + "url": "https://sites.google.com/site/fullycapable/release-notes-for-libcap" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0436" + } + ], + "bom-ref": "vuln-195", + "references": [ + { + "id": "USN-6166-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6166-2" + } + } + ], + "created": "2023-06-06T20:15:13Z", + "description": "A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.", + "affects": [ + { + "ref": "comp-130" + }, + { + "ref": "comp-132" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-2603.html" + } + }, + { + "severity": "none", + "score": 0.00051, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2603" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603" + } + } + ], + "id": "CVE-2023-2603", + "updated": "2023-11-30T05:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-130", + "value": "1:2.24-0ubuntu2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-132", + "value": "1:2.24-0ubuntu2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2020/dsa-4606" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:4238" + }, + { + "url": "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html" + }, + { + "url": "https://usn.ubuntu.com/4298-2/" + }, + { + "url": "https://usn.ubuntu.com/4298-1/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-08" + }, + { + "url": "https://seclists.org/bugtraq/2020/Jan/27" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-13751" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4396" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-196", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13751.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13751" + } + }, + { + "severity": "none", + "score": 0.01021, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13751" + } + } + ], + "created": "2019-12-10T22:15:14Z", + "description": "Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "affects": [ + { + "ref": "comp-42" + }, + { + "ref": "comp-43" + } + ], + "id": "CVE-2019-13751", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13751" + }, + "cwes": [ + 908 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:04:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32487" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068938" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6756-1" + } + ], + "bom-ref": "vuln-197", + "references": [ + { + "id": "USN-6756-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6756-1" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32487" + } + } + ], + "created": "2024-04-13T15:15:52Z", + "description": "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", + "affects": [ + { + "ref": "comp-86" + } + ], + "id": "CVE-2024-32487", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-86", + "value": "0:458-2ubuntu0.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1754.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23852" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4834" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-23852" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1569.html" + } + ], + "bom-ref": "vuln-198", + "ratings": [ + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-23852.html" + } + }, + { + "severity": "none", + "score": 0.01423, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-23852" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852" + } + } + ], + "created": "2022-01-24T02:15:06Z", + "description": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-23852", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-10-29T02:44:33Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://kb.isc.org/docs/cve-2021-25217" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5QI4DYC7J4BGHEW3NH4XHMWTHYC36UK4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LB42JWIV4M4WDNXX5VGIP26FEYWKIF/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-22" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-406691.pdf" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00002.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1510.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4969-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4969-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2405" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2416" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2415" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2469" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2414" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2359" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989157" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2519" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-25217" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2419" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2418" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2420" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25217" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1654.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2555" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2357" + } + ], + "bom-ref": "vuln-199", + "references": [ + { + "id": "USN-4969-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4969-2" + } + } + ], + "created": "2021-05-26T22:15:07Z", + "description": "In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.", + "affects": [ + { + "ref": "comp-158" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25217" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00277, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25217" + } + }, + { + "severity": "high", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25217" + } + }, + { + "severity": "medium", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-25217.html" + } + } + ], + "id": "CVE-2021-25217", + "updated": "2023-11-07T03:31:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-25T15:54:42Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-158", + "value": "0:4.2.4-7ubuntu12.13+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5085" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25313" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7811" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5314" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5320-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-25313" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2280.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5244" + } + ], + "bom-ref": "vuln-200", + "ratings": [ + { + "severity": "none", + "score": 0.00641, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25313" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-25313.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313" + } + } + ], + "created": "2022-02-18T05:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-25313", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313" + }, + "cwes": [ + 674 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:44:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484291" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13734" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + } + ], + "bom-ref": "vuln-201", + "ratings": [ + { + "severity": "none", + "score": 0.00092, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13734" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13734" + } + }, + { + "severity": "info", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13734.html" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13734", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13734" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2018-10-21T10:29:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873762" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13685" + } + ], + "bom-ref": "vuln-202", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13685" + } + }, + { + "severity": "info", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13685.html" + } + }, + { + "severity": "none", + "score": 0.00621, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13685" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-42" + } + ], + "id": "CVE-2017-13685", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13685" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2017-08-31T01:29:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/" + }, + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1837.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4752" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4752" + } + ], + "bom-ref": "vuln-203", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4752" + } + }, + { + "severity": "none", + "score": 0.00055, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4752" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4752.html" + } + } + ], + "created": "2023-09-04T14:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.1858.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4752", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4752" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-01T17:59:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T16:40:08Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://support.apple.com/kb/HT213343" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://support.apple.com/kb/HT213183" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-4193" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-4193" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0366" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1557.html" + } + ], + "bom-ref": "vuln-204", + "ratings": [ + { + "severity": "none", + "score": 0.00119, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-4193" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-4193.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4193" + } + } + ], + "created": "2021-12-31T16:15:07Z", + "description": "vim is vulnerable to Out-of-bounds Read", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-4193", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4193" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:40:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0351" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1567.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + } + ], + "bom-ref": "vuln-205", + "ratings": [ + { + "severity": "none", + "score": 0.00077, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0351" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0351" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0351.html" + } + } + ], + "created": "2022-01-25T18:15:08Z", + "description": "Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0351", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0351" + }, + "cwes": [ + 786, + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-11-09T19:20:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4335-1/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3756" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3210" + }, + { + "url": "https://usn.ubuntu.com/4165-1/" + }, + { + "url": "https://support.apple.com/kb/HT210785" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3237" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://support.apple.com/kb/HT210789" + }, + { + "url": "https://support.apple.com/kb/HT210788" + }, + { + "url": "https://seclists.org/bugtraq/2019/Dec/21" + }, + { + "url": "https://seclists.org/bugtraq/2019/Dec/23" + }, + { + "url": "https://security.gentoo.org/glsa/201911-08" + }, + { + "url": "https://usn.ubuntu.com/4132-2/" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4549" + }, + { + "url": "https://usn.ubuntu.com/4202-1/" + }, + { + "url": "https://support.apple.com/kb/HT210790" + }, + { + "url": "https://seclists.org/bugtraq/2019/Nov/24" + }, + { + "url": "https://seclists.org/bugtraq/2019/Sep/37" + }, + { + "url": "https://support.apple.com/kb/HT210795" + }, + { + "url": "https://support.apple.com/kb/HT210794" + }, + { + "url": "https://support.apple.com/kb/HT210793" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4571" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Sep/30" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/29" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4530" + }, + { + "url": "https://seclists.org/bugtraq/2019/Nov/1" + }, + { + "url": "https://seclists.org/bugtraq/2019/Dec/17" + }, + { + "url": "https://usn.ubuntu.com/4132-1/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3952" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1513.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4165-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4132-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4335-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4484" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4132-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3193" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-15903" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2646" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1459.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2644" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3196" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1376.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4202-1" + }, + { + "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4852-1" + } + ], + "bom-ref": "vuln-206", + "references": [ + { + "id": "USN-4132-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4132-2" + } + } + ], + "created": "2019-09-04T06:15:10Z", + "description": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", + "affects": [ + { + "ref": "comp-167" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" + }, + "cwes": [ + 125, + 776 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15903.html" + } + }, + { + "severity": "none", + "score": 0.00505, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-15903" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903" + } + } + ], + "id": "CVE-2019-15903", + "updated": "2023-11-07T03:05:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/" + }, + { + "url": "https://support.apple.com/kb/HT214057" + }, + { + "url": "https://support.apple.com/kb/HT214036" + }, + { + "url": "https://support.apple.com/kb/HT214058" + }, + { + "url": "https://support.apple.com/kb/HT214063" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2287.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7626" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7625" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5700" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6745" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5763" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASECS-2023-016.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-420.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-38546" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6292" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6429-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6429-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6429-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2101" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-377.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38546" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7540" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1601" + } + ], + "bom-ref": "vuln-207", + "references": [ + { + "id": "USN-6429-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6429-2" + } + } + ], + "ratings": [ + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38546" + } + }, + { + "severity": "none", + "score": 0.00081, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38546" + } + }, + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-38546.html" + } + } + ], + "created": "2023-10-18T04:15:11Z", + "description": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.\n", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "id": "CVE-2023-38546", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38546" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-01-26T17:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:37:17Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm17" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm17" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484274" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13728" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + } + ], + "bom-ref": "vuln-208", + "ratings": [ + { + "severity": "info", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13728.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728" + } + }, + { + "severity": "none", + "score": 0.00563, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13728" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13728", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:38:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@" + }, + { + "url": "https://security.gentoo.org/glsa/202003-26" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3520" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1169.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1169.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-5010" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921040" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2030" + } + ], + "bom-ref": "vuln-209", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5010.html" + } + }, + { + "severity": "none", + "score": 0.01845, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5010" + } + } + ], + "created": "2019-10-31T21:15:13Z", + "description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2019-5010", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:11:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://hackerone.com/reports/1613943" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://support.apple.com/kb/HT213603" + }, + { + "url": "https://support.apple.com/kb/HT213604" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5587-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2478" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2963" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-35252" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0428" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1875.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1646.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8840" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35252" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8841" + } + ], + "bom-ref": "vuln-210", + "references": [ + { + "id": "USN-5587-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5587-1" + } + } + ], + "created": "2022-09-23T14:15:12Z", + "description": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252" + } + }, + { + "severity": "low", + "score": 3.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-35252.html" + } + }, + { + "severity": "none", + "score": 0.00146, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35252" + } + } + ], + "id": "CVE-2022-35252", + "updated": "2024-03-27T15:00:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:13Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3520" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3335" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/29" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2030" + }, + { + "url": "https://security.gentoo.org/glsa/202003-26" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/" + }, + { + "url": "https://bugs.python.org/issue35907" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1700" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1268" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1324.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1291.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1462" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1346" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1258.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9948" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + } + ], + "bom-ref": "vuln-211", + "ratings": [ + { + "severity": "critical", + "score": 9.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9948" + } + }, + { + "severity": "none", + "score": 0.0046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9948" + } + }, + { + "severity": "medium", + "score": 9.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9948.html" + } + } + ], + "created": "2019-03-23T18:29:02Z", + "description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2019-9948", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9948" + }, + "cwes": [ + 22 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:13:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-11T23:22:21Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4360-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W226TSCJBEOXDUFVKNWNH7ETG7AR6MCS/" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4741" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CQQRRGBQCAWNCCJ2HN3W5SSCZ4QGMXQI/" + }, + { + "url": "https://usn.ubuntu.com/4360-4/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00034.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBR36IXYBHITAZFB5PFBJTED22WO5ONB/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00032.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00031.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00023.html" + }, + { + "url": "https://security.gentoo.org/glsa/202006-13" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4360-4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-12762" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960326" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1086" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6976" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-12762" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1154" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4382" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-205.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4360-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1381.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1442.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0573" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-232.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6431" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0411" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2079.html" + } + ], + "bom-ref": "vuln-212", + "references": [ + { + "id": "USN-4360-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4360-1" + } + }, + { + "id": "USN-4360-4", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4360-4" + } + } + ], + "created": "2020-05-09T18:15:11Z", + "description": "json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.", + "affects": [ + { + "ref": "comp-206" + }, + { + "ref": "comp-207" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762" + }, + "cwes": [ + 787, + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-12762" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12762.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762" + } + } + ], + "id": "CVE-2020-12762", + "updated": "2023-11-07T03:15:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-206", + "value": "0:0.11-3ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-207", + "value": "0:0.11-3ubuntu1.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2182" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2182" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-213", + "ratings": [ + { + "severity": "none", + "score": 0.00131, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2182" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2182" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2182.html" + } + } + ], + "created": "2022-06-23T18:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2182", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2182" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "bom-ref": "vuln-214", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2020-06-01T17:05:10Z", + "description": "USN-4377-1 updated ca-certificates. This update provides\nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\n The ca-certificates package contained an expired CA certificate that caused\n connectivity issues. This update removes the \"AddTrust External Root\" CA.\n\n In addition, on Ubuntu 12.04 ESM and Ubuntu 14.04 ESM, this update\n refreshes the included certificates to those contained in the 20190110\n package.\n", + "affects": [ + { + "ref": "comp-30" + } + ], + "id": "USN-4377-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4377-2" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-30", + "value": "0:20190110~14.04.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2231" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-215", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2231" + } + }, + { + "severity": "none", + "score": 0.00119, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2231" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2231.html" + } + } + ], + "created": "2022-06-28T20:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2231", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2231" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2069726" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7720" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010263" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5464-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1884.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8361" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1304" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1304" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-044.html" + } + ], + "bom-ref": "vuln-216", + "references": [ + { + "id": "USN-5464-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5464-1" + } + } + ], + "created": "2022-04-14T21:15:08Z", + "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", + "affects": [ + { + "ref": "comp-276" + }, + { + "ref": "comp-273" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304" + }, + "cwes": [ + 125, + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1304.html" + } + }, + { + "severity": "none", + "score": 0.00065, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1304" + } + } + ], + "id": "CVE-2022-1304", + "updated": "2023-11-07T03:41:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:39Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-276", + "value": "0:1.42.9-3ubuntu1.3+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-273", + "value": "0:1.42.9-3ubuntu1.3+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DU26T75PYA3OF7XJGNKMT2ZCQEU4UKP5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN4EX7BPQU7RP6PXCNCSDORUZBXQ4JUH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3903" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3903" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1557.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5147-1" + } + ], + "bom-ref": "vuln-217", + "ratings": [ + { + "severity": "none", + "score": 0.00054, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3903" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3903" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3903.html" + } + } + ], + "created": "2021-10-27T21:15:08Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2021-3903", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3903" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:38:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213675" + }, + { + "url": "https://support.apple.com/kb/HT213677" + }, + { + "url": "https://support.apple.com/kb/HT213670" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EX6N2DB75A73MQGVW3CS4VTNPAYVM2M/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5836-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0433" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1703.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0433" + } + ], + "bom-ref": "vuln-218", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0433.html" + } + }, + { + "severity": "none", + "score": 0.0008, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0433" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0433" + } + } + ], + "created": "2023-01-21T15:15:10Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-0433", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0433" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:00:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T09:48:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48234" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1902.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-219", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48234.html" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48234" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48234" + } + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48234", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48234" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:33:46Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1621" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1621" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5319" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5242" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-220", + "ratings": [ + { + "severity": "none", + "score": 0.00355, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1621" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1621.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1621" + } + } + ], + "created": "2022-05-10T14:15:08Z", + "description": "Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1621", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1621" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:42:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T09:47:53Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1619" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1619" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-221", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1619.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1619" + } + }, + { + "severity": "none", + "score": 0.0104, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1619" + } + } + ], + "created": "2022-05-08T10:15:07Z", + "description": "Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1619", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1619" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:42:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T09:47:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JJNUS4AEVYSEJMCK6JZB57QHD5V2G4O/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2000" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5516-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-222", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2000" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2000.html" + } + }, + { + "severity": "none", + "score": 0.0018, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2000" + } + } + ], + "created": "2022-06-09T16:15:08Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2000", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2000" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://hackerone.com/reports/1764858" + }, + { + "url": "https://support.apple.com/kb/HT213670" + }, + { + "url": "https://security.gentoo.org/glsa/202310-12" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2478" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2963" + }, + { + "url": "https://support.microsoft.com/help/5025229" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025229" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026830" + }, + { + "url": "https://support.microsoft.com/help/5025239" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3355" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3354" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7743" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5788-1" + }, + { + "url": "https://support.microsoft.com/help/5025221" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1924.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5894-1" + }, + { + "url": "https://support.microsoft.com/help/5025224" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0428" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025230" + }, + { + "url": "https://support.microsoft.com/help/5025230" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-43552" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1729.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025224" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025221" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025239" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-43552" + } + ], + "bom-ref": "vuln-223", + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-43552.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552" + } + }, + { + "severity": "none", + "score": 0.00104, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43552" + } + } + ], + "created": "2023-02-09T20:15:10Z", + "description": "A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "id": "CVE-2022-43552", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-27T14:55:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:13Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2380.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6684-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50495" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-466.html" + } + ], + "bom-ref": "vuln-224", + "references": [ + { + "id": "USN-6684-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6684-1" + } + } + ], + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-50495.html" + } + }, + { + "severity": "none", + "score": 0.00052, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50495" + } + } + ], + "created": "2023-12-12T15:15:07Z", + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "affects": [ + { + "ref": "comp-150" + }, + { + "ref": "comp-152" + } + ], + "id": "CVE-2023-50495", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-31T03:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm5" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2019:3278" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3754" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3755" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPLAM57TPJQGKQMNG6RHFBLACD6K356N/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3895" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3197" + }, + { + "url": "https://security.gentoo.org/glsa/202003-12" + }, + { + "url": "https://usn.ubuntu.com/4154-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUVAOZBYUHZS56A5FQSCDVGXT7PW7FL2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IP7SIOAVLSKJGMTIULX52VQUPTVSC43U/" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4543" + }, + { + "url": "https://support.f5.com/csp/article/K53746212?utm_source=f5support&utm_medium=RSS" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3209" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2019:3248" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3941" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0388" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/20" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3205" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/21" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3204" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00022.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:4191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3916" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3219" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4154-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1309.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1315.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942322" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-14287" + } + ], + "bom-ref": "vuln-225", + "references": [ + { + "id": "USN-4154-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4154-1" + } + } + ], + "created": "2019-10-17T18:15:12Z", + "description": "In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a \"sudo -u \\#$((0xffffffff))\" command.", + "affects": [ + { + "ref": "comp-102" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14287" + }, + "cwes": [ + 755 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.30814, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14287" + } + }, + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14287.html" + } + }, + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14287" + } + } + ], + "id": "CVE-2019-14287", + "updated": "2023-11-07T03:04:52Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:07:30Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202101-28" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5477-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6099-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-17594" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4426" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2412.html" + } + ], + "bom-ref": "vuln-226", + "ratings": [ + { + "severity": "none", + "score": 0.00055, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-17594" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17594" + } + }, + { + "severity": "info", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17594.html" + } + } + ], + "created": "2019-10-14T21:15:11Z", + "description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + } + ], + "id": "CVE-2019-17594", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17594" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2021-02-10T15:13:31Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2022-3437" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137774" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html" + }, + { + "url": "https://security.gentoo.org/glsa/202310-06" + }, + { + "url": "https://www.samba.org/samba/security/CVE-2022-3437.html" + }, + { + "url": "https://security.gentoo.org/glsa/202309-06" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-032.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5800-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5822-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5822-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5936-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3437" + } + ], + "bom-ref": "vuln-227", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3437.html" + } + }, + { + "severity": "none", + "score": 0.00995, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3437" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3437" + } + } + ], + "created": "2023-01-12T15:15:10Z", + "description": "A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.", + "affects": [ + { + "ref": "comp-99" + }, + { + "ref": "comp-97" + }, + { + "ref": "comp-91" + }, + { + "ref": "comp-98" + } + ], + "id": "CVE-2022-3437", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3437" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-22T16:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T18:45:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-91", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-98", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00015.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-151.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-1175" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1175" + } + ], + "bom-ref": "vuln-228", + "ratings": [ + { + "severity": "none", + "score": 0.00056, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1175" + } + }, + { + "severity": "medium", + "score": 6.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1175" + } + }, + { + "severity": "medium", + "score": 6.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-1175.html" + } + } + ], + "created": "2023-03-04T16:15:09Z", + "description": "Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-1175", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1175" + }, + "cwes": [ + 131 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:02:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T12:28:27Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/develop/develop-images/instructions/" + } + ], + "bom-ref": "vuln-229", + "ratings": [ + { + "severity": "info", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "apt-get layer caching: Using apt-get update alone in a RUN statement causes caching issues and subsequent apt-get install instructions to fail.", + "affects": [ + { + "ref": "comp-284" + } + ], + "id": "IN-DOCKER-001", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4333-2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1727276" + }, + { + "url": "https://usn.ubuntu.com/4333-1/" + }, + { + "url": "https://bugs.python.org/issue30458" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4333-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4333-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4285" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-18348" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4273" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-18348" + } + ], + "bom-ref": "vuln-230", + "references": [ + { + "id": "USN-4333-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4333-1" + } + } + ], + "created": "2019-10-23T17:15:12Z", + "description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18348" + }, + "cwes": [ + 74 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00284, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18348" + } + }, + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18348.html" + } + }, + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18348" + } + } + ], + "id": "CVE-2019-18348", + "updated": "2023-11-07T03:06:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2580" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2580" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-231", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2580" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2580.html" + } + }, + { + "severity": "none", + "score": 0.00074, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2580" + } + } + ], + "created": "2022-08-01T15:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2580", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2580" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-08-04T23:30:38Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYC22GGZ6QA66HLNLHCTAJU265TT3O33/" + }, + { + "url": "https://support.apple.com/kb/HT213670" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0288" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5836-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1703.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0288" + } + ], + "bom-ref": "vuln-232", + "ratings": [ + { + "severity": "none", + "score": 0.00071, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0288" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0288" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0288.html" + } + } + ], + "created": "2023-01-13T16:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-0288", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0288" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:00:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T10:14:08Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2874" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2874" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-233", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2874" + } + }, + { + "severity": "none", + "score": 0.00084, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2874" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2874.html" + } + } + ], + "created": "2022-08-18T16:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2874", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2874" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0714" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0714" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + } + ], + "bom-ref": "vuln-234", + "ratings": [ + { + "severity": "none", + "score": 0.00074, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0714" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0714.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0714" + } + } + ], + "created": "2022-02-22T20:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0714", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0714" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:31Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-22365" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2435.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-502.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061097" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6588-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2438" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6588-2" + } + ], + "bom-ref": "vuln-235", + "references": [ + { + "id": "USN-6588-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6588-2" + } + } + ], + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22365" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-22365.html" + } + } + ], + "created": "2024-02-06T08:15:52Z", + "description": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", + "affects": [ + { + "ref": "comp-191" + }, + { + "ref": "comp-192" + }, + { + "ref": "comp-190" + }, + { + "ref": "comp-193" + } + ], + "id": "CVE-2024-22365", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-14T00:27:40Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T04:51:42Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-191", + "value": "0:1.1.8-1ubuntu2.2+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-192", + "value": "0:1.1.8-1ubuntu2.2+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-190", + "value": "0:1.1.8-1ubuntu2.2+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-193", + "value": "0:1.1.8-1ubuntu2.2+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/201909-08" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2870" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jun/16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4462" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2868" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3707" + }, + { + "url": "https://usn.ubuntu.com/4015-2/" + }, + { + "url": "https://usn.ubuntu.com/4015-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1726" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4015-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4015-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930375" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-12749" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1870.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4032" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1246.html" + } + ], + "bom-ref": "vuln-236", + "references": [ + { + "id": "USN-4015-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4015-2" + } + } + ], + "created": "2019-06-11T17:29:00Z", + "description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "affects": [ + { + "ref": "comp-110" + }, + { + "ref": "comp-109" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12749" + }, + "cwes": [ + 59 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00048, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12749" + } + }, + { + "severity": "high", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12749" + } + }, + { + "severity": "medium", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12749.html" + } + } + ], + "id": "CVE-2019-12749", + "updated": "2023-11-07T03:03:40Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-110", + "value": "0:1.6.18-0ubuntu4.5+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-109", + "value": "0:1.6.18-0ubuntu4.5+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4309-1/" + }, + { + "url": "https://security.gentoo.org/glsa/201706-26" + }, + { + "url": "https://usn.ubuntu.com/4016-1/" + }, + { + "url": "https://groups.google.com/forum/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4016-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854969" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-5953" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4309-1" + } + ], + "bom-ref": "vuln-237", + "ratings": [ + { + "severity": "none", + "score": 0.0104, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-5953" + } + }, + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5953.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5953" + } + } + ], + "created": "2017-02-10T07:59:00Z", + "description": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-160" + } + ], + "id": "CVE-2017-5953", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5953" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:49:47Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "2:7.4.052-1ubuntu3.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/cve-2013-4235" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235" + }, + { + "url": "https://security.gentoo.org/glsa/202210-26" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2013-4235" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1998169" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5745-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2013-4235" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5745-1" + } + ], + "bom-ref": "vuln-238", + "references": [ + { + "id": "USN-5745-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5745-1" + } + } + ], + "created": "2019-12-03T15:15:10Z", + "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "affects": [ + { + "ref": "comp-268" + }, + { + "ref": "comp-267" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235" + }, + "cwes": [ + 367 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235" + } + }, + { + "severity": "low", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html" + } + }, + { + "severity": "none", + "score": 0.00047, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2013-4235" + } + } + ], + "id": "CVE-2013-4235", + "updated": "2023-02-13T00:28:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-268", + "value": "1:4.1.5.1-1ubuntu9.5+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-267", + "value": "1:4.1.5.1-1ubuntu9.5+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995234" + }, + { + "url": "https://bugs.python.org/issue43075" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://ubuntu.com/security/CVE-2021-3733" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4160" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5200-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1764" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3733" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1663" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3733" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5199-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1593.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5083-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3254" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4057" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-239", + "references": [ + { + "id": "USN-5083-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5083-1" + } + } + ], + "created": "2022-03-10T17:42:59Z", + "description": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733" + }, + "cwes": [ + 400 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00265, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3733" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3733.html" + } + } + ], + "id": "CVE-2021-3733", + "updated": "2023-06-30T23:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3352" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + } + ], + "bom-ref": "vuln-240", + "ratings": [ + { + "severity": "none", + "score": 0.00097, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3352" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3352" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3352.html" + } + } + ], + "created": "2022-09-29T12:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0614.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3352", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3352" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:51:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:06:37Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHFAR6OY6G77M6GXCJT75A4KITLNR6GO/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2816" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2816" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-241", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2816" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2816.html" + } + }, + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2816" + } + } + ], + "created": "2022-08-15T22:15:08Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2816", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2816" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4128" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2932" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3355" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3421" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3354" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3420" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1199" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1405" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0946" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3408" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1934.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0215" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1683.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-101.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2165" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + } + ], + "bom-ref": "vuln-242", + "references": [ + { + "id": "USN-5845-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5845-2" + } + } + ], + "created": "2023-02-08T20:15:24Z", + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "affects": [ + { + "ref": "comp-232" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215" + } + }, + { + "severity": "none", + "score": 0.00365, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0215" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0215.html" + } + } + ], + "id": "CVE-2023-0215", + "updated": "2024-02-04T09:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:13Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5330" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://hackerone.com/reports/1704017" + }, + { + "url": "https://support.apple.com/kb/HT213604" + }, + { + "url": "https://support.apple.com/kb/HT213605" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4139" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5702-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5823-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0333" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5702-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-32221" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1882.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8840" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8841" + } + ], + "bom-ref": "vuln-243", + "references": [ + { + "id": "USN-5702-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5702-2" + } + } + ], + "created": "2022-12-05T22:15:10Z", + "description": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221" + }, + "cwes": [ + 668, + 200 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221" + } + }, + { + "severity": "none", + "score": 0.00666, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-32221" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-32221.html" + } + } + ], + "id": "CVE-2022-32221", + "updated": "2024-03-27T15:00:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2284" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2284" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-244", + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2284.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2284" + } + }, + { + "severity": "none", + "score": 0.00131, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2284" + } + } + ], + "created": "2022-07-02T15:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2284", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2284" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026831" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-4415" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-025.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-4415" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0954" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5928-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1105" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0837" + } + ], + "bom-ref": "vuln-245", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-4415.html" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-4415" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415" + } + } + ], + "created": "2023-01-11T15:15:09Z", + "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", + "affects": [ + { + "ref": "comp-16" + }, + { + "ref": "comp-17" + } + ], + "id": "CVE-2022-4415", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415" + }, + "cwes": [ + 200 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-02-02T16:19:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:31Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-16", + "value": "0:204-5ubuntu20.31+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-17", + "value": "0:204-5ubuntu20.31+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/" + }, + { + "url": "https://support.apple.com/kb/HT212147" + }, + { + "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@" + }, + { + "url": "https://bugs.gentoo.org/717920" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://support.apple.com/kb/HT211931" + }, + { + "url": "https://www.pcre.org/original/changelog.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963086" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4614" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4373" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-14155" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-14155" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5425-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4613" + } + ], + "bom-ref": "vuln-246", + "references": [ + { + "id": "USN-5425-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5425-1" + } + } + ], + "created": "2020-06-15T17:15:10Z", + "description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.", + "affects": [ + { + "ref": "comp-38" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14155" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00611, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-14155" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14155" + } + }, + { + "severity": "info", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14155.html" + } + } + ], + "id": "CVE-2020-14155", + "updated": "2024-03-27T16:04:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-38", + "value": "1:8.31-2ubuntu2.3+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3134" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3134" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-247", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3134" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3134.html" + } + }, + { + "severity": "none", + "score": 0.00067, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3134" + } + } + ], + "created": "2022-09-06T20:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0389.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3134", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3134" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:05:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://ubuntu.com/security/CVE-2021-3737" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995162" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://bugs.python.org/issue44022" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4160" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3737" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5201-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5200-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1986" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1764" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1663" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3737" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5199-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1593.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5083-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-248", + "ratings": [ + { + "severity": "none", + "score": 0.01559, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3737" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3737.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737" + } + } + ], + "created": "2022-03-04T19:15:08Z", + "description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2021-3737", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737" + }, + "cwes": [ + 400, + 835 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:38:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://manpages.debian.org/stretch/apt/apt.8.en.html" + } + ], + "bom-ref": "vuln-249", + "ratings": [ + { + "severity": "info", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Use of apt: 'apt' does not have a stable CLI interface for non-interactive use.", + "affects": [ + { + "ref": "comp-284" + } + ], + "id": "IN-DOCKER-004", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3235" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3235" + } + ], + "bom-ref": "vuln-250", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3235" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3235.html" + } + }, + { + "severity": "none", + "score": 0.00097, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3235" + } + } + ], + "created": "2022-09-18T20:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0490.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3235", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3235" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:50:59Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-22827" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22827" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + } + ], + "bom-ref": "vuln-251", + "ratings": [ + { + "severity": "none", + "score": 0.00772, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22827" + } + }, + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827" + } + }, + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-22827.html" + } + } + ], + "created": "2022-01-10T14:12:57Z", + "description": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-22827", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-10-06T12:52:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2889" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2889" + } + ], + "bom-ref": "vuln-252", + "ratings": [ + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2889" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2889" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2889.html" + } + } + ], + "created": "2022-08-19T13:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0225.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2889", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2889" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:47:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1464687" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-10684" + } + ], + "bom-ref": "vuln-253", + "references": [ + { + "id": "USN-5448-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5448-1" + } + } + ], + "created": "2017-06-29T23:29:00Z", + "description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10684" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10684.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10684" + } + }, + { + "severity": "none", + "score": 0.0222, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-10684" + } + } + ], + "id": "CVE-2017-10684", + "updated": "2023-11-07T02:38:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0729" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0729" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + } + ], + "bom-ref": "vuln-254", + "ratings": [ + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0729" + } + }, + { + "severity": "none", + "score": 0.00283, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0729" + } + }, + { + "severity": "low", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0729.html" + } + } + ], + "created": "2022-02-23T14:15:08Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0729", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0729" + }, + "cwes": [ + 823, + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-16156" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5689-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5689-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015985" + } + ], + "bom-ref": "vuln-255", + "references": [ + { + "id": "USN-5689-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5689-1" + } + } + ], + "created": "2021-12-13T18:15:07Z", + "description": "CPAN 2.28 allows Signature Verification Bypass.", + "affects": [ + { + "ref": "comp-194" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156" + }, + "cwes": [ + 347 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-16156.html" + } + }, + { + "severity": "none", + "score": 0.00165, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-16156" + } + } + ], + "id": "CVE-2020-16156", + "updated": "2023-11-07T03:18:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-194", + "value": "0:5.18.2-2ubuntu1.7+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4309-1/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20079" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-20079" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4309-1" + } + ], + "bom-ref": "vuln-256", + "ratings": [ + { + "severity": "none", + "score": 0.00092, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20079" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-20079.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20079" + } + } + ], + "created": "2019-12-30T01:15:12Z", + "description": "The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-160" + } + ], + "id": "CVE-2019-20079", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20079" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2020-10-20T16:04:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-10T12:21:49Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "2:7.4.052-1ubuntu3.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0443" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0443" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + } + ], + "bom-ref": "vuln-257", + "references": [ + { + "id": "USN-6026-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6026-1" + } + } + ], + "created": "2022-02-02T21:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0443" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00098, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0443" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0443.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0443" + } + } + ], + "id": "CVE-2022-0443", + "updated": "2023-11-07T03:41:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/" + }, + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1837.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4750" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4750" + } + ], + "bom-ref": "vuln-258", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4750" + } + }, + { + "severity": "none", + "score": 0.00056, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4750" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4750.html" + } + } + ], + "created": "2023-09-04T14:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.1857.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4750", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4750" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-01T18:01:58Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/" + }, + { + "url": "https://metacpan.org/dist/CPAN/changes" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6539" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2034.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-178.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-182.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035109" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6112-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6112-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-31484" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1751.html" + } + ], + "bom-ref": "vuln-259", + "references": [ + { + "id": "USN-6112-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6112-1" + } + } + ], + "created": "2023-04-29T00:15:09Z", + "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", + "affects": [ + { + "ref": "comp-194" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484" + }, + "cwes": [ + 295 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484" + } + }, + { + "severity": "none", + "score": 0.00253, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31484" + } + }, + { + "severity": "medium", + "score": 8.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-31484.html" + } + } + ], + "id": "CVE-2023-31484", + "updated": "2023-11-07T04:14:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:26:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-194", + "value": "0:5.18.2-2ubuntu1.7+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4735" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1826.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4735" + } + ], + "bom-ref": "vuln-260", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4735" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4735" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4735.html" + } + } + ], + "created": "2023-09-02T18:15:20Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4735", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4735" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-22T17:54:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "bom-ref": "vuln-261", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2020-05-15T12:59:57Z", + "description": "USN-4360-1 fixed a vulnerability in json-c. The security fix introduced\na memory leak in some scenarios. This update reverts the security fix\npending further investigation.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that json-c incorrectly handled certain JSON files.\n An attacker could possibly use this issue to execute arbitrary code.\n", + "affects": [ + { + "ref": "comp-207" + }, + { + "ref": "comp-206" + } + ], + "id": "USN-4360-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4360-3" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-207", + "value": "0:0.11-3ubuntu1.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-206", + "value": "0:0.11-3ubuntu1.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2210" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2210" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5516-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-262", + "ratings": [ + { + "severity": "none", + "score": 0.00124, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2210" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2210" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2210.html" + } + } + ], + "created": "2022-06-27T16:15:08Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2210", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2210" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4309-1/" + }, + { + "url": "https://security.gentoo.org/glsa/201706-26" + }, + { + "url": "https://groups.google.com/forum/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856266" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-6349" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4309-1" + } + ], + "bom-ref": "vuln-263", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6349" + } + }, + { + "severity": "none", + "score": 0.00939, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-6349" + } + }, + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6349.html" + } + } + ], + "created": "2017-02-27T07:59:00Z", + "description": "An integer overflow at a u_read_undo memory allocation site would occur for vim before patch 8.0.0377, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-160" + } + ], + "id": "CVE-2017-6349", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6349" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:49:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "2:7.4.052-1ubuntu3.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://kernel.org/pub/linux/libs/klibc/2.0/" + }, + { + "url": "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-31873" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5379-1" + } + ], + "bom-ref": "vuln-264", + "ratings": [ + { + "severity": "low", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-31873.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31873" + } + }, + { + "severity": "none", + "score": 0.00654, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-31873" + } + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. Additions in the malloc() function may result in an integer overflow and a subsequent heap buffer overflow.", + "affects": [ + { + "ref": "comp-184" + }, + { + "ref": "comp-185" + } + ], + "id": "CVE-2021-31873", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31873" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T22:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2345" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5775-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2345" + } + ], + "bom-ref": "vuln-265", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2345.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2345" + } + }, + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2345" + } + } + ], + "created": "2022-07-08T22:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0046.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2345", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2345" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT214038" + }, + { + "url": "https://support.apple.com/kb/HT214036" + }, + { + "url": "https://support.apple.com/kb/HT214037" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00033.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-19189" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6451-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2412.html" + } + ], + "bom-ref": "vuln-266", + "references": [ + { + "id": "USN-6451-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6451-1" + } + } + ], + "created": "2023-08-22T19:16:01Z", + "description": "Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.", + "affects": [ + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19189" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-19189.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19189" + } + }, + { + "severity": "none", + "score": 0.00296, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-19189" + } + } + ], + "id": "CVE-2020-19189", + "updated": "2023-12-13T01:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1464686" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-11112" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html" + } + ], + "bom-ref": "vuln-267", + "ratings": [ + { + "severity": "info", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11112.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11112" + } + }, + { + "severity": "none", + "score": 0.00231, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-11112" + } + } + ], + "created": "2017-07-08T17:29:00Z", + "description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-11112", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11112" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2018-10-21T10:29:05Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch" + }, + { + "url": "https://security.gentoo.org/glsa/202209-01" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2022-1271" + }, + { + "url": "https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2022-1271" + }, + { + "url": "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073310" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1271" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1537" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1782.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-042.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1676" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4991" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5378-4" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009167" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4940" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:2191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5439" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-043.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1590.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1665" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5052" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1271" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4582" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5378-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5378-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5378-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1592" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4992" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4993" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4994" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4896" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1598.html" + } + ], + "bom-ref": "vuln-268", + "references": [ + { + "id": "USN-5378-4", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5378-4" + } + } + ], + "created": "2022-08-31T16:15:09Z", + "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", + "affects": [ + { + "ref": "comp-29" + }, + { + "ref": "comp-28" + }, + { + "ref": "comp-117" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271" + }, + "cwes": [ + 20, + 179 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1271.html" + } + }, + { + "severity": "none", + "score": 0.00715, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1271" + } + }, + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271" + } + } + ], + "id": "CVE-2022-1271", + "updated": "2023-11-07T03:41:52Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-29", + "value": "0:5.1.1alpha+20120614-2ubuntu2.14.04.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-28", + "value": "0:5.1.1alpha+20120614-2ubuntu2.14.04.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-117", + "value": "0:1.6-3ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JYEK5RNMH7MVQH6RPBKLSCCA6NMIKHDV/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JCW33NOLMELTTTDJH7WGDIFJZ5YEEMK/" + }, + { + "url": "https://support.apple.com/kb/HT213605" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3705" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1902.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3705" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1663.html" + } + ], + "bom-ref": "vuln-269", + "ratings": [ + { + "severity": "none", + "score": 0.00445, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3705" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3705.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3705" + } + } + ], + "created": "2022-10-26T20:15:10Z", + "description": "A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3705", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3705" + }, + "cwes": [ + 119, + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:51:39Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://hackerone.com/reports/948876" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4881" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202012-14" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1444.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968831" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-8231" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1693.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4466-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4466-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1610" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8231" + } + ], + "bom-ref": "vuln-270", + "references": [ + { + "id": "USN-4466-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4466-2" + } + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8231.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231" + } + }, + { + "severity": "none", + "score": 0.00265, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-8231" + } + } + ], + "id": "CVE-2020-8231", + "updated": "2024-03-27T16:04:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm5" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5942" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5813" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5507-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1897" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-271", + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1897.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1897" + } + }, + { + "severity": "none", + "score": 0.00128, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1897" + } + } + ], + "created": "2022-05-27T15:15:07Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1897", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1897" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:42:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2581" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5775-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2581" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + } + ], + "bom-ref": "vuln-272", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2581" + } + }, + { + "severity": "none", + "score": 0.00074, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2581" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2581.html" + } + } + ], + "created": "2022-08-01T15:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2581", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2581" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-08-04T23:30:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2206" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2206" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-273", + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2206.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2206" + } + }, + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2206" + } + } + ], + "created": "2022-06-26T19:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2206", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2206" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202310-06" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5287" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-41916" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41916" + } + ], + "bom-ref": "vuln-274", + "references": [ + { + "id": "USN-5766-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5766-1" + } + } + ], + "created": "2022-11-15T23:15:27Z", + "description": "Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue.", + "affects": [ + { + "ref": "comp-94" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41916" + }, + "cwes": [ + 193 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-41916.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41916" + } + }, + { + "severity": "none", + "score": 0.00298, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-41916" + } + } + ], + "id": "CVE-2022-41916", + "updated": "2023-10-08T09:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-94", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://support.apple.com/kb/HT213670" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0051" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0051" + } + ], + "bom-ref": "vuln-275", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0051.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0051" + } + }, + { + "severity": "none", + "score": 0.00071, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0051" + } + } + ], + "created": "2023-01-04T18:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-0051", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0051" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-05-03T12:16:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T10:09:10Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0213" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1567.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + } + ], + "bom-ref": "vuln-276", + "ratings": [ + { + "severity": "medium", + "score": 6.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0213.html" + } + }, + { + "severity": "none", + "score": 0.00086, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0213" + } + }, + { + "severity": "medium", + "score": 6.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0213" + } + } + ], + "created": "2022-01-14T13:15:07Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0213", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0213" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-11-09T03:32:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3520" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3335" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/" + }, + { + "url": "https://bugs.python.org/issue36276" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://seclists.org/bugtraq/2019/Oct/29" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:1260" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:2030" + }, + { + "url": "https://security.gentoo.org/glsa/202003-26" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-9740" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1324.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1268" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1242.html" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1462" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1247.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1346" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1243.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1230.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1204.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + } + ], + "bom-ref": "vuln-277", + "ratings": [ + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9740.html" + } + }, + { + "severity": "medium", + "score": 6.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740" + } + }, + { + "severity": "none", + "score": 0.00353, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-9740" + } + } + ], + "created": "2019-03-13T03:29:00Z", + "description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2019-9740", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740" + }, + "cwes": [ + 93 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:13:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:28:04Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0368" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0368" + } + ], + "bom-ref": "vuln-278", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0368" + } + }, + { + "severity": "none", + "score": 0.00136, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0368" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0368.html" + } + } + ], + "created": "2022-01-26T18:15:08Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0368", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0368" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-11-09T03:52:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T13:17:18Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48233" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1902.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-279", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48233" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48233" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48233.html" + } + } + ], + "created": "2023-11-16T23:15:08Z", + "description": "Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48233", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48233" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:38:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2020/dsa-4606" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:4238" + }, + { + "url": "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html" + }, + { + "url": "https://usn.ubuntu.com/4298-2/" + }, + { + "url": "https://usn.ubuntu.com/4298-1/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-08" + }, + { + "url": "https://seclists.org/bugtraq/2020/Jan/27" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-13753" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1810" + } + ], + "bom-ref": "vuln-280", + "references": [ + { + "id": "USN-4298-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4298-2" + } + } + ], + "created": "2019-12-10T22:15:15Z", + "description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "affects": [ + { + "ref": "comp-42" + }, + { + "ref": "comp-43" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13753" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13753" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13753.html" + } + }, + { + "severity": "none", + "score": 0.00743, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13753" + } + } + ], + "id": "CVE-2019-13753", + "updated": "2023-11-07T03:04:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3153" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3153" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-281", + "ratings": [ + { + "severity": "none", + "score": 0.00084, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3153" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3153.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3153" + } + } + ], + "created": "2022-09-08T15:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3153", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3153" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0685" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + } + ], + "bom-ref": "vuln-282", + "ratings": [ + { + "severity": "none", + "score": 0.00098, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0685" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0685.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0685" + } + } + ], + "created": "2022-02-20T11:15:07Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0685", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0685" + }, + "cwes": [ + 823 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1579.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0894" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0413" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0413" + } + ], + "bom-ref": "vuln-283", + "ratings": [ + { + "severity": "none", + "score": 0.00098, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0413" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0413.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0413" + } + } + ], + "created": "2022-01-30T15:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0413", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0413" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1979.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5817-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-40897" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-245.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0952" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-40897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0835" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-003.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6793" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2196.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7395" + } + ], + "bom-ref": "vuln-284", + "references": [ + { + "id": "USN-5817-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5817-1" + } + } + ], + "created": "2022-12-23T00:15:13Z", + "description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", + "affects": [ + { + "ref": "comp-106" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897" + }, + "cwes": [ + 1333 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-40897.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897" + } + }, + { + "severity": "none", + "score": 0.00458, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40897" + } + } + ], + "id": "CVE-2022-40897", + "updated": "2023-11-07T03:52:38Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:13Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-106", + "value": "0:3.3-1ubuntu2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html" + }, + { + "url": "https://twitter.com/chris_bloke/status/1181997278136958976" + }, + { + "url": "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html" + }, + { + "url": "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html" + }, + { + "url": "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip" + }, + { + "url": "https://usn.ubuntu.com/4428-1/" + }, + { + "url": "https://twitter.com/LucasCMoore/status/1181615421922824192" + }, + { + "url": "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html" + }, + { + "url": "https://bugs.python.org/issue33275" + }, + { + "url": "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4428-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-17514" + } + ], + "bom-ref": "vuln-285", + "references": [ + { + "id": "USN-4428-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4428-1" + } + } + ], + "created": "2019-10-12T13:15:10Z", + "description": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17514" + }, + "cwes": [ + 682 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00328, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-17514" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17514" + } + }, + { + "severity": "info", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17514.html" + } + } + ], + "id": "CVE-2019-17514", + "updated": "2020-07-27T18:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22823" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-22823" + } + ], + "bom-ref": "vuln-286", + "ratings": [ + { + "severity": "none", + "score": 0.00991, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22823" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-22823.html" + } + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-22823", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-10-06T14:47:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UI44Y4LJLG34D4HNB6NTPLUPZREHAEL7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIQLVUSYHDN3644K6EFDI7PRZOTIKXM3/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-536.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-518.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-22667" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2452.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6698-1" + } + ], + "bom-ref": "vuln-287", + "references": [ + { + "id": "USN-6698-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6698-1" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.", + "affects": [ + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22667" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-22667.html" + } + } + ], + "id": "CVE-2024-22667", + "updated": "2024-02-23T16:15:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T04:12:02Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm16" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2286" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2286" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-288", + "ratings": [ + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2286" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2286" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2286.html" + } + } + ], + "created": "2022-07-02T19:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2286", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2286" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202310-06" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-45142" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5849-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030849" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-45142" + } + ], + "bom-ref": "vuln-289", + "references": [ + { + "id": "USN-5849-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5849-1" + } + } + ], + "created": "2023-03-06T23:15:11Z", + "description": "The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding \"!= 0\" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.", + "affects": [ + { + "ref": "comp-97" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45142" + }, + "cwes": [ + 354 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45142" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-45142.html" + } + }, + { + "severity": "none", + "score": 0.00065, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-45142" + } + } + ], + "id": "CVE-2022-45142", + "updated": "2023-10-08T09:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-22T19:46:09Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-22826" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22826" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + } + ], + "bom-ref": "vuln-290", + "ratings": [ + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826" + } + }, + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-22826.html" + } + }, + { + "severity": "none", + "score": 0.00739, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22826" + } + } + ], + "created": "2022-01-10T14:12:57Z", + "description": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-22826", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-10-06T12:44:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "bom-ref": "vuln-291", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2023-05-24T17:36:21Z", + "description": "USN-6105-1 updated ca-certificates. This provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n The ca-certificates package contained outdated CA certificates. This update\n refreshes the included certificates to those contained in the 2.60 version\n of the Mozilla certificate authority bundle.\n", + "affects": [ + { + "ref": "comp-30" + } + ], + "id": "USN-6105-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6105-2" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-30", + "value": "0:20230311~14.04.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT212177" + }, + { + "url": "https://security.gentoo.org/glsa/202101-33" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/794544" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4839" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/" + }, + { + "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM" + }, + { + "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10348" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1478.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0227" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0225" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0401" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3156" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0226" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0218" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4705-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0219" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4705-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0395" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0220" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0223" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0224" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0221" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0222" + } + ], + "bom-ref": "vuln-292", + "references": [ + { + "id": "USN-4705-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4705-2" + } + } + ], + "created": "2021-01-26T21:15:12Z", + "description": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character.", + "affects": [ + { + "ref": "comp-102" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3156" + }, + "cwes": [ + 193 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3156" + } + }, + { + "severity": "none", + "score": 0.96952, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3156" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3156.html" + } + } + ], + "id": "CVE-2021-3156", + "updated": "2024-02-04T09:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:34:59Z" + }, + { + "name": "amazon:inspector:sbom_scanner:cisa_kev_date_added", + "value": "2022-04-06T00:00:00Z" + }, + { + "name": "amazon:inspector:sbom_scanner:cisa_kev_date_due", + "value": "2022-04-27T00:00:00Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://support.apple.com/kb/HT212534" + }, + { + "url": "https://security.gentoo.org/glsa/202103-03" + }, + { + "url": "https://www.openssl.org/news/secadv/20210216.txt" + }, + { + "url": "https://support.apple.com/kb/HT212529" + }, + { + "url": "https://support.apple.com/kb/HT212528" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4855" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4198" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4745-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1482.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-23841" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4614" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1612.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4738-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1608.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4861" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4613" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3798" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4424" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3016" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1168" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4863" + } + ], + "bom-ref": "vuln-293", + "ratings": [ + { + "severity": "none", + "score": 0.00416, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23841" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-23841.html" + } + } + ], + "created": "2021-02-16T17:15:13Z", + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "affects": [ + { + "ref": "comp-232" + } + ], + "id": "CVE-2021-23841", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:30:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHJ6LCLHGGVI2U6ZHXHTZ2PYP4STC23N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RY3GEN2Q46ZJKSNHTN2XB6B3VAJBEILN/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3037" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3037" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-294", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3037.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3037" + } + }, + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3037" + } + } + ], + "created": "2022-08-30T21:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0322.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3037", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3037" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:50:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1893.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-431.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-46246" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2338.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-295", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46246" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46246" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-46246.html" + } + } + ], + "created": "2023-10-27T19:15:41Z", + "description": "Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.\n", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-46246", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46246" + }, + "cwes": [ + 190, + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-17T03:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4309-1/" + }, + { + "url": "https://security.gentoo.org/glsa/201706-26" + }, + { + "url": "https://groups.google.com/forum/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856266" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-6350" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4309-1" + } + ], + "bom-ref": "vuln-296", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6350" + } + }, + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6350.html" + } + }, + { + "severity": "none", + "score": 0.00939, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-6350" + } + } + ], + "created": "2017-02-27T07:59:00Z", + "description": "An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-160" + } + ], + "id": "CVE-2017-6350", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6350" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:49:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "2:7.4.052-1ubuntu3.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484276" + }, + { + "url": "https://security.gentoo.org/glsa/201804-13" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-13729" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5448-1" + } + ], + "bom-ref": "vuln-297", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13729" + } + }, + { + "severity": "none", + "score": 0.00224, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-13729" + } + }, + { + "severity": "info", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13729.html" + } + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", + "affects": [ + { + "ref": "comp-151" + }, + { + "ref": "comp-150" + }, + { + "ref": "comp-149" + }, + { + "ref": "comp-152" + }, + { + "ref": "comp-148" + } + ], + "id": "CVE-2017-13729", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13729" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T02:38:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-151", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-150", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-149", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-152", + "value": "0:5.9+20140118-1ubuntu1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:5.9+20140118-1ubuntu1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2175" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2175" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-298", + "ratings": [ + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2175" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2175" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2175.html" + } + } + ], + "created": "2022-06-23T13:15:07Z", + "description": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2175", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2175" + }, + "cwes": [ + 125, + 126 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5498-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1898" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1898" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-299", + "ratings": [ + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1898.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1898" + } + }, + { + "severity": "none", + "score": 0.00129, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1898" + } + } + ], + "created": "2022-05-27T09:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1898", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1898" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:42:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://hackerone.com/reports/1555441" + }, + { + "url": "https://security.gentoo.org/glsa/202212-01" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5197" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5499-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-27781" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5412-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1646.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-27781" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1924.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8840" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8841" + } + ], + "bom-ref": "vuln-300", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781" + } + }, + { + "severity": "none", + "score": 0.00187, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-27781" + } + }, + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-27781.html" + } + } + ], + "created": "2022-06-02T14:15:44Z", + "description": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "id": "CVE-2022-27781", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781" + }, + "cwes": [ + 400, + 835 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T15:01:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202310-06" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44758" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5800-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-44758" + } + ], + "bom-ref": "vuln-301", + "ratings": [ + { + "severity": "none", + "score": 0.00088, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-44758" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-44758.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44758" + } + } + ], + "created": "2022-12-26T05:15:10Z", + "description": "Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.", + "affects": [ + { + "ref": "comp-99" + }, + { + "ref": "comp-97" + }, + { + "ref": "comp-91" + }, + { + "ref": "comp-98" + } + ], + "id": "CVE-2021-44758", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44758" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-10-08T09:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-91", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-98", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-403.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1893.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2319.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5535" + } + ], + "bom-ref": "vuln-302", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-5535.html" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5535" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5535" + } + } + ], + "created": "2023-10-11T20:15:10Z", + "description": "Use After Free in GitHub repository vim/vim prior to v9.0.2010.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-5535", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5535" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-15T02:31:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6026-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1567.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0894" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0359" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5458-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0359" + } + ], + "bom-ref": "vuln-303", + "ratings": [ + { + "severity": "none", + "score": 0.00128, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0359" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0359.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0359" + } + } + ], + "created": "2022-01-26T12:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-0359", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0359" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-11-09T18:58:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5507-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1942" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-304", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1942" + } + }, + { + "severity": "none", + "score": 0.00087, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1942" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1942.html" + } + } + ], + "created": "2022-05-31T14:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1942", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1942" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2022/dsa-5266" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5XOOB7CD55CEE6OJYKSACSIMQ4RWQ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BY4OPSIB33ETNUXZY2UPZ4NGQ3OKDY4D/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPQVIF6TOJNY2T3ZZETFKR4G34FFREBQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUJ2BULJTZ2BMSKQHB6US674P55UCWWS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJ5VY2VYXE4WTRGQ6LMGLF6FV3SY37YE/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFCOMBSOJKLIKCGCJWHLJXO4EVYBG7AR/" + }, + { + "url": "https://security.gentoo.org/glsa/202210-38" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-43680" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3355" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0103" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1655.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8550" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1885.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0337" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8554" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022743" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8553" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8548" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8549" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-43680" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0421" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5638-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5638-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5638-4" + } + ], + "bom-ref": "vuln-305", + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-43680.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680" + } + }, + { + "severity": "none", + "score": 0.00487, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43680" + } + } + ], + "created": "2022-10-24T14:15:53Z", + "description": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.", + "affects": [ + { + "ref": "comp-166" + }, + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-43680", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-01-21T02:08:05Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:14:05Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-166", + "value": "0:2.1.0-4ubuntu1.4+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://usn.ubuntu.com/4309-1/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1468492" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-11109" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867720" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4309-1" + } + ], + "bom-ref": "vuln-306", + "ratings": [ + { + "severity": "none", + "score": 0.00132, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-11109" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-11109.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11109" + } + } + ], + "created": "2017-07-08T17:29:00Z", + "description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-160" + } + ], + "id": "CVE-2017-11109", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11109" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2019-08-03T13:15:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "2:7.4.052-1ubuntu3.1+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202006-03" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4602-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4602-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2184" + }, + { + "url": "https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-12723" + }, + { + "url": "https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0557" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1032" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0883" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1266" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0343" + } + ], + "bom-ref": "vuln-307", + "ratings": [ + { + "severity": "low", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12723.html" + } + }, + { + "severity": "none", + "score": 0.00239, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-12723" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723" + } + } + ], + "created": "2020-06-05T15:15:10Z", + "description": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.", + "affects": [ + { + "ref": "comp-194" + } + ], + "id": "CVE-2020-12723", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723" + }, + "cwes": [ + 120 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:15:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-194", + "value": "0:5.18.2-2ubuntu1.7+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://seclists.org/bugtraq/2019/Aug/4" + }, + { + "url": "https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774@" + }, + { + "url": "https://usn.ubuntu.com/4146-1/" + }, + { + "url": "https://usn.ubuntu.com/4038-2/" + }, + { + "url": "https://usn.ubuntu.com/4146-2/" + }, + { + "url": "https://support.f5.com/csp/article/K68713584?utm_source=f5support&utm_medium=RSS" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html" + }, + { + "url": "https://usn.ubuntu.com/4038-1/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jul/22" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html" + }, + { + "url": "https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4@" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc" + }, + { + "url": "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4038-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4146-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1652.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4146-1" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/bzip2/+bug/1834494" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930886" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-12900" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4038-4" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-12900" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4038-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4038-2" + } + ], + "bom-ref": "vuln-308", + "ratings": [ + { + "severity": "none", + "score": 0.01745, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-12900" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12900.html" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900" + } + } + ], + "created": "2019-06-19T23:15:09Z", + "description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "affects": [ + { + "ref": "comp-175" + }, + { + "ref": "comp-174" + } + ], + "id": "CVE-2019-12900", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:03:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:33:11Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-175", + "value": "0:1.0.6-5ubuntu0.1~esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-174", + "value": "0:1.0.6-5ubuntu0.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3016" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3016" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-309", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3016.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3016" + } + }, + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3016" + } + } + ], + "created": "2022-08-28T12:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0286.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3016", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3016" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T09:48:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2257" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2257" + } + ], + "bom-ref": "vuln-310", + "references": [ + { + "id": "USN-6270-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6270-1" + } + } + ], + "created": "2022-06-30T21:15:10Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2257" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2257" + } + }, + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2257" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2257.html" + } + } + ], + "id": "CVE-2022-2257", + "updated": "2023-11-07T03:46:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1902.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48237" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-311", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48237" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48237.html" + } + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48237", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:33:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1620" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5460-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1620" + } + ], + "bom-ref": "vuln-312", + "references": [ + { + "id": "USN-5613-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5613-1" + } + } + ], + "created": "2022-05-08T11:15:07Z", + "description": "NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.", + "affects": [ + { + "ref": "comp-159" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1620" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1620" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1620.html" + } + }, + { + "severity": "none", + "score": 0.00291, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1620" + } + } + ], + "id": "CVE-2022-1620", + "updated": "2023-11-07T03:42:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQCSLMCK2XGX23R2DKW2MSAICQAK6MT2/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-08" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4CO7N226I3X5FNBR2MACCH6TS764VJP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ND74SKN56BCYL3QLEAAB6E64UUBRA5UG/" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/418" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5704-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8812" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0335" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-100.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-42010" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1730.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42010" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2006.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0096" + } + ], + "bom-ref": "vuln-313", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42010" + } + }, + { + "severity": "none", + "score": 0.00134, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42010" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-42010.html" + } + } + ], + "created": "2022-10-10T00:15:09Z", + "description": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.", + "affects": [ + { + "ref": "comp-110" + }, + { + "ref": "comp-109" + } + ], + "id": "CVE-2022-42010", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42010" + }, + "cwes": [ + 347 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-27T16:49:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-110", + "value": "0:1.6.18-0ubuntu4.5+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-109", + "value": "0:1.6.18-0ubuntu4.5+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/" + }, + { + "url": "https://support.apple.com/kb/HT213489" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5218" + }, + { + "url": "https://support.apple.com/kb/HT213491" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/" + }, + { + "url": "https://support.apple.com/kb/HT213493" + }, + { + "url": "https://support.apple.com/kb/HT213494" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/" + }, + { + "url": "https://support.apple.com/kb/HT213490" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-002.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8291" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8841" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7793" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7106" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37434" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7314" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5570-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5573-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-37434" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1095" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-003.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6736-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0254" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1650.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5570-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2074.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016710" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1849.html" + } + ], + "bom-ref": "vuln-314", + "references": [ + { + "id": "USN-5570-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5570-1" + } + } + ], + "created": "2022-08-05T07:15:07Z", + "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "affects": [ + { + "ref": "comp-185" + }, + { + "ref": "comp-141" + }, + { + "ref": "comp-184" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434" + } + }, + { + "severity": "none", + "score": 0.00341, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-37434" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-37434.html" + } + } + ], + "id": "CVE-2022-37434", + "updated": "2023-07-19T00:56:46Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:39Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-185", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-141", + "value": "1:1.2.8.dfsg-1ubuntu1.1+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-184", + "value": "0:2.0.3-0ubuntu1.14.04.3+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://manpages.debian.org/stretch/apt/apt-get.8.en.html" + } + ], + "bom-ref": "vuln-315", + "ratings": [ + { + "severity": "high", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Weakened Shell Command Exec Flag: 'apt-get --allow-unauthenticated' installs Advantaged package tool (APT) packages on Debian-based Linux distributions without validating package signatures.", + "affects": [ + { + "ref": "comp-284" + } + ], + "id": "IN-DOCKER-005-003", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-151.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-1264" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5963-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1264" + } + ], + "bom-ref": "vuln-316", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-1264.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264" + } + }, + { + "severity": "none", + "score": 0.00053, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1264" + } + } + ], + "created": "2023-03-07T22:15:10Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-1264", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:02:58Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T12:32:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm7" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357" + }, + { + "url": "https://security.gentoo.org/glsa/201805-09" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-7169" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5254-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890557" + } + ], + "bom-ref": "vuln-317", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7169" + } + }, + { + "severity": "low", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7169.html" + } + }, + { + "severity": "none", + "score": 0.00081, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-7169" + } + } + ], + "created": "2018-02-15T20:29:00Z", + "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "affects": [ + { + "ref": "comp-267" + }, + { + "ref": "comp-268" + } + ], + "id": "CVE-2018-7169", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7169" + }, + "cwes": [ + 732 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2019-10-03T00:03:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-267", + "value": "1:4.1.5.1-1ubuntu9.5+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-268", + "value": "1:4.1.5.1-1ubuntu9.5+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-29" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4633" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2020.html" + }, + { + "url": "https://seclists.org/bugtraq/2020/Feb/36" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0877" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0759" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0250" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-5482" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1792" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1294.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3916" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1340.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1027" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940010" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4129-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4129-1" + } + ], + "bom-ref": "vuln-318", + "references": [ + { + "id": "USN-4129-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4129-2" + } + } + ], + "created": "2019-09-16T19:15:10Z", + "description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5482" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.09761, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5482" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5482" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5482.html" + } + } + ], + "id": "CVE-2019-5482", + "updated": "2023-11-07T03:11:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T07:38:45Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://docs.docker.com/develop/develop-images/instructions/" + } + ], + "bom-ref": "vuln-319", + "ratings": [ + { + "severity": "info", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Last USER is root: If a service can run without privileges, use USER to change to a non-root user.", + "affects": [ + { + "ref": "comp-284" + } + ], + "id": "IN-DOCKER-003", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T14:36:39Z" + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html" + }, + { + "url": "https://support.apple.com/kb/HT213843" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/" + }, + { + "url": "https://support.apple.com/kb/HT213844" + }, + { + "url": "https://support.apple.com/kb/HT213845" + }, + { + "url": "https://hackerone.com/reports/1954658" + }, + { + "url": "https://security.gentoo.org/glsa/202310-12" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5598" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-270.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-28322" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6237-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4628" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2230.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4629" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0428" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6237-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4354" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0585" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1601" + } + ], + "bom-ref": "vuln-320", + "references": [ + { + "id": "USN-6237-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6237-3" + } + } + ], + "created": "2023-05-26T21:15:16Z", + "description": "An information disclosure vulnerability exists in curl " + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/" + }, + { + "url": "https://security.gentoo.org/glsa/202101-18" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3252" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-2(regressioninpython2.7)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-4" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5235" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1633" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3177" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1879" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3177" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-5" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3254" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1611.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1484.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-005.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1761" + } + ], + "bom-ref": "vuln-321", + "references": [ + { + "id": "USN-4754-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4754-1" + } + } + ], + "created": "2021-01-19T06:15:12Z", + "description": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177" + }, + "cwes": [ + 120 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.03119, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3177" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3177.html" + } + } + ], + "id": "CVE-2021-3177", + "updated": "2023-11-07T03:37:56Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm10" + } + ] + }, + { + "advisories": [ + { + "url": "https://seclists.org/bugtraq/2019/Jun/14" + }, + { + "url": "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=c44496df2f090a56d3bf75df930592dac6bba46f" + }, + { + "url": "https://seclists.org/bugtraq/2019/Sep/7" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=16695" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2014-9984" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-322", + "references": [ + { + "id": "USN-6762-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6762-1" + } + } + ], + "created": "2017-06-12T13:29:00Z", + "description": "nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.", + "affects": [ + { + "ref": "comp-218" + }, + { + "ref": "comp-216" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9984" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9984" + } + }, + { + "severity": "none", + "score": 0.01482, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2014-9984" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9984.html" + } + } + ], + "id": "CVE-2014-9984", + "updated": "2023-11-07T02:23:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-218", + "value": "0:2.19-0ubuntu6.15+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-216", + "value": "0:2.19-0ubuntu6.15+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/HT208112" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html" + }, + { + "url": "https://support.apple.com/HT208113" + }, + { + "url": "https://support.apple.com/HT208115" + }, + { + "url": "https://usn.ubuntu.com/4019-2/" + }, + { + "url": "https://usn.ubuntu.com/4019-1/" + }, + { + "url": "https://support.apple.com/HT208144" + }, + { + "url": "https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26" + }, + { + "url": "https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937" + }, + { + "url": "https://sqlite.org/src/info/66de6f4a" + }, + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867618" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2017-10989" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4019-2" + } + ], + "bom-ref": "vuln-323", + "ratings": [ + { + "severity": "info", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10989.html" + } + }, + { + "severity": "none", + "score": 0.00949, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2017-10989" + } + }, + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10989" + } + } + ], + "created": "2017-07-07T12:29:00Z", + "description": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.", + "affects": [ + { + "ref": "comp-43" + }, + { + "ref": "comp-42" + } + ], + "id": "CVE-2017-10989", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10989" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2019-10-03T00:03:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1927" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5942" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5813" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-324", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1927" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1927.html" + } + }, + { + "severity": "none", + "score": 0.00092, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1927" + } + } + ], + "created": "2022-05-29T14:15:08Z", + "description": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1927", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1927" + }, + "cwes": [ + 125, + 126 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215945" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0417" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6632" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7112" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2577" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4641" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1873.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6640-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-450.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4641" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2247.html" + } + ], + "bom-ref": "vuln-325", + "references": [ + { + "id": "USN-6640-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6640-1" + } + } + ], + "created": "2023-12-27T16:15:13Z", + "description": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.", + "affects": [ + { + "ref": "comp-268" + }, + { + "ref": "comp-267" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4641" + }, + "cwes": [ + 303, + 287 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4641.html" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4641" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4641" + } + } + ], + "id": "CVE-2023-4641", + "updated": "2024-05-03T16:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-268", + "value": "1:4.1.5.1-1ubuntu9.5+esm4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-267", + "value": "1:4.1.5.1-1ubuntu9.5+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-4293" + } + ], + "bom-ref": "vuln-326", + "ratings": [ + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-4293.html" + } + }, + { + "severity": "none", + "score": 0.00077, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-4293" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4293" + } + } + ], + "created": "2022-12-05T19:15:10Z", + "description": "Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-4293", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4293" + }, + "cwes": [ + 697, + 1077 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVPZVE2CIE2NGCHZDMEHPBWN3LK2UQAA/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6E457NYOIRWBJHKB7ON44UY5AVTG4HU/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1420" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5613-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1597.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1420" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5242" + } + ], + "bom-ref": "vuln-327", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1420" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1420.html" + } + }, + { + "severity": "none", + "score": 0.00081, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1420" + } + } + ], + "created": "2022-04-21T11:15:08Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.", + "affects": [ + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1420", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1420" + }, + "cwes": [ + 823, + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:41:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2019/dsa-4535" + }, + { + "url": "https://usn.ubuntu.com/4142-2/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html" + }, + { + "url": "https://security.gentoo.org/glsa/202003-05" + }, + { + "url": "https://seclists.org/bugtraq/2019/Sep/58" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/" + }, + { + "url": "https://usn.ubuntu.com/4142-1/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1458.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-5094" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4142-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1509.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-5094" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941139" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4142-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4011" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1913" + } + ], + "bom-ref": "vuln-328", + "references": [ + { + "id": "USN-4142-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4142-2" + } + } + ], + "created": "2019-09-24T22:15:13Z", + "description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "affects": [ + { + "ref": "comp-273" + }, + { + "ref": "comp-276" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5094" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5094.html" + } + }, + { + "severity": "none", + "score": 0.00082, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5094" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5094" + } + } + ], + "id": "CVE-2019-5094", + "updated": "2023-11-07T03:11:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-273", + "value": "0:1.42.9-3ubuntu1.3+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-276", + "value": "0:1.42.9-3ubuntu1.3+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22824" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-22824" + } + ], + "bom-ref": "vuln-329", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824" + } + }, + { + "severity": "none", + "score": 0.00823, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22824" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-22824.html" + } + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-22824", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-10-06T14:47:33Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCLJN4QINITA3ZASKLEJ64C5TFNKELMO/" + }, + { + "url": "https://support.apple.com/kb/HT213844" + }, + { + "url": "https://support.apple.com/kb/HT213845" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LOJP6M7ZTKZQYOGVOOAY6TIE6ACBJL55/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6154-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2426" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035323" + } + ], + "bom-ref": "vuln-330", + "references": [ + { + "id": "USN-6154-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/6154-1" + } + } + ], + "created": "2023-04-29T22:15:09Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2426" + }, + "cwes": [ + 823 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2426" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-2426.html" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2426" + } + } + ], + "id": "CVE-2023-2426", + "updated": "2023-12-23T07:15:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T13:35:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm10" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213257" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65" + }, + { + "url": "https://support.apple.com/kb/HT213255" + }, + { + "url": "https://support.apple.com/kb/HT213256" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5103" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.openssl.org/news/secadv/20220315.txt" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "url": "https://security.gentoo.org/glsa/202210-02" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-037.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1519" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1476" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6457-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1766.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1112" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1078" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1077" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1076" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1082" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-051.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1389" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1520" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5328-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5328-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2022-018.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1066" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1065" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1263" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1575.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1073" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASMARIADB10.5-2023-003.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4896" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1390" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1071" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5326" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1091" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4899" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:4956" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-0778" + } + ], + "bom-ref": "vuln-331", + "references": [ + { + "id": "USN-5328-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5328-2" + } + } + ], + "created": "2022-03-15T17:15:08Z", + "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "affects": [ + { + "ref": "comp-232" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778" + } + }, + { + "severity": "none", + "score": 0.01342, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-0778" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0778.html" + } + } + ], + "id": "CVE-2022-0778", + "updated": "2023-11-07T03:41:33Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T11:56:33Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780" + }, + { + "url": "https://security.gentoo.org/glsa/202003-24" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html" + }, + { + "url": "https://www.debian.org/security/2019/dsa-4550" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6BJVGXSCC6NMIAWX36FPWHEIFON3OSE/" + }, + { + "url": "https://usn.ubuntu.com/4172-2/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html" + }, + { + "url": "https://usn.ubuntu.com/4172-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942830" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2019-1326.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1918.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4374" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2019-1370.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4172-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4172-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1921.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-18218" + } + ], + "bom-ref": "vuln-332", + "references": [ + { + "id": "USN-4172-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4172-2" + } + } + ], + "created": "2019-10-21T05:15:10Z", + "description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).", + "affects": [ + { + "ref": "comp-139" + }, + { + "ref": "comp-138" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18218.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218" + } + }, + { + "severity": "none", + "score": 0.00118, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-18218" + } + } + ], + "id": "CVE-2019-18218", + "updated": "2023-11-07T03:06:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-139", + "value": "1:5.14-2ubuntu3.4+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-138", + "value": "1:5.14-2ubuntu3.4+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202402-08" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9" + }, + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d" + }, + { + "url": "https://www.openssl.org/news/secadv/20230207.txt" + }, + { + "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5209" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2932" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3421" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1440" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1441" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3420" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0286" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1405" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1934.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1683.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-101.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6564-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2022" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2165" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4128" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3355" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4124" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3354" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1199" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1437" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1438" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1439" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0946" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5844-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5845-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4252" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html" + } + ], + "bom-ref": "vuln-333", + "ratings": [ + { + "severity": "high", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-0286.html" + } + }, + { + "severity": "high", + "score": 7.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286" + } + }, + { + "severity": "none", + "score": 0.00255, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0286" + } + } + ], + "created": "2023-02-08T20:15:24Z", + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "affects": [ + { + "ref": "comp-232" + } + ], + "id": "CVE-2023-0286", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286" + }, + "cwes": [ + 843 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-04T09:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:13Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213444" + }, + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://support.apple.com/kb/HT213443" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2125" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2125" + } + ], + "bom-ref": "vuln-334", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2125" + } + }, + { + "severity": "none", + "score": 0.00147, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2125" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2125.html" + } + } + ], + "created": "2022-06-19T12:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2125", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2125" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2522" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016068" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2522" + } + ], + "bom-ref": "vuln-335", + "ratings": [ + { + "severity": "none", + "score": 0.00123, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2522" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2522" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2522.html" + } + } + ], + "created": "2022-07-25T14:15:10Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2522", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2522" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48232" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-336", + "ratings": [ + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48232" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48232.html" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48232" + } + } + ], + "created": "2023-11-16T23:15:08Z", + "description": "Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48232", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48232" + }, + "cwes": [ + 755 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:37:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1716.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3491" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6420-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + } + ], + "bom-ref": "vuln-337", + "ratings": [ + { + "severity": "none", + "score": 0.00062, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3491" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3491" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3491.html" + } + } + ], + "created": "2022-12-03T13:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-3491", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3491" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:16:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-22825" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22825" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + } + ], + "bom-ref": "vuln-338", + "ratings": [ + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825" + } + }, + { + "severity": "none", + "score": 0.00739, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22825" + } + }, + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-22825.html" + } + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-22825", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-10-06T14:47:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1372830" + }, + { + "url": "https://usn.ubuntu.com/3968-3/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3968-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-7032" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2016:2872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-339", + "references": [ + { + "id": "USN-3968-3", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/3968-3" + } + } + ], + "created": "2017-04-14T18:59:00Z", + "description": "sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function.", + "affects": [ + { + "ref": "comp-102" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7032" + }, + "cwes": [ + 284 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "info", + "score": 7.0, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7032.html" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-7032" + } + }, + { + "severity": "high", + "score": 7.0, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7032" + } + } + ], + "id": "CVE-2016-7032", + "updated": "2020-09-30T18:15:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-102", + "value": "0:1.8.9p5-1ubuntu1.5+esm5" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/" + }, + { + "url": "https://usn.ubuntu.com/4581-1/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/" + }, + { + "url": "https://bugs.python.org/issue39603" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/" + }, + { + "url": "https://security.gentoo.org/glsa/202101-18" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1670.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4581-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2317.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4299" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1669.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1454.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5235" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4754-3" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1633" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-26116" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-26116" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1879" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3366" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4285" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4273" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1761" + } + ], + "bom-ref": "vuln-340", + "references": [ + { + "id": "USN-4581-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4581-1" + } + } + ], + "created": "2020-09-27T04:15:11Z", + "description": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26116" + }, + "cwes": [ + 74 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.2, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26116" + } + }, + { + "severity": "none", + "score": 0.00306, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-26116" + } + }, + { + "severity": "medium", + "score": 7.2, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-26116.html" + } + } + ], + "id": "CVE-2020-26116", + "updated": "2023-11-07T03:20:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:26:42Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/" + }, + { + "url": "https://hackerone.com/reports/1892780" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html" + }, + { + "url": "https://security.gentoo.org/glsa/202310-12" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3106" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-27535" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2070.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0428" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5964-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:2650" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5964-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-27535" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1727.html" + } + ], + "bom-ref": "vuln-341", + "references": [ + { + "id": "USN-5964-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5964-2" + } + } + ], + "created": "2023-03-30T20:15:07Z", + "description": "An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27535" + }, + "cwes": [ + 305, + 287 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-27535.html" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27535" + } + }, + { + "severity": "none", + "score": 0.00154, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27535" + } + } + ], + "id": "CVE-2023-27535", + "updated": "2024-03-27T14:47:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:13Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4751" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1826.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + } + ], + "bom-ref": "vuln-342", + "ratings": [ + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4751.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4751" + } + }, + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4751" + } + } + ], + "created": "2023-09-03T19:15:43Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4751", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4751" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-22T18:09:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202210-40" + }, + { + "url": "https://sqlite.org/releaselog/3_39_2.html" + }, + { + "url": "https://www.sqlite.org/cves.html" + }, + { + "url": "https://kb.cert.org/vuls/id/720344" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5716-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0110" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5716-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5712-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0339" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034122" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-089.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1911.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034127" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034129" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35737" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://support.microsoft.com/help/5034122" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-35737" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0425" + } + ], + "bom-ref": "vuln-343", + "references": [ + { + "id": "USN-5716-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5716-2" + } + } + ], + "created": "2022-08-03T06:15:07Z", + "description": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.", + "affects": [ + { + "ref": "comp-43" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737" + }, + "cwes": [ + 129 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-35737.html" + } + }, + { + "severity": "none", + "score": 0.00254, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-35737" + } + } + ], + "id": "CVE-2022-35737", + "updated": "2024-03-27T16:05:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:26:21Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://support.apple.com/kb/HT212325" + }, + { + "url": "https://www.debian.org/security/2021/dsa-4881" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html" + }, + { + "url": "https://support.apple.com/kb/HT212327" + }, + { + "url": "https://security.gentoo.org/glsa/202012-14" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/" + }, + { + "url": "https://support.apple.com/kb/HT212326" + }, + { + "url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/" + }, + { + "url": "https://hackerone.com/reports/1045844" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-8285" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2471" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1693.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4665-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977162" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2472" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8285" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1610" + } + ], + "bom-ref": "vuln-344", + "references": [ + { + "id": "USN-4665-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4665-2" + } + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.", + "affects": [ + { + "ref": "comp-135" + }, + { + "ref": "comp-134" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285" + }, + "cwes": [ + 787, + 674 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285" + } + }, + { + "severity": "none", + "score": 0.0071, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-8285" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8285.html" + } + } + ], + "id": "CVE-2020-8285", + "updated": "2024-03-27T15:47:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm6" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html" + }, + { + "url": "https://usn.ubuntu.com/4249-1/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1458.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-5188" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1509.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:4011" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1913" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4249-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-5188" + } + ], + "bom-ref": "vuln-345", + "references": [ + { + "id": "USN-4249-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4249-1" + } + } + ], + "created": "2020-01-08T16:15:11Z", + "description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "affects": [ + { + "ref": "comp-273" + }, + { + "ref": "comp-276" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5188" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5188" + } + }, + { + "severity": "none", + "score": 0.00065, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-5188" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5188.html" + } + } + ], + "id": "CVE-2019-5188", + "updated": "2023-11-07T03:11:27Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-09T07:51:00Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-273", + "value": "0:1.42.9-3ubuntu1.3+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-276", + "value": "0:1.42.9-3ubuntu1.3+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2183" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5723-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2183" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-346", + "ratings": [ + { + "severity": "none", + "score": 0.00117, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2183" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2183" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2183.html" + } + } + ], + "created": "2022-06-23T19:15:08Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2183", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2183" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQCSLMCK2XGX23R2DKW2MSAICQAK6MT2/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-08" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4CO7N226I3X5FNBR2MACCH6TS764VJP/" + }, + { + "url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/413" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ND74SKN56BCYL3QLEAAB6E64UUBRA5UG/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8812" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8977" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5704-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0335" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-100.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-42011" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1730.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2006.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0096" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42011" + } + ], + "bom-ref": "vuln-347", + "references": [ + { + "id": "USN-5704-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5704-1" + } + } + ], + "created": "2022-10-10T00:15:09Z", + "description": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.", + "affects": [ + { + "ref": "comp-110" + }, + { + "ref": "comp-109" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42011" + }, + "cwes": [ + 129 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00176, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-42011" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42011" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-42011.html" + } + } + ], + "id": "CVE-2022-42011", + "updated": "2023-12-27T16:49:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-110", + "value": "0:1.6.18-0ubuntu4.5+esm3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-109", + "value": "0:1.6.18-0ubuntu4.5+esm3" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2923" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2923" + } + ], + "bom-ref": "vuln-348", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2923.html" + } + }, + { + "severity": "none", + "score": 0.00093, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2923" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2923" + } + } + ], + "created": "2022-08-22T21:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2923", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2923" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:47:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T08:13:31Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2020:0463" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0451" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:4238" + }, + { + "url": "https://usn.ubuntu.com/4298-2/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0476" + }, + { + "url": "https://usn.ubuntu.com/4298-1/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0273" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0229" + }, + { + "url": "https://security.gentoo.org/glsa/202003-08" + }, + { + "url": "https://seclists.org/bugtraq/2020/Jan/27" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:0227" + }, + { + "url": "https://www.debian.org/security/2020/dsa-4606" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:2014" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:0547" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1394.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-13734" + } + ], + "bom-ref": "vuln-349", + "ratings": [ + { + "severity": "medium", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13734.html" + } + }, + { + "severity": "high", + "score": 8.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13734" + } + }, + { + "severity": "none", + "score": 0.00424, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13734" + } + } + ], + "created": "2019-12-10T22:15:13Z", + "description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "affects": [ + { + "ref": "comp-42" + }, + { + "ref": "comp-43" + } + ], + "id": "CVE-2019-13734", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13734" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:04:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:09Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm2" + } + ] + }, + { + "bom-ref": "vuln-350", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2021-09-01T18:49:31Z", + "description": "USN-5051-2 introduced a regression in OpenSSL that affected only Ubuntu 14.04 ESM.\nThis update fix the regression.\n\nOriginal advisory details:\n\n Ingo Schwarze discovered that OpenSSL incorrectly handled certain ASN.1\n strings. A remote attacker could use this issue to cause OpenSSL to crash,\n resulting in a denial of service, or possibly obtain sensitive information.\n (CVE-2021-3712)\n", + "affects": [ + { + "ref": "comp-232" + } + ], + "id": "USN-5051-4", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5051-4" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-232", + "value": "0:1.0.1f-1ubuntu2.27+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://docs.aws.amazon.com/inspector/latest/user/supported.html" + } + ], + "bom-ref": "vuln-351", + "ratings": [ + { + "severity": "critical", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-04-08T15:09:42Z", + "description": "Discontinued Operating System: This resource relies on an operating system that was discontinued and is no longer actively supported or maintained by the original developer or a trusted proxy for the original developer. Amazon Inspector previously provided full support for this operating system and will continue to scan impacted resources. However, any findings Amazon Inspector generates for a discontinued operating system are for informational purposes only.", + "affects": [ + { + "ref": "comp-1" + } + ], + "id": "IN-DISCONTINUED-001", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + }, + "cwes": [ + 1104 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-08T15:09:42Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/" + }, + { + "url": "https://security.gentoo.org/glsa/202104-04" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935913" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1640.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4160" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1504.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5342-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5342-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4162" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3426" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4399" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:3254" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1498.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2021-1500.html" + } + ], + "bom-ref": "vuln-352", + "ratings": [ + { + "severity": "medium", + "score": 5.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426" + } + }, + { + "severity": "none", + "score": 0.00061, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3426" + } + }, + { + "severity": "low", + "score": 5.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-3426.html" + } + } + ], + "created": "2021-05-20T13:15:07Z", + "description": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "id": "CVE-2021-3426", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426" + }, + "cwes": [ + 22, + 200 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:38:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5533-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2129" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2129" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-353", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2129" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2129.html" + } + }, + { + "severity": "none", + "score": 0.00097, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2129" + } + } + ], + "created": "2022-06-19T19:15:08Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2129", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2129" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:46:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-29T14:20:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.debian.org/security/2020/dsa-4606" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:4238" + }, + { + "url": "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html" + }, + { + "url": "https://usn.ubuntu.com/4298-2/" + }, + { + "url": "https://usn.ubuntu.com/4298-1/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-08" + }, + { + "url": "https://seclists.org/bugtraq/2020/Jan/27" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-13750" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:4396" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4298-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-354", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13750" + } + }, + { + "severity": "none", + "score": 0.00766, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-13750" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13750.html" + } + } + ], + "created": "2019-12-10T22:15:14Z", + "description": "Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.", + "affects": [ + { + "ref": "comp-42" + }, + { + "ref": "comp-43" + } + ], + "id": "CVE-2019-13750", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13750" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:04:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:46:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-42", + "value": "0:3.8.2-1ubuntu2.2+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-43", + "value": "0:3.8.2-1ubuntu2.2+esm2" + } + ] + }, + { + "bom-ref": "vuln-355", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2021-09-21T13:07:33Z", + "description": "USN-5079-2 fixed vulnerabilities in curl. One of the fixes introduced a\nregression. This update fixes the problem.\n\nOriginal advisory details:\n\n Patrick Monnerat discovered that curl incorrectly handled upgrades to TLS.\n When receiving certain responses from servers, curl would continue without\n TLS even when the option to require a successful upgrade to TLS was\n specified. (CVE-2021-22946)\n\n Patrick Monnerat discovered that curl incorrectly handled responses\n received before STARTTLS. A remote attacker could possibly use this issue\n to inject responses and intercept communications. (CVE-2021-22947)\n", + "affects": [ + { + "ref": "comp-134" + }, + { + "ref": "comp-135" + } + ], + "id": "USN-5079-4", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5079-4" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-134", + "value": "0:7.35.0-1ubuntu2.20+esm9" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-135", + "value": "0:7.35.0-1ubuntu2.20+esm9" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/" + }, + { + "url": "https://bugs.python.org/issue35121" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00040.html" + }, + { + "url": "https://usn.ubuntu.com/4127-2/" + }, + { + "url": "https://usn.ubuntu.com/4127-1/" + }, + { + "url": "https://security.gentoo.org/glsa/202003-26" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3948" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2019:3725" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2020-1375.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1132" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1539" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1131" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1605" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2020:1540" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:1764" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1432.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-20852" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4127-1" + } + ], + "bom-ref": "vuln-356", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20852.html" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852" + } + }, + { + "severity": "none", + "score": 0.00484, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-20852" + } + } + ], + "created": "2019-07-13T21:15:10Z", + "description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "affects": [ + { + "ref": "comp-226" + }, + { + "ref": "comp-224" + } + ], + "id": "CVE-2018-20852", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T02:56:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T10:34:48Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm2" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213488" + }, + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1968" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5995-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5507-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-357", + "ratings": [ + { + "severity": "none", + "score": 0.00102, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1968" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1968" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1968.html" + } + } + ], + "created": "2022-06-02T14:15:34Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1968", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1968" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-05-03T12:15:38Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm8" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202209-24" + }, + { + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf" + }, + { + "url": "https://www.debian.org/security/2022/dsa-5073" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5455-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1603.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0951" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7692" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5288-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22822" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:1069" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-22822" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7144" + } + ], + "bom-ref": "vuln-358", + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822" + } + }, + { + "severity": "medium", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-22822.html" + } + }, + { + "severity": "none", + "score": 0.0034, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22822" + } + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "affects": [ + { + "ref": "comp-167" + } + ], + "id": "CVE-2022-22822", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-10-06T15:29:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:42:38Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-167", + "value": "0:2.1.0-4ubuntu1.4+esm4" + } + ] + }, + { + "advisories": [ + { + "url": "https://seclists.org/bugtraq/2019/Aug/4" + }, + { + "url": "https://lists.apache.org/thread.html/redf17d8ad16140733b25ca402ae825d6dfa9b85f73d9fb3fd0c75d73@" + }, + { + "url": "https://usn.ubuntu.com/4038-2/" + }, + { + "url": "https://security.gentoo.org/glsa/201708-08" + }, + { + "url": "https://usn.ubuntu.com/4038-1/" + }, + { + "url": "https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c@" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af@" + }, + { + "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@" + }, + { + "url": "https://lists.apache.org/thread.html/r6e3962fc9f6a79851f70cffdec5759065969cec9c6708b964464b301@" + }, + { + "url": "https://lists.apache.org/thread.html/rffebcbeaace56ff1fed7916700d2f414ca1366386fb1293e99b3e31e@" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html" + }, + { + "url": "https://lists.apache.org/thread.html/r481cda41fefb03e04c51484ed14421d812e5ce9e0972edff10f37260@" + }, + { + "url": "https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305@" + }, + { + "url": "https://seclists.org/bugtraq/2019/Jul/22" + }, + { + "url": "https://lists.apache.org/thread.html/r19b4a70ac52093115fd71d773a7a4f579599e6275a13cfcf6252c3e3@" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1319648" + }, + { + "url": "https://lists.apache.org/thread.html/r5f7ac2bd631ccb12ced65b71ff11f94e76d05b22000795e4a7b61203@" + }, + { + "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2016-3189" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4038-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827744" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2016-3189" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4038-2" + } + ], + "bom-ref": "vuln-359", + "references": [ + { + "id": "USN-4038-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4038-2" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.03568, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-3189" + } + }, + { + "severity": "low", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3189.html" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189" + } + } + ], + "created": "2016-06-30T17:59:01Z", + "description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", + "affects": [ + { + "ref": "comp-175" + }, + { + "ref": "comp-174" + } + ], + "id": "CVE-2016-3189", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T02:32:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:33:11Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-175", + "value": "0:1.0.6-5ubuntu0.1~esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-174", + "value": "0:1.0.6-5ubuntu0.1~esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/" + }, + { + "url": "https://bugs.python.org/issue24778" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/" + }, + { + "url": "https://security.gentoo.org/glsa/202305-02" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2015-20107" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6766" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6457" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5888-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7593" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:8353" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7592" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:7581" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/QDSXNCW77UGULFG2JMDFZQ7H4DIR32LA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5519-1" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2015-20107" + } + ], + "bom-ref": "vuln-360", + "references": [ + { + "id": "USN-5519-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5519-1" + } + } + ], + "created": "2022-04-13T16:15:08Z", + "description": "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9", + "affects": [ + { + "ref": "comp-224" + }, + { + "ref": "comp-226" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107" + }, + "cwes": [ + 77 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "low", + "score": 7.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-20107.html" + } + }, + { + "severity": "high", + "score": 7.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107" + } + }, + { + "severity": "none", + "score": 0.00141, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2015-20107" + } + } + ], + "id": "CVE-2015-20107", + "updated": "2023-11-07T02:25:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm13" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-226", + "value": "0:3.4.3-1ubuntu1~14.04.7+esm13" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.kb.cert.org/vuls/id/730793" + }, + { + "url": "https://kb.cert.org/vuls/id/730793" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-3116" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5675-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-361", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3116" + } + }, + { + "severity": "none", + "score": 0.00123, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-3116" + } + }, + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-3116.html" + } + } + ], + "created": "2023-03-27T22:15:11Z", + "description": "The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.", + "affects": [ + { + "ref": "comp-97" + }, + { + "ref": "comp-99" + } + ], + "id": "CVE-2022-3116", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3116" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-05-05T20:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2023-09-12T08:39:16Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1886" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1886" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-362", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1886" + } + }, + { + "severity": "none", + "score": 0.00123, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1886" + } + }, + { + "severity": "low", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-1886.html" + } + } + ], + "created": "2022-05-26T15:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-1886", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1886" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:42:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://seclists.org/bugtraq/2019/Aug/25" + }, + { + "url": "https://www.samba.org/samba/security/CVE-2018-16860.html" + }, + { + "url": "https://support.apple.com/HT210353" + }, + { + "url": "https://seclists.org/bugtraq/2019/Aug/21" + }, + { + "url": "https://support.apple.com/HT210351" + }, + { + "url": "https://seclists.org/bugtraq/2019/Aug/23" + }, + { + "url": "https://seclists.org/bugtraq/2019/Aug/22" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16860" + }, + { + "url": "https://support.apple.com/HT210348" + }, + { + "url": "https://security.gentoo.org/glsa/202003-52" + }, + { + "url": "https://support.apple.com/HT210346" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2018-16860" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5675-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928966" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3976-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-3976-2" + } + ], + "bom-ref": "vuln-363", + "ratings": [ + { + "severity": "medium", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16860.html" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16860" + } + }, + { + "severity": "none", + "score": 0.00285, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2018-16860" + } + } + ], + "created": "2019-07-31T15:15:11Z", + "description": "A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.", + "affects": [ + { + "ref": "comp-97" + }, + { + "ref": "comp-99" + } + ], + "id": "CVE-2018-16860", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16860" + }, + "cwes": [ + 358 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2019-08-14T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-97", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHFAR6OY6G77M6GXCJT75A4KITLNR6GO/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2819" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2819" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1639.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6302-1" + } + ], + "bom-ref": "vuln-364", + "ratings": [ + { + "severity": "none", + "score": 0.00091, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2819" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2819.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2819" + } + } + ], + "created": "2022-08-15T11:21:31Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2022-2819", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2819" + }, + "cwes": [ + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm12" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm12" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866" + }, + { + "url": "https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:0073" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2020:3908" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941412" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4176-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2020-1505.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1582" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2019-14866" + } + ], + "bom-ref": "vuln-365", + "references": [ + { + "id": "USN-4176-1", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/4176-1" + } + } + ], + "created": "2020-01-07T17:15:11Z", + "description": "In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.", + "affects": [ + { + "ref": "comp-265" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14866" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00053, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14866" + } + }, + { + "severity": "high", + "score": 7.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14866" + } + }, + { + "severity": "medium", + "score": 7.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14866.html" + } + } + ], + "id": "CVE-2019-14866", + "updated": "2023-06-04T22:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-11T11:01:03Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-265", + "value": "0:2.11+dfsg-1ubuntu1.2+esm1" + } + ] + }, + { + "advisories": [ + { + "url": "https://support.apple.com/kb/HT213984" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4734" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6452-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1826.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4734" + } + ], + "bom-ref": "vuln-366", + "ratings": [ + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4734" + } + }, + { + "severity": "medium", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-4734.html" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4734" + } + } + ], + "created": "2023-09-02T18:15:17Z", + "description": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2023-4734", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4734" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-12-21T02:52:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm14" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm14" + } + ] + }, + { + "advisories": [ + { + "url": "https://security.gentoo.org/glsa/202305-16" + }, + { + "url": "https://security.gentoo.org/glsa/202208-32" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6270-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1628.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-2208" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + } + ], + "bom-ref": "vuln-367", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2208" + } + }, + { + "severity": "none", + "score": 0.00119, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2208" + } + }, + { + "severity": "low", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-2208.html" + } + } + ], + "created": "2022-06-27T13:15:07Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.", + "affects": [ + { + "ref": "comp-159" + }, + { + "ref": "comp-161" + } + ], + "id": "CVE-2022-2208", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2208" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:46:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm11" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm11" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48236" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1902.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6557-1" + } + ], + "bom-ref": "vuln-368", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-48236.html" + } + }, + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48236" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48236" + } + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "affects": [ + { + "ref": "comp-161" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2023-48236", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48236" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-25T21:38:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-161", + "value": "2:7.4.052-1ubuntu3.1+esm15" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "2:7.4.052-1ubuntu3.1+esm15" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, + { + "url": "https://security.gentoo.org/glsa/202006-03" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, + { + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, + { + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4602-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-4602-2" + }, + { + "url": "https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-10878" + }, + { + "url": "https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1678" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:2792" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1032" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0883" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1266" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:0343" + } + ], + "bom-ref": "vuln-369", + "ratings": [ + { + "severity": "high", + "score": 8.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878" + } + }, + { + "severity": "low", + "score": 8.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "source": { + "name": "Ubuntu Linux", + "url": "https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-10878.html" + } + }, + { + "severity": "none", + "score": 0.00282, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-10878" + } + } + ], + "created": "2020-06-05T14:15:10Z", + "description": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.", + "affects": [ + { + "ref": "comp-194" + } + ], + "id": "CVE-2020-10878", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:14:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:45:23Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-194", + "value": "0:5.18.2-2ubuntu1.7+esm3" + } + ] + }, + { + "bom-ref": "vuln-370", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2021-09-23T13:01:20Z", + "description": "USN-5089-1 updated ca-certificates. This update provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n The ca-certificates package contained a CA certificate that will expire on\n 2021-09-30 and will cause connectivity issues. This update removes the\n “DST Root CA X3” CA.\n", + "affects": [ + { + "ref": "comp-30" + } + ], + "id": "USN-5089-2", + "source": { + "name": "USN", + "url": "https://usn.ubuntu.com/5089-2" + }, + "analysis": { + "state": "in_triage" + }, + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-30", + "value": "0:20190110~14.04.1~esm2" + } + ] + } + ] + } +} \ No newline at end of file diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan.json new file mode 100644 index 0000000..071b8a0 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/inspector-scan.json @@ -0,0 +1,21081 @@ +{ + "messages": [ + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/isc-dhcp-common@4.2.4-7ubuntu12.13?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=isc-dhcp" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsemanage@2.2-1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libcomerr2@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=e2fsprogs" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libroken18-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libselinux@2.2.2-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/eglibc@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libreadline6@6.3-4ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=readline6" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/pam@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libaudit1@2.3.2-2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=audit" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/shadow@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libldap-2.4-2@2.4.31-1%2Bnmu2ubuntu8.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openldap" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/gcc-4.9-base@4.9.3-0ubuntu4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gccgo-4.9" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/dh-python@1.20140128-1ubuntu8.2?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/slang2@2.2.4-15ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libapt-pkg4.12@1.0.1ubuntu2.24?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=apt" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/dpkg@1.17.5ubuntu5.8?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/acl@2.2.52-1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/openldap@2.4.31-1%2Bnmu2ubuntu8.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/tzdata@2019a-0ubuntu0.14.04?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/sysvinit@2.88dsf-41ubuntu6.3?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/lvm2@2.02.98-6ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/audit@2.3.2-2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libgcc1@4.9.3-0ubuntu4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gccgo-4.9" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libestr@0.1.9-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/makedev@2.3.1-93ubuntu2%7Eubuntu14.04.1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/init-system-helpers@1.14ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/iputils@20121221-4ubuntu1.1?arch=amd64\u0026distro=14.04\u0026epoch=3" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libpng@1.2.50-1ubuntu2.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/sensible-utils@0.0.9ubuntu0.14.04.1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/attr@2.4.47-1ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libkeyutils1@1.5.6-1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=keyutils" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libdebconfclient0@0.187ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=cdebconf" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/coreutils@8.21-1ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/cron@3.0pl1-124ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libdevmapper1.02.1@2.02.98-6ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=lvm2" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/lsb-release@4.1%2BDebian11ubuntu6.2?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=lsb" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libcgmanager0@0.24-0ubuntu7.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=cgmanager" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libnih@1.0.3-4ubuntu25?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libslang2@2.2.4-15ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=slang2" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libmodule-pluggable-perl@5.1-1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/debianutils@4.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/findutils@4.4.2-7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libplymouth2@0.8.8-0ubuntu17.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=plymouth" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/xkb-data@2.10.1-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=xkeyboard-config" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libpython3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/module-init-tools@15-0ubuntu7?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=kmod" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libprocps3@3.3.9-1ubuntu2.3?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=procps" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/udev@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=systemd" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/xkeyboard-config@2.10.1-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libmount1@2.20.1-5.1ubuntu20.9?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=util-linux" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsemanage1@2.2-1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libsemanage" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/readline-common@6.3-4ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=readline6" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/fribidi@0.19.6-1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/apt-transport-https@1.0.1ubuntu2.24?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=apt" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/cgmanager@0.24-0ubuntu7.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libgpg-error@1.12-0.2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@4.8.4-2ubuntu1%7E14.04.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gcc-4.8" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libacl1@2.2.52-1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=acl" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libarchive-extract-perl@0.70-1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:pypi/argparse@1.2.1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/base-passwd@3.5.33?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libgdbm3@1.8.3-12build1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gdbm" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/isc-dhcp@4.2.4-7ubuntu12.13?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/rsyslog@7.4.4-1ubuntu2.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libusb-0.1-4@0.1.12-23.3ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=libusb" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/db5.3@5.3.28-3ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/lsb@4.1%2BDebian11ubuntu6.2?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libnih-dbus1@1.0.3-4ubuntu25?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libnih" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/base-files@7.2ubuntu5.6?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libheimntlm0-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/eject@2.1.5%2Bdeb1%2Bcvs20081104-13.1ubuntu0.14.04.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/kbd@1.15.5-1ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libusb@0.1.12-23.3ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsasl2-modules@2.1.25.dfsg1-17build1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=cyrus-sasl2" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/plymouth@0.8.8-0ubuntu17.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libtasn1-6@3.4-3ubuntu0.6?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libpod-latex-perl@0.61-1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libpam-cap@2.24-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=libcap2" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libidn11@1.28-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libidn" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/gnutls26@2.12.23-12ubuntu2.8?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libdrm@2.4.67-1ubuntu0.14.04.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/liblockfile@1.09-6ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libtext-soundex-perl@3.4-1build1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libdrm2@2.4.67-1ubuntu0.14.04.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libdrm" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/kmod@15-0ubuntu7?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libtext-charwidth-perl@0.04-7build3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libnih1@1.0.3-4ubuntu25?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libnih" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/gdbm@1.8.3-12build1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/klibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.1.4-3ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libyaml" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/pyyaml@3.10-4ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libffi@3.1%7Erc1%2Br3.0.13-12ubuntu0.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/initramfs-tools-bin@0.103ubuntu4.11?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=initramfs-tools" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libffi6@3.1%7Erc1%2Br3.0.13-12ubuntu0.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libffi" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@19.6%7Eubuntu14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/keyboard-configuration@1.70ubuntu8?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=console-setup" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libhcrypto4-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libbsd@0.6.0-2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libtext-wrapi18n-perl@0.06-7?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ifupdown@0.7.47.2ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/iputils-ping@20121221-4ubuntu1.1?arch=amd64\u0026distro=14.04\u0026epoch=3\u0026source=iputils" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/initramfs-tools@0.103ubuntu4.11?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/liblog-message-simple-perl@0.10-1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/rtmpdump@2.4%2B20121230.gitdf6c518-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libustr-1.0-1@1.0.4-3ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=ustr" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ubuntu-meta@1.325.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libmpdec2@2.4.0-6?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=mpdecimal" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/multiarch-support@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/net-tools@1.60-25ubuntu2.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/e2fslibs@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=e2fsprogs" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/mawk@1.3.3-17ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/mpdecimal@2.4.0-6?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libnewt0.52@0.52.15-2ubuntu5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=newt" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/logrotate@3.8.7-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libpng12-0@1.2.50-1ubuntu2.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libpng" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/cdebconf@0.187ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/mountall@2.53ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ureadahead@0.100.0-16?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libpopt0@1.16-8ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=popt" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/python3-pkg-resources@3.3-1ubuntu2?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=python-setuptools" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/python3-minimal@3.4.0-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3-defaults" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/langpack-locales@2.13%2Bgit20120306-12.1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/gcc-4.8-base@4.8.4-2ubuntu1%7E14.04.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gcc-4.8" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ubuntu-minimal@1.325.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=ubuntu-meta" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/dash@0.5.7-4ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/gpgv@1.4.16-1ubuntu2.6?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gnupg" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/bsdutils@2.20.1-5.1ubuntu20.9?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=util-linux" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libattr1@2.4.47-1ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=attr" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/netbase@5.2?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libgnutls26@2.12.23-12ubuntu2.8?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gnutls26" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libgnutls-openssl27@2.12.23-12ubuntu2.8?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=gnutls26" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/mount@2.20.1-5.1ubuntu20.9?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=util-linux" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libselinux1@2.2.2-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libselinux" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/locales@2.13%2Bgit20120306-12.1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=langpack-locales" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libidn@1.28-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/gccgo-4.9@4.9.3-0ubuntu4?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libestr0@0.1.9-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libestr" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/liblockfile1@1.09-6ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=liblockfile" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/gcc-4.8@4.8.4-2ubuntu1%7E14.04.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libtext-iconv-perl@1.7-5build2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/python3-defaults@3.4.0-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/apt-utils@1.0.1ubuntu2.24?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=apt" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libaudit-common@2.3.2-2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=audit" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ustr@1.0.4-3ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/sysvinit-utils@2.88dsf-41ubuntu6.3?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=sysvinit" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/libpython3.4-stdlib@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/hostname@3.15ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ntpdate@4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=ntp" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/insserv@1.14.0-5ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libyaml@0.1.4-3ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libapt-inst1.5@1.0.1ubuntu2.24?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=apt" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/netcat-openbsd@1.105-7ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/zlib@1.2.8.dfsg-1ubuntu1.1?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/iproute2@3.12.0-2ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/lockfile-progs@0.1.17?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/resolvconf@1.69ubuntu1.4?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/procps@3.3.9-1ubuntu2.3?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/liblockfile-bin@1.09-6ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=liblockfile" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libgpg-error0@1.12-0.2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libgpg-error" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsepol@2.2-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/readline6@6.3-4ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libpython3-stdlib@3.4.0-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3-defaults" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libkmod2@15-0ubuntu7?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=kmod" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/util-linux@2.20.1-5.1ubuntu20.9?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/python3-yaml@3.10-4ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pyyaml" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/dmsetup@2.02.98-6ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=lvm2" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libterm-ui-perl@0.42-1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/liblocale-gettext-perl@1.05-7build3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ubuntu-keyring@2012.05.19?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libfribidi0@0.19.6-1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=fribidi" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/popt@1.16-8ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libuuid1@2.20.1-5.1ubuntu20.9?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=util-linux" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/sysv-rc@2.88dsf-41ubuntu6.3?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=sysvinit" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/perl-base@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=perl" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:pypi/wsgiref@0.1.2" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/mime-support@3.54ubuntu1.1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/whiptail@0.52.15-2ubuntu5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=newt" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ucf@3.0027%2Bnmu1?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/initscripts@2.88dsf-41ubuntu6.3?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=sysvinit" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/perl-modules@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=perl" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/console-setup@1.70ubuntu8?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsepol1@2.2-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libsepol" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsasl2-modules-db@2.1.25.dfsg1-17build1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=cyrus-sasl2" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/upstart@1.12.1-0ubuntu4.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/sed@4.2.2-4ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libheimbase1-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/lsb-base@4.1%2BDebian11ubuntu6.2?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=lsb" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/cyrus-sasl2@2.1.25.dfsg1-17build1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/python3@3.4.0-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3-defaults" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libblkid1@2.20.1-5.1ubuntu20.9?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=util-linux" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/libsemanage-common@2.2-1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libsemanage" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/diffutils@3.3-1?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/debconf@1.5.51ubuntu2?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/grep@2.16-1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/krb5@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:pypi/Python@2.7.6" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/adduser@3.113%2Bnmu3ubuntu3?arch=all\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component end-of-life: 2024-04-01T00:00:00Z", + "name": "Ubuntu", + "version": "14.04" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/newt@0.52.15-2ubuntu5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/debconf-i18n@1.5.51ubuntu2?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=debconf" + }, + { + "info_message": "Component scanned: no vulnerabilities found.", + "purl": "pkg:deb/ubuntu/librtmp0@2.4%2B20121230.gitdf6c518-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=rtmpdump" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/pcre3@8.31-2ubuntu2.3?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/keyutils@1.5.6-1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/json-c@0.11-3ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "info_message": "Component skipped: no rules found.", + "purl": "pkg:deb/ubuntu/ncurses@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "vulnerabilities": [ + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-23T18:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2182", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 0.00131 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2182", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2182", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2182", + "updated": "2023-11-07T03:46:16Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm7", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2023-01-18T17:15:10Z", + "description": "In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a \"--\" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.", + "id": "CVE-2023-22809", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 269 + ], + "epss": 5.0E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-14T20:35:25Z" + }, + "references": [ + "https://www.debian.org/security/2023/dsa-5321", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4YNBTTKTRT2ME3NTSXAPTOKYUE47XHZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2QDGFCGAV5QRJCE6IXRXIS4XJHS57DDH/", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00012.html", + "https://security.gentoo.org/glsa/202305-12", + "https://support.apple.com/kb/HT213758", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1985.html", + "https://access.redhat.com/errata/RHSA-2023:0287", + "https://alas.aws.amazon.com/ALAS-2023-1682.html", + "https://access.redhat.com/errata/RHSA-2023:0859", + "https://www.cve.org/CVERecord?id=CVE-2023-22809", + "https://ubuntu.com/security/notices/USN-5811-1", + "https://ubuntu.com/security/notices/USN-5811-2", + "https://ubuntu.com/security/notices/USN-5811-3", + "https://access.redhat.com/errata/RHSA-2023:0291", + "https://access.redhat.com/errata/RHSA-2023:0280", + "https://access.redhat.com/errata/RHSA-2023:3262", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2023:3276", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-106.html", + "https://access.redhat.com/errata/RHSA-2023:3264", + "https://access.redhat.com/errata/RHSA-2023:0284", + "https://access.redhat.com/errata/RHSA-2023:0283", + "https://access.redhat.com/errata/RHSA-2023:0293", + "https://access.redhat.com/errata/RHSA-2023:0282", + "https://access.redhat.com/errata/RHSA-2023:0292", + "https://access.redhat.com/errata/RHSA-2023:0281" + ], + "related": [ + "USN-5811-3" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-22809", + "updated": "2023-11-17T19:32:56Z" + }, + { + "affects": [ + { + "fixed_version": "0:0.20.2-2ubuntu2+esm1", + "installed_version": "pkg:deb/ubuntu/libp11-kit0@0.20.2-2ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=p11-kit" + }, + { + "fixed_version": "0:0.20.2-2ubuntu2+esm1", + "installed_version": "pkg:deb/ubuntu/p11-kit@0.20.2-2ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-12-16T14:15:12Z", + "description": "An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.", + "id": "CVE-2020-29361", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00562, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-01-31T20:51:25Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2021/01/msg00002.html", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://www.debian.org/security/2021/dsa-4822", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1601.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-29361", + "https://www.cve.org/CVERecord?id=CVE-2020-29361", + "https://ubuntu.com/security/notices/USN-4677-2", + "https://ubuntu.com/security/notices/USN-4677-1", + "https://lists.freedesktop.org/archives/p11-glue/2020-December/000712.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:1609" + ], + "related": [ + "USN-4677-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-29361", + "updated": "2023-11-07T03:21:26Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:5.3.28-3ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/libdb5.3@5.3.28-3ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=db5.3" + } + ], + "created": "2019-05-30T16:29:01Z", + "description": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.", + "id": "CVE-2019-8457", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0052700001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:20:48Z" + }, + "references": [ + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJPFGA45DI4F5MCF2OAACGH3HQOF4G3M/", + "https://www.sqlite.org/src/info/90acdbfce9c08858", + "https://www.sqlite.org/releaselog/3_28_0.html", + "https://usn.ubuntu.com/4019-2/", + "https://usn.ubuntu.com/4019-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPKYSWCOM3CL66RI76TYVIG6TJ263RXH/", + "https://usn.ubuntu.com/4004-1/", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://usn.ubuntu.com/4004-2/", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://ubuntu.com/security/notices/USN-4004-1", + "https://ubuntu.com/security/notices/USN-4004-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929775", + "https://www.cve.org/CVERecord?id=CVE-2019-8457", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2", + "https://access.redhat.com/errata/RHSA-2020:1810" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-8457", + "updated": "2023-11-07T03:13:30Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm2", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm2", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2019-05-28T19:29:06Z", + "description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.", + "id": "CVE-2019-5436", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.0721900016 + }, + "references": [ + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://support.f5.com/csp/article/K55133295?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", + "https://security.gentoo.org/glsa/202003-29", + "https://support.f5.com/csp/article/K55133295", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.debian.org/security/2020/dsa-4633", + "https://seclists.org/bugtraq/2020/Feb/36", + "https://ubuntu.com/security/notices/USN-3993-1", + "https://ubuntu.com/security/notices/USN-3993-2", + "https://access.redhat.com/errata/RHSA-2020:1020", + "https://access.redhat.com/errata/RHSA-2019:1543", + "https://access.redhat.com/errata/RHSA-2020:1792", + "https://access.redhat.com/errata/RHBA-2020:1539", + "https://alas.aws.amazon.com/ALAS-2019-1233.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1233.html", + "https://access.redhat.com/errata/RHSA-2020:2505", + "https://access.redhat.com/errata/RHBA-2020:1540", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929351", + "https://www.cve.org/CVERecord?id=CVE-2019-5436" + ], + "related": [ + "USN-3993-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-5436", + "updated": "2023-11-07T03:11:35Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-03-03T23:15:11Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1376.", + "id": "CVE-2023-1170", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 5.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T12:25:03Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/", + "https://www.cve.org/CVERecord?id=CVE-2023-1170", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1170", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-151.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html", + "https://ubuntu.com/security/notices/USN-5963-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-1170", + "updated": "2023-11-07T04:02:43Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2018-12-23T23:29:00Z", + "description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1, v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1, v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "id": "CVE-2018-20406", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00655 + }, + "references": [ + "https://bugs.python.org/issue34656", + "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", + "https://usn.ubuntu.com/4127-2/", + "https://usn.ubuntu.com/4127-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1204.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://www.cve.org/CVERecord?id=CVE-2018-20406", + "https://ubuntu.com/security/notices/USN-4127-1", + "https://alas.aws.amazon.com/ALAS-2019-1202.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20406", + "updated": "2023-11-07T02:56:16Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm3", + "installed_version": "pkg:deb/ubuntu/dbus@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm3", + "installed_version": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=dbus" + } + ], + "created": "2022-10-10T00:15:09Z", + "description": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.", + "id": "CVE-2022-42012", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "epss": 0.00113 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQCSLMCK2XGX23R2DKW2MSAICQAK6MT2/", + "https://security.gentoo.org/glsa/202305-08", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4CO7N226I3X5FNBR2MACCH6TS764VJP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ND74SKN56BCYL3QLEAAB6E64UUBRA5UG/", + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/417", + "https://ubuntu.com/security/notices/USN-5704-1", + "https://access.redhat.com/errata/RHSA-2022:8812", + "https://access.redhat.com/errata/RHSA-2022:8977", + "https://www.cve.org/CVERecord?id=CVE-2022-42012", + "https://access.redhat.com/errata/RHSA-2023:0335", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-100.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2023-1730.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2006.html", + "https://access.redhat.com/errata/RHSA-2023:0096", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42012" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-42012", + "updated": "2023-12-27T16:49:43Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm5", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2017-04-14T18:59:00Z", + "description": "sudo_noexec.so in Sudo before 1.8.15 on Linux might allow local users to bypass intended noexec command restrictions via an application that calls the (1) system or (2) popen function.", + "id": "CVE-2016-7032", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.0, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.0, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 284 + ], + "epss": 4.2E-4 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1372830", + "https://usn.ubuntu.com/3968-3/", + "https://ubuntu.com/security/notices/USN-3968-3", + "https://www.cve.org/CVERecord?id=CVE-2016-7032", + "https://access.redhat.com/errata/RHSA-2016:2872", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-3968-3" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-7032", + "updated": "2020-09-30T18:15:14Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2017-05-23T04:29:01Z", + "description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", + "id": "CVE-2016-9840", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0135000004, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T07:53:43Z" + }, + "references": [ + "https://support.apple.com/HT208112", + "https://support.apple.com/HT208113", + "https://support.apple.com/HT208115", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", + "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", + "https://security.gentoo.org/glsa/201701-56", + "https://support.apple.com/HT208144", + "https://access.redhat.com/errata/RHSA-2017:3046", + "https://access.redhat.com/errata/RHSA-2017:3453", + "https://access.redhat.com/errata/RHSA-2017:1220", + "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed", + "https://access.redhat.com/errata/RHSA-2017:1222", + "https://access.redhat.com/errata/RHSA-2017:1221", + "https://usn.ubuntu.com/4292-1/", + "https://access.redhat.com/errata/RHSA-2017:3047", + "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html", + "https://access.redhat.com/errata/RHSA-2017:2999", + "https://security.gentoo.org/glsa/202007-54", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=1402345", + "https://usn.ubuntu.com/4246-1/", + "https://ubuntu.com/security/notices/USN-4246-1", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270", + "https://ubuntu.com/security/notices/USN-4292-1", + "https://www.cve.org/CVERecord?id=CVE-2016-9840" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-9840", + "updated": "2023-11-07T02:37:35Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2019-12-10T22:15:15Z", + "description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "id": "CVE-2019-13753", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0074300002, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:20:48Z" + }, + "references": [ + "https://www.debian.org/security/2020/dsa-4606", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://usn.ubuntu.com/4298-2/", + "https://usn.ubuntu.com/4298-1/", + "https://security.gentoo.org/glsa/202003-08", + "https://seclists.org/bugtraq/2020/Jan/27", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/", + "https://ubuntu.com/security/notices/USN-4298-2", + "https://ubuntu.com/security/notices/USN-4298-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2019-13753", + "https://access.redhat.com/errata/RHSA-2020:1810" + ], + "related": [ + "USN-4298-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-13753", + "updated": "2023-11-07T03:04:22Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "3-3" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Weakened Shell Command Exec Flag: 'apt-get --allow-unauthenticated' installs Advantaged package tool (APT) packages on Debian-based Linux distributions without validating package signatures.", + "id": "IN-DOCKER-005-003", + "properties": {}, + "references": [ + "https://manpages.debian.org/stretch/apt/apt-get.8.en.html" + ], + "severity": "high", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-23T14:15:08Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.", + "id": "CVE-2022-0729", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 823, + 119 + ], + "epss": 0.0028299999 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0729", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0729", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0729", + "updated": "2023-11-07T03:41:32Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-12-25T19:15:07Z", + "description": "vim is vulnerable to Out-of-bounds Read", + "id": "CVE-2021-4166", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 9.2E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2EY2VFBU3YGGWI5BW4XKT3F37MYGEQUD/", + "https://security.gentoo.org/glsa/202208-32", + "https://support.apple.com/kb/HT213343", + "https://support.apple.com/kb/HT213256", + "https://support.apple.com/kb/HT213183", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/", + "https://www.cve.org/CVERecord?id=CVE-2021-4166", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-4166", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2022-1557.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-4166", + "updated": "2023-11-07T03:40:17Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm1", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2017-06-05T16:29:00Z", + "description": "Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.", + "id": "CVE-2017-1000368", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.1999998093, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.1999998093, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 6.5E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/201710-04", + "https://access.redhat.com/errata/RHSA-2017:1574", + "https://usn.ubuntu.com/3968-1/", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10205", + "https://usn.ubuntu.com/3968-2/", + "https://ubuntu.com/security/notices/USN-3968-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863897", + "https://ubuntu.com/security/notices/USN-3968-2", + "https://www.cve.org/CVERecord?id=CVE-2017-1000368", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1315.html", + "https://alas.aws.amazon.com/ALAS-2017-855.html" + ], + "related": [ + "USN-3968-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000368", + "updated": "2019-05-29T19:29:00Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-17T17:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4968.", + "id": "CVE-2022-1733", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 5.4E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFAZTAT5CZC2R6KYDYA2HBAVEDSIX6MW/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUPOLEX5GXC733HL4EFYMHFU7NISJJZG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKIX5HYKWXWG6QBCPPTPQ53GNOFHSAIS/", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1733", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1733", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1733", + "updated": "2023-11-07T03:42:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-01T15:15:09Z", + "description": "Out-of-bounds Write to API in GitHub repository vim/vim prior to 9.0.0100.\n\n", + "id": "CVE-2022-2598", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 8.1E-4 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2598", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2598", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "related": [ + "USN-6302-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2598", + "updated": "2023-07-11T08:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm4", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm4", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.", + "id": "CVE-2020-8177", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 99, + 74 + ], + "epss": 9.9E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:12:19Z" + }, + "references": [ + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.debian.org/security/2021/dsa-4881", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://hackerone.com/reports/887462", + "https://www.cve.org/CVERecord?id=CVE-2020-8177", + "https://access.redhat.com/errata/RHSA-2020:4599", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1451.html", + "https://ubuntu.com/security/notices/USN-4402-1", + "https://access.redhat.com/errata/RHSA-2020:5002", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965281", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8177", + "https://access.redhat.com/errata/RHSA-2020:5417", + "https://alas.aws.amazon.com/ALAS-2020-1411.html" + ], + "related": [ + "USN-4402-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-8177", + "updated": "2024-03-27T16:04:20Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.", + "id": "CVE-2017-13730", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0022400001 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1484284", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://www.cve.org/CVERecord?id=CVE-2017-13730" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13730", + "updated": "2023-11-07T02:38:41Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-27T15:15:07Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1897", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00128, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://access.redhat.com/errata/RHSA-2022:5942", + "https://access.redhat.com/errata/RHSA-2022:5813", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5507-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://www.cve.org/CVERecord?id=CVE-2022-1897", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1897", + "updated": "2023-11-07T03:42:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-26T15:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1886", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.0012300001 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/", + "https://security.gentoo.org/glsa/202208-32", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1886", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-1886", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1886", + "updated": "2023-11-07T03:42:15Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2023-03-27T22:15:11Z", + "description": "The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereferance. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.", + "id": "CVE-2022-3116", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0012300001, + "exploit_available": true, + "exploit_last_seen_in_public": "2023-09-12T08:39:16Z" + }, + "references": [ + "https://www.kb.cert.org/vuls/id/730793", + "https://kb.cert.org/vuls/id/730793", + "https://www.cve.org/CVERecord?id=CVE-2022-3116", + "https://ubuntu.com/security/notices/USN-5675-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3116", + "updated": "2023-05-05T20:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm13", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm13", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2022-12-05T22:15:10Z", + "description": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.", + "id": "CVE-2022-32221", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 668, + 200 + ], + "epss": 0.00562 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html", + "https://www.debian.org/security/2023/dsa-5330", + "https://security.gentoo.org/glsa/202212-01", + "https://hackerone.com/reports/1704017", + "https://support.apple.com/kb/HT213604", + "https://support.apple.com/kb/HT213605", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html", + "https://access.redhat.com/errata/RHSA-2023:4139", + "https://ubuntu.com/security/notices/USN-5702-2", + "https://ubuntu.com/security/notices/USN-5823-1", + "https://ubuntu.com/security/notices/USN-5702-1", + "https://access.redhat.com/errata/RHSA-2023:0333", + "https://www.cve.org/CVERecord?id=CVE-2022-32221", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1882.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:8840", + "https://access.redhat.com/errata/RHSA-2022:8841" + ], + "related": [ + "USN-5702-2" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32221", + "updated": "2024-03-27T15:00:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.11+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/cpio@2.11%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-01-07T17:15:11Z", + "description": "In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system.", + "id": "CVE-2019-14866", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 5.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:01:03Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html", + "https://lists.gnu.org/archive/html/bug-cpio/2019-11/msg00000.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14866", + "https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html", + "https://access.redhat.com/errata/RHSA-2022:0073", + "https://access.redhat.com/errata/RHSA-2020:3908", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941412", + "https://ubuntu.com/security/notices/USN-4176-1", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1505.html", + "https://access.redhat.com/errata/RHSA-2021:1582", + "https://www.cve.org/CVERecord?id=CVE-2019-14866" + ], + "related": [ + "USN-4176-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-14866", + "updated": "2023-06-04T22:15:21Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2020-06-18T14:15:11Z", + "description": "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12; v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.", + "id": "CVE-2020-14422", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 330, + 682 + ], + "epss": 0.0088299997, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCCZTAYZATTNSNEAXWA7U3HCO2OVQKT5/", + "https://usn.ubuntu.com/4428-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X36Y523UAZY5QFXZAAORNFY63HLBWX7N/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00016.html", + "https://bugs.python.org/issue41004", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://security.gentoo.org/glsa/202008-01", + "https://access.redhat.com/errata/RHSA-2020:4433", + "https://ubuntu.com/security/notices/USN-4428-1", + "https://www.cve.org/CVERecord?id=CVE-2020-14422", + "https://access.redhat.com/errata/RHSA-2020:4641", + "https://access.redhat.com/errata/RHSA-2020:4299", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-008.html", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1484.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2151.html", + "https://alas.aws.amazon.com/ALAS-2020-1432.html", + "https://access.redhat.com/errata/RHSA-2020:4285", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-14422", + "https://access.redhat.com/errata/RHSA-2020:5010", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2174.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422", + "updated": "2023-11-07T03:17:14Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-10-05T21:15:11Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 20d161ace307e28690229b68584f2d84556f8960.", + "id": "CVE-2023-5441", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 4.4E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-403.html", + "https://www.cve.org/CVERecord?id=CVE-2023-5441", + "https://alas.aws.amazon.com/ALAS-2023-1893.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-5441", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2319.html", + "https://ubuntu.com/security/notices/USN-6452-1" + ], + "related": [ + "USN-6452-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-5441", + "updated": "2023-11-15T02:33:52Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-07-02T22:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2287", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00115 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2287", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2287", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2287", + "updated": "2023-11-07T03:46:24Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.", + "id": "CVE-2017-13729", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0022400001 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1484276", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723", + "https://www.cve.org/CVERecord?id=CVE-2017-13729", + "https://ubuntu.com/security/notices/USN-5448-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13729", + "updated": "2023-11-07T02:38:41Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-19T13:15:07Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2126", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0017 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://support.apple.com/kb/HT213443", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2126", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2126" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2126", + "updated": "2023-11-07T03:46:13Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm1", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2019-06-24T17:15:09Z", + "description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).", + "id": "CVE-2018-20843", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 611 + ], + "epss": 0.6090999842, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:12:19Z" + }, + "references": [ + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/", + "https://www.debian.org/security/2019/dsa-4472", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226", + "https://security.gentoo.org/glsa/201911-08", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html", + "https://usn.ubuntu.com/4040-2/", + "https://usn.ubuntu.com/4040-1/", + "https://seclists.org/bugtraq/2019/Jun/39", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://support.f5.com/csp/article/K51011533", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://access.redhat.com/errata/RHSA-2020:3952", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1513.html", + "https://access.redhat.com/errata/RHSA-2020:4484", + "https://access.redhat.com/errata/RHSA-2020:2646", + "https://access.redhat.com/errata/RHSA-2020:4846", + "https://access.redhat.com/errata/RHSA-2020:2644", + "https://alas.aws.amazon.com/ALAS-2021-1459.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031", + "https://www.cve.org/CVERecord?id=CVE-2018-20843", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-20843", + "https://ubuntu.com/security/notices/USN-4040-2", + "https://ubuntu.com/security/notices/USN-4040-1", + "https://ubuntu.com/security/notices/USN-4852-1" + ], + "related": [ + "USN-4040-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20843", + "updated": "2023-11-07T02:56:21Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm12", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm12", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2022-02-09T23:15:16Z", + "description": "A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\\r' and '\\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.", + "id": "CVE-2022-0391", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 74 + ], + "epss": 0.0021299999 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDBDBAU6HUPZHISBOARTXZ5GKHF2VH5U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSD2YBXP3ZF44E44QMIIAR5VTO35KTRB/", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://security.gentoo.org/glsa/202305-02", + "https://bugs.python.org/issue43882", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0391", + "https://access.redhat.com/errata/RHSA-2022:1821", + "https://access.redhat.com/errata/RHSA-2022:1764", + "https://www.cve.org/CVERecord?id=CVE-2022-0391", + "https://access.redhat.com/errata/RHSA-2022:1663", + "https://alas.aws.amazon.com/ALAS-2022-1593.html", + "https://access.redhat.com/errata/RHSA-2022:6457", + "https://ubuntu.com/security/notices/USN-5342-2", + "https://ubuntu.com/security/notices/USN-5342-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:3254" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0391", + "updated": "2023-11-07T03:41:13Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.27.1-1ubuntu0.1+esm2", + "installed_version": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-03-26T17:15:12Z", + "description": "A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.", + "id": "CVE-2021-20193", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 401 + ], + "epss": 7.6E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-15T20:18:49Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202105-29", + "https://savannah.gnu.org/bugs/?59897", + "https://bugzilla.redhat.com/show_bug.cgi?id=1917565", + "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980525", + "https://www.cve.org/CVERecord?id=CVE-2021-20193", + "https://ubuntu.com/security/notices/USN-5329-1" + ], + "related": [ + "USN-5329-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-20193", + "updated": "2023-11-07T03:28:59Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2017-07-07T12:29:00Z", + "description": "The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.", + "id": "CVE-2017-10989", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0094900001 + }, + "references": [ + "https://support.apple.com/HT208112", + "https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html", + "https://support.apple.com/HT208113", + "https://support.apple.com/HT208115", + "https://usn.ubuntu.com/4019-2/", + "https://usn.ubuntu.com/4019-1/", + "https://support.apple.com/HT208144", + "https://sqlite.org/src/vpatch?from=0db20efe201736b3\u0026to=66de6f4a9504ec26", + "https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937", + "https://sqlite.org/src/info/66de6f4a", + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867618", + "https://www.cve.org/CVERecord?id=CVE-2017-10989", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-10989", + "updated": "2019-10-03T00:03:26Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-17T20:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0221.", + "id": "CVE-2022-2862", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.1E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://www.cve.org/CVERecord?id=CVE-2022-2862", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2862", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2862", + "updated": "2023-11-07T03:46:59Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-21T12:15:10Z", + "description": "Heap-based Buffer Overflow in vim/vim prior to 8.2.", + "id": "CVE-2022-0318", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.0090600001 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://security.gentoo.org/glsa/202208-32", + "https://ubuntu.com/security/notices/USN-5433-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0318", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004859", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0318", + "https://access.redhat.com/errata/RHSA-2022:0894", + "https://alas.aws.amazon.com/ALAS-2022-1597.html" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0318", + "updated": "2022-11-29T22:12:23Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.11+dfsg-1ubuntu1.2+esm2", + "installed_version": "pkg:deb/ubuntu/cpio@2.11%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-08-08T00:15:07Z", + "description": "GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.", + "id": "CVE-2021-38185", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0024999999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:08:00Z" + }, + "references": [ + "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00000.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00007.html", + "https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b", + "https://lists.gnu.org/archive/html/bug-cpio/2021-08/msg00002.html", + "https://ubuntu.com/security/notices/USN-5064-1", + "https://www.cve.org/CVERecord?id=CVE-2021-38185", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-021.html", + "https://ubuntu.com/security/notices/USN-5064-3", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992045", + "https://ubuntu.com/security/notices/USN-5064-2", + "https://access.redhat.com/errata/RHSA-2022:1991", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1972.html" + ], + "related": [ + "USN-5064-3" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-38185", + "updated": "2023-06-04T22:15:22Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm6", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm6", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-10-23T17:15:12Z", + "description": "An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.", + "id": "CVE-2019-18348", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 74 + ], + "epss": 0.00284 + }, + "references": [ + "https://usn.ubuntu.com/4333-2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://bugzilla.redhat.com/show_bug.cgi?id=1727276", + "https://usn.ubuntu.com/4333-1/", + "https://bugs.python.org/issue30458", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://ubuntu.com/security/notices/USN-4333-1", + "https://ubuntu.com/security/notices/USN-4333-2", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-18348", + "https://access.redhat.com/errata/RHSA-2020:4285", + "https://access.redhat.com/errata/RHSA-2020:4273", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2019-18348" + ], + "related": [ + "USN-4333-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-18348", + "updated": "2023-11-07T03:06:25Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-10-26T20:15:10Z", + "description": "A vulnerability was found in vim and classified as problematic. Affected by this issue is the function qf_update_buffer of the file quickfix.c of the component autocmd Handler. The manipulation leads to use after free. The attack may be launched remotely. Upgrading to version 9.0.0805 is able to address this issue. The name of the patch is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-212324.", + "id": "CVE-2022-3705", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119, + 416 + ], + "epss": 0.00452, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JYEK5RNMH7MVQH6RPBKLSCCA6NMIKHDV/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JCW33NOLMELTTTDJH7WGDIFJZ5YEEMK/", + "https://support.apple.com/kb/HT213605", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3705", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1902.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3705", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://alas.aws.amazon.com/ALAS-2023-1663.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3705", + "updated": "2023-11-07T03:51:39Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm2", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm2", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm2", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-11-22T22:29:00Z", + "description": "Stack-based buffer overflow in the _nc_write_entry function in tinfo/write_entry.c in ncurses 6.0 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted terminfo file, as demonstrated by tic.", + "id": "CVE-2017-16879", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00364 + }, + "references": [ + "https://tools.cisco.com/security/center/viewAlert.x?alertId=57695", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882620", + "https://ubuntu.com/security/notices/USN-5477-1", + "https://www.cve.org/CVERecord?id=CVE-2017-16879" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-16879", + "updated": "2023-11-07T02:40:56Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.", + "id": "CVE-2017-13731", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0022400001 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1484285", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://www.cve.org/CVERecord?id=CVE-2017-13731" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13731", + "updated": "2023-11-07T02:38:41Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm1", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2019-09-10T17:15:11Z", + "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "id": "CVE-2019-1547", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 5.0E-4 + }, + "references": [ + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://seclists.org/bugtraq/2019/Oct/0", + "https://seclists.org/bugtraq/2019/Oct/1", + "https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://www.debian.org/security/2019/dsa-4540", + "https://security.gentoo.org/glsa/201911-04", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/", + "https://www.openssl.org/news/secadv/20190910.txt", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://usn.ubuntu.com/4504-1/", + "https://usn.ubuntu.com/4376-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.debian.org/security/2019/dsa-4539", + "https://arxiv.org/abs/1909.01785", + "https://usn.ubuntu.com/4376-2/", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1456.html", + "https://access.redhat.com/errata/RHSA-2020:1840", + "https://www.cve.org/CVERecord?id=CVE-2019-1547", + "https://ubuntu.com/security/notices/USN-4376-2", + "https://ubuntu.com/security/notices/USN-4376-1", + "https://ubuntu.com/security/notices/USN-4504-1", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2020:1336", + "https://access.redhat.com/errata/RHSA-2020:1337" + ], + "related": [ + "USN-4376-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-1547", + "updated": "2023-11-07T03:08:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "id": "CVE-2022-22823", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0099099996, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22823", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://www.cve.org/CVERecord?id=CVE-2022-22823" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-22823", + "updated": "2022-10-06T14:47:42Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-03-08T21:29:00Z", + "description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "id": "CVE-2019-9636", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0072400002, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://access.redhat.com/errata/RHBA-2019:0763", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://access.redhat.com/errata/RHSA-2019:2980", + "https://bugs.python.org/issue36216", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/", + "https://access.redhat.com/errata/RHSA-2019:0981", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://access.redhat.com/errata/RHSA-2019:3170", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/", + "https://usn.ubuntu.com/4127-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/", + "https://access.redhat.com/errata/RHSA-2019:0710", + "https://access.redhat.com/errata/RHSA-2019:0997", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", + "https://access.redhat.com/errata/RHBA-2019:0764", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/", + "https://access.redhat.com/errata/RHSA-2019:1467", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/", + "https://usn.ubuntu.com/4127-2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://access.redhat.com/errata/RHSA-2019:0806", + "https://security.gentoo.org/glsa/202003-26", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://access.redhat.com/errata/RHBA-2019:0959", + "https://access.redhat.com/errata/RHSA-2019:0765", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://access.redhat.com/errata/RHSA-2019:0902", + "https://alas.aws.amazon.com/ALAS-2019-1324.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924072", + "https://alas.aws.amazon.com/ALAS-2019-1243.html", + "https://alas.aws.amazon.com/ALAS-2019-1230.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1204.html", + "https://alas.aws.amazon.com/ALAS-2019-1204.html", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://ubuntu.com/security/notices/USN-4127-1", + "https://alas.aws.amazon.com/ALAS-2019-1202.html", + "https://www.cve.org/CVERecord?id=CVE-2019-9636" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9636", + "updated": "2023-11-07T03:13:44Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.42.9-3ubuntu1.3+esm3", + "installed_version": "pkg:deb/ubuntu/libss2@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=e2fsprogs" + }, + { + "fixed_version": "0:1.42.9-3ubuntu1.3+esm3", + "installed_version": "pkg:deb/ubuntu/e2fsprogs@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-04-14T21:15:08Z", + "description": "An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.", + "id": "CVE-2022-1304", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 787 + ], + "epss": 6.5E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:06:17Z" + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2069726", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010263", + "https://access.redhat.com/errata/RHSA-2022:7720", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1884.html", + "https://ubuntu.com/security/notices/USN-5464-1", + "https://access.redhat.com/errata/RHSA-2022:8361", + "https://www.cve.org/CVERecord?id=CVE-2022-1304", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1304", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-044.html" + ], + "related": [ + "USN-5464-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1304", + "updated": "2023-11-07T03:41:53Z" + }, + { + "affects": [ + { + "fixed_version": "1:8.31-2ubuntu2.3+esm1", + "installed_version": "pkg:deb/ubuntu/libpcre3@8.31-2ubuntu2.3?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=pcre3" + } + ], + "created": "2020-06-15T17:15:09Z", + "description": "libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.", + "id": "CVE-2019-20838", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0102599999 + }, + "references": [ + "https://support.apple.com/kb/HT212147", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@\u003cdev.mina.apache.org\u003e", + "https://bugs.gentoo.org/717920", + "https://support.apple.com/kb/HT211931", + "https://www.pcre.org/original/changelog.txt", + "https://access.redhat.com/errata/RHSA-2021:4614", + "https://access.redhat.com/errata/RHSA-2021:4373", + "https://www.cve.org/CVERecord?id=CVE-2019-20838", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:4613", + "https://ubuntu.com/security/notices/USN-5425-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20838" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-20838", + "updated": "2024-03-27T16:05:46Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libasn1-8-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5-3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5support0@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libk5crypto3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libgssapi-krb5-2@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libhx509-5-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2022-12-25T06:15:09Z", + "description": "PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has \"a similar bug.\"", + "id": "CVE-2022-42898", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0049100001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:06:17Z" + }, + "references": [ + "https://web.mit.edu/kerberos/krb5-1.19/", + "https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt", + "https://bugzilla.samba.org/show_bug.cgi?id=15203", + "https://web.mit.edu/kerberos/advisories/", + "https://security.gentoo.org/glsa/202310-06", + "https://www.samba.org/samba/security/CVE-2022-42898.html", + "https://security.gentoo.org/glsa/202309-06", + "https://access.redhat.com/errata/RHEA-2023:3850", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187", + "https://ubuntu.com/security/notices/USN-5936-1", + "https://access.redhat.com/errata/RHSA-2022:8640", + "https://access.redhat.com/errata/RHSA-2022:8662", + "https://access.redhat.com/errata/RHSA-2022:8663", + "https://access.redhat.com/errata/RHSA-2022:8641", + "https://access.redhat.com/errata/RHSA-2022:8669", + "https://access.redhat.com/errata/RHSA-2022:9029", + "https://ubuntu.com/security/notices/USN-5800-1", + "https://ubuntu.com/security/notices/USN-5828-1", + "https://www.cve.org/CVERecord?id=CVE-2022-42898", + "https://access.redhat.com/errata/RHSA-2022:8639", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42898", + "https://ubuntu.com/security/notices/USN-5822-1", + "https://access.redhat.com/errata/RHSA-2022:8648", + "https://access.redhat.com/errata/RHSA-2022:8637", + "https://ubuntu.com/security/notices/USN-5822-2", + "https://access.redhat.com/errata/RHSA-2022:8638", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1915.html", + "https://alas.aws.amazon.com/ALAS-2023-1667.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-103.html", + "https://alas.aws.amazon.com/ALAS-2023-1680.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-42898", + "updated": "2023-10-08T09:15:10Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "11-11" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "apt-get layer caching: Using apt-get update alone in a RUN statement causes caching issues and subsequent apt-get install instructions to fail.", + "id": "IN-DOCKER-001", + "properties": {}, + "references": [ + "https://docs.docker.com/develop/develop-images/instructions/" + ], + "severity": "info", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-10T14:15:08Z", + "description": "Heap buffer overflow in vim_strncpy find_word in GitHub repository vim/vim prior to 8.2.4919. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution", + "id": "CVE-2022-1621", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00355, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-19T02:51:19Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", + "https://security.gentoo.org/glsa/202208-32", + "https://www.cve.org/CVERecord?id=CVE-2022-1621", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1621", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://access.redhat.com/errata/RHSA-2022:5319", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://access.redhat.com/errata/RHSA-2022:5242", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1621", + "updated": "2023-11-07T03:42:03Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.42.9-3ubuntu1.3+esm2", + "installed_version": "pkg:deb/ubuntu/e2fsprogs@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.42.9-3ubuntu1.3+esm2", + "installed_version": "pkg:deb/ubuntu/libss2@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=e2fsprogs" + } + ], + "created": "2020-01-08T16:15:11Z", + "description": "A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "id": "CVE-2019-5188", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 6.5E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-09T07:51:00Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00021.html", + "https://lists.debian.org/debian-lts-announce/2020/03/msg00030.html", + "https://usn.ubuntu.com/4249-1/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508", + "https://alas.aws.amazon.com/ALAS-2021-1458.html", + "https://www.cve.org/CVERecord?id=CVE-2019-5188", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1509.html", + "https://access.redhat.com/errata/RHSA-2020:4011", + "https://access.redhat.com/errata/RHSA-2020:1913", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-5188", + "https://ubuntu.com/security/notices/USN-4249-1" + ], + "related": [ + "USN-4249-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-5188", + "updated": "2023-11-07T03:11:27Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm4", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2020-05-28T14:15:11Z", + "description": "In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).", + "id": "CVE-2019-20807", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 78 + ], + "epss": 4.8E-4 + }, + "references": [ + "https://support.apple.com/kb/HT211289", + "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html", + "https://usn.ubuntu.com/4582-1/", + "https://ubuntu.com/security/notices/USN-4582-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20807", + "https://www.cve.org/CVERecord?id=CVE-2019-20807", + "https://access.redhat.com/errata/RHSA-2020:4453", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5147-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-20807", + "updated": "2022-09-01T15:14:44Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm3", + "installed_version": "pkg:deb/ubuntu/dbus@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm3", + "installed_version": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=dbus" + } + ], + "created": "2022-10-10T00:15:09Z", + "description": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.", + "id": "CVE-2022-42011", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 129 + ], + "epss": 0.00176 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQCSLMCK2XGX23R2DKW2MSAICQAK6MT2/", + "https://security.gentoo.org/glsa/202305-08", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4CO7N226I3X5FNBR2MACCH6TS764VJP/", + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/413", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ND74SKN56BCYL3QLEAAB6E64UUBRA5UG/", + "https://ubuntu.com/security/notices/USN-5704-1", + "https://access.redhat.com/errata/RHSA-2022:8812", + "https://access.redhat.com/errata/RHSA-2022:8977", + "https://access.redhat.com/errata/RHSA-2023:0335", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-100.html", + "https://www.cve.org/CVERecord?id=CVE-2022-42011", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2023-1730.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2006.html", + "https://access.redhat.com/errata/RHSA-2023:0096", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42011" + ], + "related": [ + "USN-5704-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-42011", + "updated": "2023-12-27T16:49:50Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "8-8" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: Dockerhub Personal Access Token.", + "id": "IN-DOCKER-007-002", + "properties": {}, + "references": [ + "https://docs.docker.com/security/for-developers/access-tokens/" + ], + "severity": "critical", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm6", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm6", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.", + "id": "CVE-2020-8285", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 674 + ], + "epss": 0.0071 + }, + "references": [ + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://support.apple.com/kb/HT212325", + "https://www.debian.org/security/2021/dsa-4881", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html", + "https://support.apple.com/kb/HT212327", + "https://security.gentoo.org/glsa/202012-14", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/", + "https://support.apple.com/kb/HT212326", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/", + "https://hackerone.com/reports/1045844", + "https://www.cve.org/CVERecord?id=CVE-2020-8285", + "https://access.redhat.com/errata/RHSA-2021:2471", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1693.html", + "https://ubuntu.com/security/notices/USN-4665-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977162", + "https://ubuntu.com/security/notices/USN-4665-1", + "https://access.redhat.com/errata/RHSA-2021:2472", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8285", + "https://access.redhat.com/errata/RHSA-2021:1610" + ], + "related": [ + "USN-4665-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285", + "updated": "2024-03-27T15:47:57Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2019-10-14T21:15:11Z", + "description": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "id": "CVE-2019-17595", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00151 + }, + "references": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html", + "https://security.gentoo.org/glsa/202101-28", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401", + "https://ubuntu.com/security/notices/USN-5477-1", + "https://ubuntu.com/security/notices/USN-6099-1", + "https://www.cve.org/CVERecord?id=CVE-2019-17595", + "https://access.redhat.com/errata/RHSA-2021:4426", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2412.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595", + "updated": "2021-02-08T20:52:19Z" + }, + { + "affects": [ + { + "fixed_version": "0:204-5ubuntu20.31+esm2", + "installed_version": "pkg:deb/ubuntu/systemd@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:204-5ubuntu20.31+esm2", + "installed_version": "pkg:deb/ubuntu/libudev1@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=systemd" + } + ], + "created": "2022-11-08T22:15:16Z", + "description": "An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.", + "id": "CVE-2022-3821", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 193 + ], + "epss": 4.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:52:33Z" + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2139327", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P/", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html", + "https://security.gentoo.org/glsa/202305-15", + "https://access.redhat.com/errata/RHSA-2023:0100", + "https://access.redhat.com/security/cve/CVE-2022-3821", + "https://www.cve.org/CVERecord?id=CVE-2022-3821", + "https://access.redhat.com/errata/RHSA-2023:0336", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3821", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5928-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1899.html", + "https://access.redhat.com/errata/RHSA-2024:1105" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3821", + "updated": "2023-11-07T03:51:50Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.18.2-2ubuntu1.7+esm5", + "installed_version": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2023-04-29T00:15:09Z", + "description": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", + "id": "CVE-2023-31484", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 295 + ], + "epss": 0.0025299999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T08:35:38Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", + "https://metacpan.org/dist/CPAN/changes", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2034.html", + "https://access.redhat.com/errata/RHSA-2023:6539", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-178.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-182.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035109", + "https://ubuntu.com/security/notices/USN-6112-1", + "https://ubuntu.com/security/notices/USN-6112-2", + "https://www.cve.org/CVERecord?id=CVE-2023-31484", + "https://alas.aws.amazon.com/ALAS-2023-1751.html" + ], + "related": [ + "USN-6112-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-31484", + "updated": "2023-11-07T04:14:19Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm3", + "installed_version": "pkg:deb/ubuntu/libpam-modules@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + }, + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm3", + "installed_version": "pkg:deb/ubuntu/libpam0g@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + }, + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm3", + "installed_version": "pkg:deb/ubuntu/libpam-runtime@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + }, + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm3", + "installed_version": "pkg:deb/ubuntu/libpam-modules-bin@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + } + ], + "created": "2022-09-19T22:15:10Z", + "description": "The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.", + "id": "CVE-2022-28321", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 287 + ], + "epss": 0.0022, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-05T08:27:57Z" + }, + "references": [ + "https://www.suse.com/security/cve/CVE-2022-28321.html", + "https://bugzilla.suse.com/show_bug.cgi?id=1197654", + "https://ubuntu.com/security/notices/USN-5825-1", + "https://ubuntu.com/security/notices/USN-5825-2", + "https://www.cve.org/CVERecord?id=CVE-2022-28321", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-5825-2", + "USN-5825-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-28321", + "updated": "2023-08-08T14:21:49Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm2", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2021-02-16T17:15:13Z", + "description": "The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).", + "id": "CVE-2021-23841", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.00416, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T19:45:29Z" + }, + "references": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://support.apple.com/kb/HT212534", + "https://security.gentoo.org/glsa/202103-03", + "https://www.openssl.org/news/secadv/20210216.txt", + "https://support.apple.com/kb/HT212529", + "https://support.apple.com/kb/HT212528", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8252ee4d90f3f2004d3d0aeeed003ad49c9a7807", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.debian.org/security/2021/dsa-4855", + "https://access.redhat.com/errata/RHSA-2021:4198", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://access.redhat.com/errata/RHSA-2021:4614", + "https://alas.aws.amazon.com/ALAS-2021-1482.html", + "https://www.cve.org/CVERecord?id=CVE-2021-23841", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1612.html", + "https://ubuntu.com/security/notices/USN-4738-1", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1608.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://access.redhat.com/errata/RHSA-2021:4861", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:4613", + "https://access.redhat.com/errata/RHSA-2021:3798", + "https://access.redhat.com/errata/RHSA-2021:4424", + "https://access.redhat.com/errata/RHSA-2021:3016", + "https://access.redhat.com/errata/RHSA-2021:1168", + "https://access.redhat.com/errata/RHSA-2021:4863" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-23841", + "updated": "2023-11-07T03:30:55Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-10-31T21:15:13Z", + "description": "An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.", + "id": "CVE-2019-5010", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0184499994 + }, + "references": [ + "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@\u003cissues.bookkeeper.apache.org\u003e", + "https://security.gentoo.org/glsa/202003-26", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://alas.aws.amazon.com/ALAS-2019-1169.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1169.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1230.html", + "https://access.redhat.com/errata/RHBA-2020:0547", + "https://www.cve.org/CVERecord?id=CVE-2019-5010", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921040", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://ubuntu.com/security/notices/USN-4127-1", + "https://access.redhat.com/errata/RHSA-2019:2030" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-5010", + "updated": "2023-11-07T03:11:24Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-27T12:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2207", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 0.00131 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5516-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2207", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2207" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2207", + "updated": "2023-11-07T03:46:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:08Z", + "description": "Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit `25aabc2b` which has been included in release version 9.0.2106. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48231", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 7.1E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://www.cve.org/CVERecord?id=CVE-2023-48231", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2024-1902.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48231", + "updated": "2023-12-28T17:39:29Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-25T20:15:09Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0259.", + "id": "CVE-2022-2980", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 9.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T08:19:30Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2980", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2980", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2980", + "updated": "2023-11-07T03:47:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-18T20:15:08Z", + "description": "Uncontrolled Recursion in GitHub repository vim/vim prior to 8.2.4975.", + "id": "CVE-2022-1771", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 674 + ], + "epss": 9.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-1771", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1771", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "related": [ + "USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1771", + "updated": "2023-05-03T12:15:29Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-29T12:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0614.", + "id": "CVE-2022-3352", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.0E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T09:06:37Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://www.cve.org/CVERecord?id=CVE-2022-3352", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6420-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3352", + "updated": "2023-11-07T03:51:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.", + "id": "CVE-2017-13728", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 835 + ], + "epss": 0.00563 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1484274", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723", + "https://www.cve.org/CVERecord?id=CVE-2017-13728", + "https://ubuntu.com/security/notices/USN-5448-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13728", + "updated": "2023-11-07T02:38:41Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-25T19:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0579.", + "id": "CVE-2022-3297", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00124, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T08:54:37Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3297", + "https://www.cve.org/CVERecord?id=CVE-2022-3297", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6420-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3297", + "updated": "2023-11-07T03:51:04Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-01-21T15:15:10Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.", + "id": "CVE-2023-0433", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 8.0E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T09:41:43Z" + }, + "references": [ + "https://support.apple.com/kb/HT213675", + "https://support.apple.com/kb/HT213677", + "https://support.apple.com/kb/HT213670", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EX6N2DB75A73MQGVW3CS4VTNPAYVM2M/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/", + "https://ubuntu.com/security/notices/USN-5836-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0433", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://alas.aws.amazon.com/ALAS-2023-1703.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0433" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0433", + "updated": "2023-11-07T04:00:28Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm10", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm10", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-04-29T22:15:09Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.", + "id": "CVE-2023-2426", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 823 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T13:35:50Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCLJN4QINITA3ZASKLEJ64C5TFNKELMO/", + "https://support.apple.com/kb/HT213844", + "https://support.apple.com/kb/HT213845", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LOJP6M7ZTKZQYOGVOOAY6TIE6ACBJL55/", + "https://ubuntu.com/security/notices/USN-6154-1", + "https://www.cve.org/CVERecord?id=CVE-2023-2426", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035323" + ], + "related": [ + "USN-6154-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-2426", + "updated": "2023-12-23T07:15:49Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-06T04:15:07Z", + "description": "In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.", + "id": "CVE-2021-46143", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00127 + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-46143", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2021-46143", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-46143", + "updated": "2022-10-06T19:11:54Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm3", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-09-06T12:15:08Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "id": "CVE-2021-3770", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 7.0E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2023-12-04T21:11:48Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2CJLY3CF55I2ULG2X4ENXLSXAXYW5J4/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4FFQARG3LGREPDZRI4C7ERQL3RJKEWQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNTMVZCN4TRTTCAXRLVQ7H2P7FYAIZQ/", + "https://www.cve.org/CVERecord?id=CVE-2021-3770", + "https://ubuntu.com/security/notices/USN-5093-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3770", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994076" + ], + "related": [ + "USN-5093-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3770", + "updated": "2023-11-07T03:38:15Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-19T13:15:07Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.4977.", + "id": "CVE-2022-1785", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 5.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://security.gentoo.org/glsa/202208-32", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1785", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://access.redhat.com/errata/RHSA-2022:5942", + "https://access.redhat.com/errata/RHSA-2022:5813", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1785" + ], + "related": [ + "USN-5995-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1785", + "updated": "2023-05-03T12:15:30Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm14", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm14", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2021-06-11T16:15:11Z", + "description": "curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.", + "id": "CVE-2021-22898", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 3.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "NVD" + }, + { + "cvss_3_base_score": 3.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 909, + 200 + ], + "epss": 0.0020099999 + }, + "references": [ + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@\u003cissues.guacamole.apache.org\u003e", + "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", + "https://hackerone.com/reports/1176461", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html", + "https://www.debian.org/security/2022/dsa-5197", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POOC3UV7V6L4CJ5KA2PTWTNUV5Y72T3Q/", + "https://www.cve.org/CVERecord?id=CVE-2021-22898", + "https://alas.aws.amazon.com/ALAS-2021-1509.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1700.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1653.html", + "https://ubuntu.com/security/notices/USN-5021-2", + "https://ubuntu.com/security/notices/USN-5021-1", + "https://ubuntu.com/security/notices/USN-5894-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22898", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989228", + "https://access.redhat.com/errata/RHSA-2021:4511" + ], + "related": [ + "USN-5894-1" + ], + "severity": "low", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-22898", + "updated": "2024-03-27T15:47:36Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm5", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm5", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.", + "id": "CVE-2020-8231", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.0026499999 + }, + "references": [ + "https://hackerone.com/reports/948876", + "https://www.debian.org/security/2021/dsa-4881", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://security.gentoo.org/glsa/202012-14", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://alas.aws.amazon.com/ALAS-2020-1444.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968831", + "https://www.cve.org/CVERecord?id=CVE-2020-8231", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1693.html", + "https://ubuntu.com/security/notices/USN-4466-2", + "https://ubuntu.com/security/notices/USN-4466-1", + "https://ubuntu.com/security/notices/USN-4665-1", + "https://access.redhat.com/errata/RHSA-2021:1610", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8231" + ], + "related": [ + "USN-4466-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-8231", + "updated": "2024-03-27T16:04:17Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm14", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm14", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2021-08-05T21:15:11Z", + "description": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.", + "id": "CVE-2021-22925", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 908, + 200 + ], + "epss": 0.00296 + }, + "references": [ + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://security.gentoo.org/glsa/202212-01", + "https://hackerone.com/reports/1223882", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRUCW2UVNYUDZF72DQLFQR4PJEC6CF7V/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://support.apple.com/kb/HT212805", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://support.apple.com/kb/HT212804", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1700.html", + "https://ubuntu.com/security/notices/USN-5021-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5021-1", + "https://ubuntu.com/security/notices/USN-5894-1", + "https://www.cve.org/CVERecord?id=CVE-2021-22925", + "https://access.redhat.com/errata/RHSA-2021:4511" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-22925", + "updated": "2024-03-27T15:11:42Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-08-07T13:15:12Z", + "description": "Divide By Zero in vim/vim from 9.0.1367-1 to 9.0.1367-3\n", + "id": "CVE-2023-3896", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 369 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3896", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://www.cve.org/CVERecord?id=CVE-2023-3896" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-3896", + "updated": "2023-08-31T19:15:11Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-01T15:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0101.", + "id": "CVE-2022-2571", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 7.4E-4 + }, + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2571", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2571", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2571", + "updated": "2022-08-04T23:31:14Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-22T20:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.4436.", + "id": "CVE-2022-0714", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 7.4E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0714", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0714", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5460-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0714", + "updated": "2023-11-07T03:41:31Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm6", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-01-26T21:15:12Z", + "description": "Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via \"sudoedit -s\" and a command-line argument that ends with a single backslash character.", + "id": "CVE-2021-3156", + "properties": { + "cisa_kev_date_added": "2022-04-06T00:00:00Z", + "cisa_kev_date_due": "2022-04-27T00:00:00Z", + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 193 + ], + "epss": 0.9695199728, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T23:29:00Z" + }, + "references": [ + "https://support.apple.com/kb/HT212177", + "https://security.gentoo.org/glsa/202101-33", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CALA5FTXIQBRRYUA2ZQNJXB6OQMAXEII/", + "https://www.kb.cert.org/vuls/id/794544", + "https://www.debian.org/security/2021/dsa-4839", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://lists.debian.org/debian-lts-announce/2021/01/msg00022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LHXK6ICO5AYLGFK2TAX5MZKUXTUKWOJY/", + "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sudo-privesc-jan2021-qnYQfcM", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10348", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1590.html", + "https://alas.aws.amazon.com/ALAS-2021-1478.html", + "https://access.redhat.com/errata/RHSA-2021:0227", + "https://access.redhat.com/errata/RHSA-2021:0225", + "https://access.redhat.com/errata/RHSA-2021:0401", + "https://www.cve.org/CVERecord?id=CVE-2021-3156", + "https://access.redhat.com/errata/RHSA-2021:0226", + "https://access.redhat.com/errata/RHSA-2021:0218", + "https://ubuntu.com/security/notices/USN-4705-1", + "https://access.redhat.com/errata/RHSA-2021:0219", + "https://ubuntu.com/security/notices/USN-4705-2", + "https://access.redhat.com/errata/RHSA-2021:0395", + "https://access.redhat.com/errata/RHSA-2021:0220", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:0223", + "https://access.redhat.com/errata/RHSA-2021:0224", + "https://access.redhat.com/errata/RHSA-2021:0221", + "https://access.redhat.com/errata/RHSA-2021:0222" + ], + "related": [ + "USN-4705-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3156", + "updated": "2024-02-04T09:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1ubuntu2.24+esm3", + "installed_version": "pkg:deb/ubuntu/apt@1.0.1ubuntu2.24?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-12-10T04:15:11Z", + "description": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;", + "id": "CVE-2020-27350", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 4.8E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-15T20:18:49Z" + }, + "references": [ + "https://bugs.launchpad.net/bugs/1899193", + "https://usn.ubuntu.com/usn/usn-4667-1", + "https://www.debian.org/security/2020/dsa-4808", + "https://ubuntu.com/security/notices/USN-4667-1", + "https://ubuntu.com/security/notices/USN-4667-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2020-27350" + ], + "related": [ + "USN-4667-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-27350", + "updated": "2022-10-29T02:41:36Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-19T13:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0225.", + "id": "CVE-2022-2889", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.1E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2889", + "https://ubuntu.com/security/notices/USN-6302-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2889" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2889", + "updated": "2023-11-07T03:47:02Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2017-02-27T07:59:00Z", + "description": "An integer overflow at an unserialize_uep memory allocation site would occur for vim before patch 8.0.0378, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.", + "id": "CVE-2017-6350", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0093900003 + }, + "references": [ + "https://usn.ubuntu.com/4309-1/", + "https://security.gentoo.org/glsa/201706-26", + "https://groups.google.com/forum/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856266", + "https://www.cve.org/CVERecord?id=CVE-2017-6350", + "https://ubuntu.com/security/notices/USN-4309-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-6350", + "updated": "2023-11-07T02:49:54Z" + }, + { + "affects": [ + { + "name": "Ubuntu", + "version": "14.04" + } + ], + "created": "2024-04-08T15:09:42Z", + "description": "Discontinued Operating System: This resource relies on an operating system that was discontinued and is no longer actively supported or maintained by the original developer or a trusted proxy for the original developer. Amazon Inspector previously provided full support for this operating system and will continue to scan impacted resources. However, any findings Amazon Inspector generates for a discontinued operating system are for informational purposes only.", + "id": "IN-DISCONTINUED-001", + "properties": { + "cwes": [ + 1104 + ] + }, + "references": [ + "https://docs.aws.amazon.com/inspector/latest/user/supported.html" + ], + "severity": "critical", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-04-08T15:09:42Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-25T20:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0260.", + "id": "CVE-2022-2982", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T08:20:29Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2982", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2982", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2982", + "updated": "2023-11-07T03:47:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm3", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-09-15T08:15:06Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "id": "CVE-2021-3778", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.001 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/", + "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE62UMYBZE4AE53K6OBBWK32XQ7544QM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/", + "https://access.redhat.com/errata/RHSA-2021:4517", + "https://ubuntu.com/security/notices/USN-5093-1", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1728.html", + "https://www.cve.org/CVERecord?id=CVE-2021-3778", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994498", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3778" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3778", + "updated": "2023-11-07T03:38:15Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2021-10-12T18:15:08Z", + "description": "A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.", + "id": "CVE-2021-3671", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0052499999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T12:42:44Z" + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2013080,", + "https://bugzilla.samba.org/show_bug.cgi?id=14770,", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html", + "https://www.debian.org/security/2022/dsa-5287", + "https://www.cve.org/CVERecord?id=CVE-2021-3671", + "https://ubuntu.com/security/notices/USN-5174-1", + "https://ubuntu.com/security/notices/USN-5675-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=996586", + "https://ubuntu.com/security/notices/USN-5142-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3671", + "updated": "2023-11-07T03:38:11Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-05T19:15:49Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.", + "id": "CVE-2023-4781", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213984", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4781", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4781", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/ALAS-2023-1826.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4781", + "updated": "2024-02-01T17:57:10Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm4", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2017-12-01T08:29:00Z", + "description": "fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.", + "id": "CVE-2017-17087", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 668 + ], + "epss": 4.2E-4 + }, + "references": [ + "https://groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJ", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", + "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html", + "https://usn.ubuntu.com/4582-1/", + "https://ubuntu.com/security/notices/USN-4582-1", + "https://www.cve.org/CVERecord?id=CVE-2017-17087", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5147-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-17087", + "updated": "2022-02-20T05:58:55Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm7", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + }, + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm7", + "installed_version": "pkg:deb/ubuntu/expat@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-10-24T14:15:53Z", + "description": "In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.", + "id": "CVE-2022-43680", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.0048699998, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T13:23:29Z" + }, + "references": [ + "https://www.debian.org/security/2022/dsa-5266", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5XOOB7CD55CEE6OJYKSACSIMQ4RWQ6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BY4OPSIB33ETNUXZY2UPZ4NGQ3OKDY4D/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPQVIF6TOJNY2T3ZZETFKR4G34FFREBQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUJ2BULJTZ2BMSKQHB6US674P55UCWWS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJ5VY2VYXE4WTRGQ6LMGLF6FV3SY37YE/", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFCOMBSOJKLIKCGCJWHLJXO4EVYBG7AR/", + "https://security.gentoo.org/glsa/202210-38", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-43680", + "https://access.redhat.com/errata/RHSA-2023:3355", + "https://access.redhat.com/errata/RHSA-2023:0103", + "https://alas.aws.amazon.com/ALAS-2022-1655.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:8550", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1885.html", + "https://access.redhat.com/errata/RHSA-2023:0337", + "https://access.redhat.com/errata/RHSA-2022:8554", + "https://access.redhat.com/errata/RHSA-2022:8553", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022743", + "https://access.redhat.com/errata/RHSA-2022:8548", + "https://access.redhat.com/errata/RHSA-2022:8549", + "https://www.cve.org/CVERecord?id=CVE-2022-43680", + "https://access.redhat.com/errata/RHSA-2024:0421", + "https://ubuntu.com/security/notices/USN-5638-2", + "https://ubuntu.com/security/notices/USN-5638-3", + "https://ubuntu.com/security/notices/USN-5638-4" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-43680", + "updated": "2024-01-21T02:08:05Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.3-1ubuntu2+esm1", + "installed_version": "pkg:deb/ubuntu/python-setuptools@3.3-1ubuntu2?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-12-23T00:15:13Z", + "description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", + "id": "CVE-2022-40897", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 1333 + ], + "epss": 0.0045799999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-14T02:32:48Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1979.html", + "https://ubuntu.com/security/notices/USN-5817-1", + "https://www.cve.org/CVERecord?id=CVE-2022-40897", + "https://access.redhat.com/errata/RHSA-2023:0952", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-245.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-40897", + "https://access.redhat.com/errata/RHSA-2023:0835", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-003.html", + "https://access.redhat.com/errata/RHSA-2023:6793", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2196.html", + "https://access.redhat.com/errata/RHSA-2023:7395" + ], + "related": [ + "USN-5817-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897", + "updated": "2023-11-07T03:52:38Z" + }, + { + "affects": [ + { + "fixed_version": "0:204-5ubuntu20.31+esm2", + "installed_version": "pkg:deb/ubuntu/systemd@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:204-5ubuntu20.31+esm2", + "installed_version": "pkg:deb/ubuntu/libudev1@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=systemd" + } + ], + "created": "2023-01-11T15:15:09Z", + "description": "A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.", + "id": "CVE-2022-4415", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 200 + ], + "epss": 4.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:52:33Z" + }, + "references": [ + "https://www.cve.org/CVERecord?id=CVE-2022-4415", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026831", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-025.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-4415", + "https://access.redhat.com/errata/RHSA-2023:0954", + "https://ubuntu.com/security/notices/USN-5928-1", + "https://access.redhat.com/errata/RHSA-2024:1105", + "https://access.redhat.com/errata/RHSA-2023:0837" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-4415", + "updated": "2023-02-02T16:19:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm8", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm8", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2020-09-27T04:15:11Z", + "description": "http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.", + "id": "CVE-2020-26116", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.1999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.1999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 74 + ], + "epss": 0.00306, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QOX7DGMMWWL6POCRYGAUCISOLR2IG3XV/", + "https://usn.ubuntu.com/4581-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BW4GCLQISJCOEGQNIMVUZDQMIY6RR6CC/", + "https://bugs.python.org/issue39603", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HDQ2THWU4GPV4Y5H5WW5PFMSWXL2CRFD/", + "https://security.gentoo.org/glsa/202101-18", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWMAVY4T4257AZHTF2RZJKNJNSJFY24O/", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1670.html", + "https://ubuntu.com/security/notices/USN-4581-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2317.html", + "https://access.redhat.com/errata/RHSA-2020:4299", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1669.html", + "https://alas.aws.amazon.com/ALAS-2020-1454.html", + "https://access.redhat.com/errata/RHSA-2022:5235", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://access.redhat.com/errata/RHSA-2021:1633", + "https://www.cve.org/CVERecord?id=CVE-2020-26116", + "https://access.redhat.com/errata/RHSA-2021:1879", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-26116", + "https://access.redhat.com/errata/RHSA-2021:3366", + "https://access.redhat.com/errata/RHSA-2020:4285", + "https://access.redhat.com/errata/RHSA-2020:4273", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:1761" + ], + "related": [ + "USN-4581-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-26116", + "updated": "2023-11-07T03:20:30Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "2-2" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Weakened Environment Variable: 'NPM_CONFIG_STRICT_SSL' is false, disabling TLS certificate validation when 'npm' makes requests to the Node Package Manager registry via https.", + "id": "IN-DOCKER-006-001", + "properties": {}, + "references": [ + "https://docs.npmjs.com/cli/v10/using-npm/config" + ], + "severity": "high", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-10T14:15:08Z", + "description": "Buffer Over-read in function find_next_quote in GitHub repository vim/vim prior to 8.2.4925. This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution", + "id": "CVE-2022-1629", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 126 + ], + "epss": 0.00266 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", + "https://security.gentoo.org/glsa/202208-32", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1629", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://access.redhat.com/errata/RHSA-2022:5319", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-1629", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://access.redhat.com/errata/RHSA-2022:5242", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1629", + "updated": "2023-11-07T03:42:04Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:08Z", + "description": "Vim is an open source command line text editor. A floating point exception may occur when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. This may happen when a window border is present and when the wrapped line continues on the next physical line directly in the window border because the 'cpo' setting includes the 'n' flag. Only users with non-default settings are affected and the exception should only result in a crash. This issue has been addressed in commit `cb0b99f0` which has been included in release version 9.0.2107. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48232", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 755 + ], + "epss": 0.00101 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://www.cve.org/CVERecord?id=CVE-2023-48232", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48232", + "updated": "2024-01-25T21:37:57Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-01T19:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).", + "id": "CVE-2021-45960", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 682 + ], + "epss": 0.0102199996 + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://bugzilla.mozilla.org/show_bug.cgi?id=1217609", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1788.html", + "https://alas.aws.amazon.com/ALAS-2022-1588.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-45960", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://www.cve.org/CVERecord?id=CVE-2021-45960", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002994" + ], + "related": [ + "USN-5288-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-45960", + "updated": "2022-10-06T19:08:03Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm12", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm12", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2022-09-23T14:15:12Z", + "description": "When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a\"sister site\" to deny service to all siblings.", + "id": "CVE-2022-35252", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "severity": "low", + "source": "NVD" + }, + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 0.0014600001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:25Z" + }, + "references": [ + "https://hackerone.com/reports/1613943", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html", + "https://security.gentoo.org/glsa/202212-01", + "https://support.apple.com/kb/HT213603", + "https://support.apple.com/kb/HT213604", + "https://access.redhat.com/errata/RHSA-2023:2478", + "https://ubuntu.com/security/notices/USN-5587-1", + "https://access.redhat.com/errata/RHSA-2023:2963", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html", + "https://access.redhat.com/errata/RHSA-2024:0428", + "https://www.cve.org/CVERecord?id=CVE-2022-35252", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1875.html", + "https://alas.aws.amazon.com/ALAS-2022-1646.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018831", + "https://access.redhat.com/errata/RHSA-2022:8840", + "https://access.redhat.com/errata/RHSA-2022:8841", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35252" + ], + "related": [ + "USN-5587-1" + ], + "severity": "low", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-35252", + "updated": "2024-03-27T15:00:36Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2019-10-14T21:15:11Z", + "description": "There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.", + "id": "CVE-2019-17594", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 5.5E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202101-28", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401", + "https://ubuntu.com/security/notices/USN-5477-1", + "https://ubuntu.com/security/notices/USN-6099-1", + "https://www.cve.org/CVERecord?id=CVE-2019-17594", + "https://access.redhat.com/errata/RHSA-2021:4426", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2412.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-17594", + "updated": "2021-02-10T15:13:31Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-07-08T17:29:00Z", + "description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", + "id": "CVE-2017-11112", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 0.0023099999 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1464686", + "https://security.gentoo.org/glsa/201804-13", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://www.cve.org/CVERecord?id=CVE-2017-11112", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-11112", + "updated": "2018-10-21T10:29:05Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-03-04T16:15:09Z", + "description": "Incorrect Calculation of Buffer Size in GitHub repository vim/vim prior to 9.0.1378.", + "id": "CVE-2023-1175", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 131 + ], + "epss": 5.6E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T12:28:27Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00015.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-151.html", + "https://www.cve.org/CVERecord?id=CVE-2023-1175", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1175" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-1175", + "updated": "2023-11-07T04:02:44Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-17T19:15:08Z", + "description": "Classic Buffer Overflow in GitHub repository vim/vim prior to 8.2.4969.", + "id": "CVE-2022-1735", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 120 + ], + "epss": 0.00103, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1735", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://www.cve.org/CVERecord?id=CVE-2022-1735" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1735", + "updated": "2023-05-03T12:15:27Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-28T20:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2231", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.00119 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2231", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2231", + "updated": "2023-11-07T03:46:19Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm6", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm6", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2020-01-30T19:15:12Z", + "description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.", + "id": "CVE-2020-8492", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 400 + ], + "epss": 0.0083699999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://usn.ubuntu.com/4333-2/", + "https://usn.ubuntu.com/4333-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5NSAX4SC3V64PGZUPH7PRDLSON34Q5A/", + "https://lists.apache.org/thread.html/rfec113c733162b39633fd86a2d0f34bf42ac35f711b3ec1835c774da@\u003ccommits.cassandra.apache.org\u003e", + "https://bugs.python.org/issue39503", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://security.gentoo.org/glsa/202005-09", + "https://lists.apache.org/thread.html/rdb31a608dd6758c6093fd645aea3fbf022dd25b37109b6aaea5bc0b5@\u003ccommits.cassandra.apache.org\u003e", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UESGYI5XDAHJBATEZN3MHNDUBDH47AS6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WOKDEXLYW5UQ4S7PA7E37IITOC7C56J/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APGWEMYZIY5VHLCSZ3HD67PA5Z2UQFGH/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://access.redhat.com/errata/RHSA-2020:4433", + "https://access.redhat.com/errata/RHSA-2020:4641", + "https://ubuntu.com/security/notices/USN-4333-1", + "https://ubuntu.com/security/notices/USN-5200-1", + "https://www.cve.org/CVERecord?id=CVE-2020-8492", + "https://ubuntu.com/security/notices/USN-4333-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970099", + "https://alas.aws.amazon.com/ALAS-2020-1406.html", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-006.html", + "https://access.redhat.com/errata/RHSA-2020:3888", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1432.html", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1471.html", + "https://access.redhat.com/errata/RHSA-2020:4285", + "https://alas.aws.amazon.com/ALAS-2020-1407.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-8492", + "updated": "2023-11-07T03:26:36Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-06-29T23:29:00Z", + "description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", + "id": "CVE-2017-10684", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0221999995 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1464687", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html", + "https://www.cve.org/CVERecord?id=CVE-2017-10684" + ], + "related": [ + "USN-5448-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-10684", + "updated": "2023-11-07T02:38:06Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-26T19:15:08Z", + "description": "Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.", + "id": "CVE-2022-23990", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00642, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7FF2UH7MPXKTADYSJUAHI2Y5UHBSHUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34NXVL2RZC2YZRV74ZQ3RNFB7WCEUP7D/", + "https://access.redhat.com/errata/RHSA-2022:7811", + "https://www.cve.org/CVERecord?id=CVE-2022-23990", + "https://alas.aws.amazon.com/ALAS-2023-1882.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2280.html", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-23990", + "updated": "2023-11-07T03:44:21Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "4-4" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems.", + "id": "IN-DOCKER-002", + "properties": {}, + "references": [ + "https://docs.docker.com/develop/develop-images/instructions/" + ], + "severity": "info", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-02T18:15:20Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.", + "id": "CVE-2023-4735", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213984", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4735", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/ALAS-2023-1826.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4735", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4735", + "updated": "2023-12-22T17:54:28Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-23T22:15:09Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0552.", + "id": "CVE-2022-3278", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.00119, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T08:48:35Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://www.cve.org/CVERecord?id=CVE-2022-3278", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3278" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3278", + "updated": "2023-11-07T03:51:03Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm11", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm11", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2022-03-04T19:15:08Z", + "description": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.", + "id": "CVE-2021-3737", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 400, + 835 + ], + "epss": 0.01559 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://ubuntu.com/security/CVE-2021-3737", + "https://bugzilla.redhat.com/show_bug.cgi?id=1995162", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://bugs.python.org/issue44022", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3737", + "https://access.redhat.com/errata/RHSA-2021:4160", + "https://ubuntu.com/security/notices/USN-5201-1", + "https://ubuntu.com/security/notices/USN-5200-1", + "https://access.redhat.com/errata/RHSA-2022:1821", + "https://access.redhat.com/errata/RHSA-2022:1986", + "https://access.redhat.com/errata/RHSA-2022:1764", + "https://access.redhat.com/errata/RHSA-2022:1663", + "https://www.cve.org/CVERecord?id=CVE-2021-3737", + "https://ubuntu.com/security/notices/USN-5199-1", + "https://alas.aws.amazon.com/ALAS-2022-1593.html", + "https://ubuntu.com/security/notices/USN-5083-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737", + "updated": "2023-11-07T03:38:13Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2019-07-31T15:15:11Z", + "description": "A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.", + "id": "CVE-2018-16860", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 358 + ], + "epss": 0.00285 + }, + "references": [ + "https://seclists.org/bugtraq/2019/Aug/25", + "https://www.samba.org/samba/security/CVE-2018-16860.html", + "https://support.apple.com/HT210353", + "https://seclists.org/bugtraq/2019/Aug/21", + "https://support.apple.com/HT210351", + "https://seclists.org/bugtraq/2019/Aug/23", + "https://seclists.org/bugtraq/2019/Aug/22", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16860", + "https://support.apple.com/HT210348", + "https://security.gentoo.org/glsa/202003-52", + "https://support.apple.com/HT210346", + "https://www.cve.org/CVERecord?id=CVE-2018-16860", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928966", + "https://ubuntu.com/security/notices/USN-5675-1", + "https://ubuntu.com/security/notices/USN-3976-1", + "https://ubuntu.com/security/notices/USN-3976-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-16860", + "updated": "2019-08-14T12:15:11Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. Additions in the malloc() function may result in an integer overflow and a subsequent heap buffer overflow.", + "id": "CVE-2021-31873", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00654 + }, + "references": [ + "https://kernel.org/pub/linux/libs/klibc/2.0/", + "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html", + "https://www.cve.org/CVERecord?id=CVE-2021-31873", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505", + "https://ubuntu.com/security/notices/USN-5379-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31873", + "updated": "2023-11-07T22:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm4", + "installed_version": "pkg:deb/ubuntu/libpam-runtime@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + }, + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm4", + "installed_version": "pkg:deb/ubuntu/libpam-modules-bin@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + }, + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm4", + "installed_version": "pkg:deb/ubuntu/libpam0g@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + }, + { + "fixed_version": "0:1.1.8-1ubuntu2.2+esm4", + "installed_version": "pkg:deb/ubuntu/libpam-modules@1.1.8-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=pam" + } + ], + "created": "2024-02-06T08:15:52Z", + "description": "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.", + "id": "CVE-2024-22365", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:21:49Z" + }, + "references": [ + "https://www.cve.org/CVERecord?id=CVE-2024-22365", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2435.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-502.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061097", + "https://ubuntu.com/security/notices/USN-6588-1", + "https://access.redhat.com/errata/RHSA-2024:2438", + "https://ubuntu.com/security/notices/USN-6588-2" + ], + "related": [ + "USN-6588-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-22365", + "updated": "2024-02-14T00:27:40Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2017-05-23T04:29:01Z", + "description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.", + "id": "CVE-2016-9841", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0116100004, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T07:53:46Z" + }, + "references": [ + "https://support.apple.com/HT208112", + "https://support.apple.com/HT208113", + "https://support.apple.com/HT208115", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html", + "https://wiki.mozilla.org/images/0/09/Zlib-report.pdf", + "https://security.gentoo.org/glsa/201701-56", + "https://support.apple.com/HT208144", + "https://access.redhat.com/errata/RHSA-2017:3046", + "https://access.redhat.com/errata/RHSA-2017:3453", + "https://access.redhat.com/errata/RHSA-2017:1220", + "https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed", + "https://access.redhat.com/errata/RHSA-2017:1222", + "https://access.redhat.com/errata/RHSA-2017:1221", + "https://usn.ubuntu.com/4292-1/", + "https://access.redhat.com/errata/RHSA-2017:3047", + "https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html", + "https://access.redhat.com/errata/RHSA-2017:2999", + "https://security.gentoo.org/glsa/202007-54", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=1402346", + "https://usn.ubuntu.com/4246-1/", + "https://ubuntu.com/security/notices/USN-4246-1", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847270", + "https://ubuntu.com/security/notices/USN-4292-1", + "https://www.cve.org/CVERecord?id=CVE-2016-9841" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-9841", + "updated": "2023-11-07T02:37:36Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-25T13:15:07Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1851", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00122, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1851", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1851" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1851", + "updated": "2023-11-07T03:42:14Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. An integer overflow in the cpio command may result in a NULL pointer dereference on 64-bit systems.", + "id": "CVE-2021-31871", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0020000001, + "exploit_available": true, + "exploit_last_seen_in_public": "2023-11-27T17:15:44Z" + }, + "references": [ + "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5", + "https://kernel.org/pub/linux/libs/klibc/2.0/", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html", + "https://www.cve.org/CVERecord?id=CVE-2021-31871", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505", + "https://ubuntu.com/security/notices/USN-5379-1" + ], + "related": [ + "USN-5379-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31871", + "updated": "2022-04-19T03:52:40Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-21T14:15:07Z", + "description": "Out-of-bounds Read in vim/vim prior to 8.2.", + "id": "CVE-2022-0319", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 8.6E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T07:15:25Z" + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-0319", + "https://ubuntu.com/security/notices/USN-5458-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0319", + "updated": "2022-11-09T03:32:14Z" + }, + { + "affects": [ + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm4", + "installed_version": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + }, + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm4", + "installed_version": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + } + ], + "created": "2023-12-27T16:15:13Z", + "description": "A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.", + "id": "CVE-2023-4641", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 303, + 287 + ], + "epss": 4.4E-4 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2215945", + "https://access.redhat.com/errata/RHSA-2024:0417", + "https://access.redhat.com/errata/RHSA-2023:6632", + "https://access.redhat.com/errata/RHSA-2023:7112", + "https://access.redhat.com/errata/RHSA-2024:2577", + "https://access.redhat.com/security/cve/CVE-2023-4641", + "https://alas.aws.amazon.com/ALAS-2023-1873.html", + "https://ubuntu.com/security/notices/USN-6640-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-450.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4641", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051062", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2247.html" + ], + "related": [ + "USN-6640-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4641", + "updated": "2024-05-03T16:15:11Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-01-04T16:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.", + "id": "CVE-2023-0049", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 7.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T10:07:58Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3Y752EAVACVC5XY2TMGGOAIU25VQRPDW/", + "https://support.apple.com/kb/HT213670", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T33LLWHLH63XDCO5OME7NWN63RA4U5HF/", + "https://ubuntu.com/security/notices/USN-5836-1", + "https://alas.aws.amazon.com/ALAS-2023-1681.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0049", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://www.cve.org/CVERecord?id=CVE-2023-0049", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1927.html" + ], + "related": [ + "USN-5836-1", + "USN-5963-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0049", + "updated": "2023-11-07T03:59:30Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-12-03T13:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0742.", + "id": "CVE-2022-3491", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 6.2E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3491", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3491", + "updated": "2023-05-03T12:16:25Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-07-08T17:29:00Z", + "description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.", + "id": "CVE-2017-11113", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0022199999 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1464691", + "https://security.gentoo.org/glsa/201804-13", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html", + "https://www.cve.org/CVERecord?id=CVE-2017-11113" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-11113", + "updated": "2019-05-06T15:00:36Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm4", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm4", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-09-06T18:15:15Z", + "description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.", + "id": "CVE-2019-16056", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "epss": 0.00153, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/", + "https://bugs.python.org/issue34155", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QASRD4E2G65GGEHYKVHYCXB2XWAGTNL4/", + "https://access.redhat.com/errata/RHSA-2019:3948", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://usn.ubuntu.com/4151-2/", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QP46PQSUKYPGWTADQ67NOV3BUN6JM34Z/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://usn.ubuntu.com/4151-1/", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDQQ56P7ZZR64XV5DUVWNSNXKKEXUG2J/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", + "https://alas.aws.amazon.com/ALAS-2019-1324.html", + "https://access.redhat.com/errata/RHSA-2020:2520", + "https://access.redhat.com/errata/RHSA-2020:1132", + "https://access.redhat.com/errata/RHBA-2020:1539", + "https://ubuntu.com/security/notices/USN-4151-2", + "https://access.redhat.com/errata/RHSA-2020:1131", + "https://ubuntu.com/security/notices/USN-4151-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940901", + "https://access.redhat.com/errata/RHSA-2020:1605", + "https://access.redhat.com/errata/RHBA-2020:1540", + "https://alas.aws.amazon.com/ALAS-2019-1314.html", + "https://access.redhat.com/errata/RHSA-2020:1764", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1368.html", + "https://www.cve.org/CVERecord?id=CVE-2019-16056" + ], + "related": [ + "USN-4151-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-16056", + "updated": "2023-11-07T03:05:37Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", + "id": "CVE-2017-13732", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0022400001 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1484287", + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://www.cve.org/CVERecord?id=CVE-2017-13732" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13732", + "updated": "2023-11-07T02:38:42Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "The dump_callback function in SQLite 3.20.0 allows remote attackers to cause a denial of service (EXC_BAD_ACCESS and application crash) via a crafted file.", + "id": "CVE-2017-13685", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 0.0062099998 + }, + "references": [ + "https://usn.ubuntu.com/4019-2/", + "https://usn.ubuntu.com/4019-1/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873762", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2", + "https://www.cve.org/CVERecord?id=CVE-2017-13685" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13685", + "updated": "2017-08-31T01:29:01Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm9", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm9", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-09-21T13:07:33Z", + "description": "USN-5079-2 fixed vulnerabilities in curl. One of the fixes introduced a\nregression. This update fixes the problem.\n\nOriginal advisory details:\n\n Patrick Monnerat discovered that curl incorrectly handled upgrades to TLS.\n When receiving certain responses from servers, curl would continue without\n TLS even when the option to require a successful upgrade to TLS was\n specified. (CVE-2021-22946)\n\n Patrick Monnerat discovered that curl incorrectly handled responses\n received before STARTTLS. A remote attacker could possibly use this issue\n to inject responses and intercept communications. (CVE-2021-22947)\n", + "id": "USN-5079-4", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/5079-4" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-19T16:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.4979.", + "id": "CVE-2022-1796", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1796", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1796" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1796", + "updated": "2024-02-15T21:28:57Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-26T12:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0359", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00128 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html", + "https://access.redhat.com/errata/RHSA-2022:0894", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0359", + "https://ubuntu.com/security/notices/USN-5458-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0359" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0359", + "updated": "2022-11-09T18:58:32Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-03-23T18:29:02Z", + "description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.", + "id": "CVE-2019-9948", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 22 + ], + "epss": 0.0046000001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@\u003cissues.bookkeeper.apache.org\u003e", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3335", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00011.html", + "https://usn.ubuntu.com/4127-2/", + "https://seclists.org/bugtraq/2019/Oct/29", + "https://usn.ubuntu.com/4127-1/", + "https://access.redhat.com/errata/RHSA-2019:2030", + "https://security.gentoo.org/glsa/202003-26", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://bugs.python.org/issue35907", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://access.redhat.com/errata/RHSA-2020:1268", + "https://alas.aws.amazon.com/ALAS-2019-1324.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1291.html", + "https://access.redhat.com/errata/RHBA-2020:0547", + "https://access.redhat.com/errata/RHSA-2020:1462", + "https://access.redhat.com/errata/RHSA-2020:1346", + "https://alas.aws.amazon.com/ALAS-2019-1258.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2019-9948", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://ubuntu.com/security/notices/USN-4127-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9948", + "updated": "2023-11-07T03:13:49Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.6-5ubuntu0.1~esm1", + "installed_version": "pkg:deb/ubuntu/bzip2@1.0.6-5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.0.6-5ubuntu0.1~esm1", + "installed_version": "pkg:deb/ubuntu/libbz2-1.0@1.0.6-5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=bzip2" + } + ], + "created": "2016-06-30T17:59:01Z", + "description": "Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.", + "id": "CVE-2016-3189", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0356799997, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:01:21Z" + }, + "references": [ + "https://seclists.org/bugtraq/2019/Aug/4", + "https://lists.apache.org/thread.html/redf17d8ad16140733b25ca402ae825d6dfa9b85f73d9fb3fd0c75d73@\u003cdev.kafka.apache.org\u003e", + "https://usn.ubuntu.com/4038-2/", + "https://security.gentoo.org/glsa/201708-08", + "https://usn.ubuntu.com/4038-1/", + "https://lists.apache.org/thread.html/r5f80cf3ade5bb73410643e885fe6b7bf9f0222daf3533e42c7ae240c@\u003cjira.kafka.apache.org\u003e", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://lists.apache.org/thread.html/r1dc4c9b3bd559301bdb1557245f78b8910146efb1ee534b774c5f6af@\u003cdev.kafka.apache.org\u003e", + "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@\u003cusers.kafka.apache.org\u003e", + "https://lists.apache.org/thread.html/r6e3962fc9f6a79851f70cffdec5759065969cec9c6708b964464b301@\u003cjira.kafka.apache.org\u003e", + "https://lists.apache.org/thread.html/rffebcbeaace56ff1fed7916700d2f414ca1366386fb1293e99b3e31e@\u003cjira.kafka.apache.org\u003e", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html", + "https://lists.apache.org/thread.html/r481cda41fefb03e04c51484ed14421d812e5ce9e0972edff10f37260@\u003cjira.kafka.apache.org\u003e", + "https://lists.apache.org/thread.html/r4ad2ea01354e394b7fa8c78a184b7e1634d51be9bc0e9e4d7e6c9305@\u003cjira.kafka.apache.org\u003e", + "https://seclists.org/bugtraq/2019/Jul/22", + "https://lists.apache.org/thread.html/r19b4a70ac52093115fd71d773a7a4f579599e6275a13cfcf6252c3e3@\u003cjira.kafka.apache.org\u003e", + "https://bugzilla.redhat.com/show_bug.cgi?id=1319648", + "https://lists.apache.org/thread.html/r5f7ac2bd631ccb12ced65b71ff11f94e76d05b22000795e4a7b61203@\u003cjira.kafka.apache.org\u003e", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2016-3189", + "https://ubuntu.com/security/notices/USN-4038-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827744", + "https://www.cve.org/CVERecord?id=CVE-2016-3189", + "https://ubuntu.com/security/notices/USN-4038-2" + ], + "related": [ + "USN-4038-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-3189", + "updated": "2023-11-07T02:32:12Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm16", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm16", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-05-26T21:15:16Z", + "description": "An information disclosure vulnerability exists in curl \u003cv8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.", + "id": "CVE-2023-28322", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "NVD" + }, + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 200 + ], + "epss": 0.00108, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-14T15:14:50Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html", + "https://support.apple.com/kb/HT213843", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/", + "https://support.apple.com/kb/HT213844", + "https://support.apple.com/kb/HT213845", + "https://hackerone.com/reports/1954658", + "https://security.gentoo.org/glsa/202310-12", + "https://access.redhat.com/errata/RHSA-2023:5598", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-270.html", + "https://www.cve.org/CVERecord?id=CVE-2023-28322", + "https://ubuntu.com/security/notices/USN-6237-1", + "https://access.redhat.com/errata/RHSA-2023:4628", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2230.html", + "https://access.redhat.com/errata/RHSA-2023:4629", + "https://access.redhat.com/errata/RHSA-2024:0428", + "https://ubuntu.com/security/notices/USN-6237-3", + "https://access.redhat.com/errata/RHSA-2023:4354", + "https://access.redhat.com/errata/RHSA-2024:0585", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239", + "https://access.redhat.com/errata/RHSA-2024:1601" + ], + "related": [ + "USN-6237-3" + ], + "severity": "low", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-28322", + "updated": "2023-12-22T16:15:07Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2019-12-23T01:15:13Z", + "description": "multiSelect in select.c in SQLite 3.30.1 mishandles certain errors during parsing, as demonstrated by errors from sqlite3WindowRewrite() calls. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-19880.", + "id": "CVE-2019-19926", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.01382 + }, + "references": [ + "https://usn.ubuntu.com/4298-2/", + "https://www.debian.org/security/2020/dsa-4638", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://usn.ubuntu.com/4298-1/", + "https://access.redhat.com/errata/RHSA-2020:0514", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://ubuntu.com/security/notices/USN-4298-2", + "https://www.cve.org/CVERecord?id=CVE-2019-19926", + "https://ubuntu.com/security/notices/USN-4298-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-19926", + "updated": "2022-04-15T16:17:32Z" + }, + { + "affects": [ + { + "fixed_version": "0:4.2.4-7ubuntu12.13+esm2", + "installed_version": "pkg:deb/ubuntu/isc-dhcp-client@4.2.4-7ubuntu12.13?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=isc-dhcp" + } + ], + "created": "2022-10-07T05:15:11Z", + "description": "In ISC DHCP 1.0 -\u003e 4.4.3, ISC DHCP 4.1-ESV-R1 -\u003e 4.1-ESV-R16-P1 a system with access to a DHCP server, sending DHCP packets crafted to include fqdn labels longer than 63 bytes, could eventually cause the server to run out of memory.", + "id": "CVE-2022-2929", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 770 + ], + "epss": 9.9E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/", + "https://kb.isc.org/docs/cve-2022-2929", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html", + "https://security.gentoo.org/glsa/202305-22", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1874.html", + "https://access.redhat.com/errata/RHSA-2023:2502", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021320", + "https://www.cve.org/CVERecord?id=CVE-2022-2929", + "https://lists.isc.org/pipermail/dhcp-announce/2022-October/000437.html", + "https://ubuntu.com/security/notices/USN-5658-2", + "https://ubuntu.com/security/notices/USN-5658-1", + "https://access.redhat.com/errata/RHSA-2023:3000", + "https://ubuntu.com/security/notices/USN-5658-3" + ], + "related": [ + "USN-5658-3" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2929", + "updated": "2023-11-07T03:47:05Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-07-08T22:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0046.", + "id": "CVE-2022-2345", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://www.cve.org/CVERecord?id=CVE-2022-2345", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5775-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2345" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2345", + "updated": "2023-11-07T03:46:32Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-12-31T15:15:08Z", + "description": "vim is vulnerable to Use After Free", + "id": "CVE-2021-4192", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00137 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://support.apple.com/kb/HT213343", + "https://support.apple.com/kb/HT213256", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://support.apple.com/kb/HT213183", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://ubuntu.com/security/notices/USN-5433-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:0366", + "https://www.cve.org/CVERecord?id=CVE-2021-4192", + "https://alas.aws.amazon.com/ALAS-2022-1557.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-4192" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-4192", + "updated": "2023-11-07T03:40:20Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm15", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm15", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-03-30T20:15:07Z", + "description": "An authentication bypass vulnerability exists libcurl \u003c8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.", + "id": "CVE-2023-27536", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 305, + 287 + ], + "epss": 0.0021899999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:07:05Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/", + "https://hackerone.com/reports/1895135", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html", + "https://security.gentoo.org/glsa/202310-12", + "https://www.cve.org/CVERecord?id=CVE-2023-27536", + "https://access.redhat.com/errata/RHSA-2024:0428", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2070.html", + "https://ubuntu.com/security/notices/USN-5964-1", + "https://ubuntu.com/security/notices/USN-5964-2", + "https://access.redhat.com/errata/RHSA-2023:6679", + "https://access.redhat.com/errata/RHSA-2023:4523", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-27536", + "https://alas.aws.amazon.com/ALAS-2023-1727.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-27536", + "updated": "2024-03-27T14:46:55Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm4", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm4", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).", + "id": "CVE-2020-8169", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 200 + ], + "epss": 0.0065299999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-03-28T12:17:35Z" + }, + "references": [ + "https://www.debian.org/security/2021/dsa-4881", + "https://hackerone.com/reports/874778", + "https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://access.redhat.com/errata/RHSA-2021:2471", + "https://ubuntu.com/security/notices/USN-4402-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965280", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8169", + "https://access.redhat.com/errata/RHSA-2021:2472", + "https://www.cve.org/CVERecord?id=CVE-2020-8169" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169", + "updated": "2024-03-27T16:04:23Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm6", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2023-02-08T20:15:24Z", + "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", + "id": "CVE-2023-0215", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.0036500001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T20:01:03Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202402-08", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb", + "https://www.openssl.org/news/secadv/20230207.txt", + "https://access.redhat.com/errata/RHSA-2023:4128", + "https://access.redhat.com/errata/RHSA-2023:2932", + "https://access.redhat.com/errata/RHSA-2023:3355", + "https://access.redhat.com/errata/RHSA-2023:3421", + "https://access.redhat.com/errata/RHSA-2023:3354", + "https://access.redhat.com/errata/RHSA-2023:3420", + "https://access.redhat.com/errata/RHSA-2023:1199", + "https://access.redhat.com/errata/RHSA-2023:1405", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1935.html", + "https://access.redhat.com/errata/RHSA-2023:0946", + "https://access.redhat.com/errata/RHSA-2023:3408", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1934.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0215", + "https://alas.aws.amazon.com/ALAS-2023-1683.html", + "https://ubuntu.com/security/notices/USN-5844-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-101.html", + "https://ubuntu.com/security/notices/USN-5845-2", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://ubuntu.com/security/notices/USN-5845-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2023:2165", + "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html", + "https://ubuntu.com/security/notices/USN-6564-1" + ], + "related": [ + "USN-5845-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215", + "updated": "2024-02-04T09:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-12-02T19:15:11Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765.", + "id": "CVE-2022-3520", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00147 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3520", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1902.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://alas.aws.amazon.com/ALAS-2023-1663.html" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3520", + "updated": "2023-05-03T12:16:25Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-10-02T20:15:10Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.", + "id": "CVE-2023-5344", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00182 + }, + "references": [ + "https://support.apple.com/kb/HT214038", + "https://support.apple.com/kb/HT214036", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/", + "https://support.apple.com/kb/HT214037", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOXBUJLJ5VSPN3YXWN7XZA4JDYKNE7GZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4W665GQBN6S6ZDMYWVF4X7KMFI7AQKJL/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-378.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053694", + "https://alas.aws.amazon.com/ALAS-2023-1893.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2288.html", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://www.cve.org/CVERecord?id=CVE-2023-5344", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-5344" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-5344", + "updated": "2023-12-13T01:15:11Z" + }, + { + "affects": [ + { + "fixed_version": "1:1.21.0-1ubuntu1.4+esm1", + "installed_version": "pkg:deb/ubuntu/busybox@1.21.0-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "fixed_version": "1:1.21.0-1ubuntu1.4+esm1", + "installed_version": "pkg:deb/ubuntu/busybox-initramfs@1.21.0-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=busybox" + } + ], + "created": "2021-03-19T05:15:13Z", + "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.", + "id": "CVE-2021-28831", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 755 + ], + "epss": 0.0076700002 + }, + "references": [ + "https://security.gentoo.org/glsa/202105-09", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UDQGJRECXFS5EZVDH2OI45FMO436AC4/", + "https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZASBW7QRRLY5V2R44MQ4QQM4CZIDHM2U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7ZIFKPRR32ZYA3WAA2NXFA3QHHOU6FJ/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28831", + "https://ubuntu.com/security/notices/USN-5179-1", + "https://ubuntu.com/security/notices/USN-5179-2", + "https://www.cve.org/CVERecord?id=CVE-2021-28831", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985674", + "https://ubuntu.com/security/notices/USN-6335-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831", + "updated": "2023-11-07T03:32:23Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm2", + "installed_version": "pkg:deb/ubuntu/krb5-locales@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm2", + "installed_version": "pkg:deb/ubuntu/libkrb5support0@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm2", + "installed_version": "pkg:deb/ubuntu/libkrb5-3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm2", + "installed_version": "pkg:deb/ubuntu/libk5crypto3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm2", + "installed_version": "pkg:deb/ubuntu/libgssapi-krb5-2@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + } + ], + "created": "2020-11-06T08:15:13Z", + "description": "MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite lengths lacks a recursion limit.", + "id": "CVE-2020-28196", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 674 + ], + "epss": 0.0052, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-12T01:34:38Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPH2V3WSQTELROZK3GFCPQDOFLKIZ6H5/", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://security.gentoo.org/glsa/202011-17", + "https://www.debian.org/security/2020/dsa-4795", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00011.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/73IGOG6CZAVMVNS4GGRMOLOZ7B6QVA7F/", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-28196", + "https://access.redhat.com/errata/RHSA-2021:2239", + "https://ubuntu.com/security/notices/USN-4635-1", + "https://access.redhat.com/errata/RHSA-2021:1593", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973880", + "https://www.cve.org/CVERecord?id=CVE-2020-28196", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1845.html" + ], + "related": [ + "USN-4635-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-28196", + "updated": "2023-11-07T03:21:07Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-01-20T19:15:17Z", + "description": "A null pointer dereference issue was discovered in function gui_x11_create_blank_mouse in gui_x11.c in vim 8.1.2269 thru 9.0.0339 allows attackers to cause denial of service or other unspecified impacts.", + "id": "CVE-2022-47024", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-19T02:56:04Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EX6N2DB75A73MQGVW3CS4VTNPAYVM2M/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZWIJBSQX53P7DHV77KRXJIXA4GH7XHC/", + "https://ubuntu.com/security/notices/USN-5836-1", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://www.cve.org/CVERecord?id=CVE-2022-47024", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://access.redhat.com/errata/RHSA-2023:0958" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-47024", + "updated": "2023-11-07T03:56:06Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-10-27T19:15:41Z", + "description": "Vim is an improved version of the good old UNIX editor Vi. Heap-use-after-free in memory allocated in the function `ga_grow_inner` in in the file `src/alloc.c` at line 748, which is freed in the file `src/ex_docmd.c` in the function `do_cmdline` at line 1010 and then used again in `src/cmdhist.c` at line 759. When using the `:history` command, it's possible that the provided argument overflows the accepted value. Causing an Integer Overflow and potentially later an use-after-free. This vulnerability has been patched in version 9.0.2068.\n", + "id": "CVE-2023-46246", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190, + 416 + ], + "epss": 4.2E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/", + "https://alas.aws.amazon.com/ALAS-2023-1893.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-431.html", + "https://www.cve.org/CVERecord?id=CVE-2023-46246", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2338.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-46246", + "updated": "2023-12-17T03:15:07Z" + }, + { + "affects": [ + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm3", + "installed_version": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + }, + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm3", + "installed_version": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + } + ], + "created": "2022-11-29T17:23:51Z", + "description": "USN-5745-1 fixed vulnerabilities in shadow. Unfortunately that update\nintroduced a regression that caused useradd to behave incorrectly in Ubuntu\n14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This\nupdate reverts the security fix pending further investigation.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n Florian Weimer discovered that shadow was not properly copying and removing\n user directory trees, which could lead to a race condition. A local attacker\n could possibly use this issue to setup a symlink attack and alter or remove\n directories without authorization.\n", + "id": "USN-5745-2", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/5745-2" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-30T21:15:10Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2257", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://www.cve.org/CVERecord?id=CVE-2022-2257", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2257" + ], + "related": [ + "USN-6270-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2257", + "updated": "2023-11-07T03:46:22Z" + }, + { + "affects": [ + { + "fixed_version": "0:0.11-3ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libjson-c2@0.11-3ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=json-c" + }, + { + "fixed_version": "0:0.11-3ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libjson0@0.11-3ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=json-c" + } + ], + "created": "2020-05-09T18:15:11Z", + "description": "json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.", + "id": "CVE-2020-12762", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 190 + ], + "epss": 0.00111, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:26Z" + }, + "references": [ + "https://usn.ubuntu.com/4360-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W226TSCJBEOXDUFVKNWNH7ETG7AR6MCS/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://www.debian.org/security/2020/dsa-4741", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CQQRRGBQCAWNCCJ2HN3W5SSCZ4QGMXQI/", + "https://usn.ubuntu.com/4360-4/", + "https://lists.debian.org/debian-lts-announce/2020/05/msg00034.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBR36IXYBHITAZFB5PFBJTED22WO5ONB/", + "https://lists.debian.org/debian-lts-announce/2020/05/msg00032.html", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00031.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00023.html", + "https://security.gentoo.org/glsa/202006-13", + "https://ubuntu.com/security/notices/USN-4360-4", + "https://www.cve.org/CVERecord?id=CVE-2020-12762", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960326", + "https://access.redhat.com/errata/RHSA-2024:1086", + "https://access.redhat.com/errata/RHSA-2023:6976", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-12762", + "https://access.redhat.com/errata/RHSA-2024:1154", + "https://access.redhat.com/errata/RHSA-2021:4382", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-205.html", + "https://ubuntu.com/security/notices/USN-4360-1", + "https://alas.aws.amazon.com/ALAS-2020-1381.html", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1442.html", + "https://access.redhat.com/errata/RHSA-2024:0573", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-232.html", + "https://access.redhat.com/errata/RHSA-2023:6431", + "https://access.redhat.com/errata/RHSA-2024:0411", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2079.html" + ], + "related": [ + "USN-4360-1", + "USN-4360-4" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-12762", + "updated": "2023-11-07T03:15:44Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "7-7" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: GitHub Personal Access Token.", + "id": "IN-DOCKER-007-003", + "properties": {}, + "severity": "critical", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-08T10:15:07Z", + "description": "Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub repository vim/vim prior to 8.2.4899. This vulnerabilities are capable of crashing software, modify memory, and possible remote execution", + "id": "CVE-2022-1619", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.0104, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", + "https://security.gentoo.org/glsa/202208-32", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1619", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-1619", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1619", + "updated": "2023-11-07T03:42:02Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.27.1-1ubuntu0.1+esm4", + "installed_version": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2024-03-27T04:15:08Z", + "description": "In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.", + "id": "CVE-2023-39804", + "properties": { + "epss": 4.5E-4 + }, + "references": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079", + "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4", + "https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34", + "https://www.cve.org/CVERecord?id=CVE-2023-39804", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-475.html", + "https://ubuntu.com/security/notices/USN-6543-1", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2390.html" + ], + "related": [ + "USN-6543-1" + ], + "severity": "unknown", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804", + "updated": "2024-03-27T12:29:30Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. In affected versions when shifting lines in operator pending mode and using a very large value, it may be possible to overflow the size of integer. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `6bf131888` which has been included in version 9.0.2112. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48237", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00101 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2024-1902.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://www.cve.org/CVERecord?id=CVE-2023-48237", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48237", + "updated": "2024-01-25T21:33:53Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-12-02T17:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0789.", + "id": "CVE-2022-3591", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 6.2E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5775-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1902.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3591", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://alas.aws.amazon.com/ALAS-2023-1663.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3591", + "updated": "2023-05-03T12:16:25Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "id": "CVE-2022-22825", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0073899999 + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://www.cve.org/CVERecord?id=CVE-2022-22825", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22825", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-22825", + "updated": "2022-10-06T14:47:18Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm8", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm8", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2021-09-29T20:15:08Z", + "description": "A user can tell curl \u003e= 7.20.0 and \u003c= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.", + "id": "CVE-2021-22946", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 325, + 319 + ], + "epss": 0.0027900001 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/", + "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://hackerone.com/reports/1334111", + "https://security.gentoo.org/glsa/202212-01", + "https://support.apple.com/kb/HT213183", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html", + "https://www.debian.org/security/2022/dsa-5197", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22946", + "https://access.redhat.com/errata/RHSA-2022:0635", + "https://www.cve.org/CVERecord?id=CVE-2021-22946", + "https://alas.aws.amazon.com/ALAS-2021-1549.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1724.html", + "https://access.redhat.com/errata/RHSA-2021:4059", + "https://ubuntu.com/security/notices/USN-5079-2", + "https://access.redhat.com/errata/RHSA-2022:1354", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017589", + "https://ubuntu.com/security/notices/USN-5079-1" + ], + "related": [ + "USN-5079-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-22946", + "updated": "2024-03-27T15:12:52Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.18.2-2ubuntu1.7+esm4", + "installed_version": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-12-13T18:15:07Z", + "description": "CPAN 2.28 allows Signature Verification Bypass.", + "id": "CVE-2020-16156", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 347 + ], + "epss": 0.00165 + }, + "references": [ + "https://metacpan.org/pod/distribution/CPAN/scripts/cpan", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/", + "https://www.cve.org/CVERecord?id=CVE-2020-16156", + "https://ubuntu.com/security/notices/USN-5689-2", + "https://ubuntu.com/security/notices/USN-5689-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015985" + ], + "related": [ + "USN-5689-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156", + "updated": "2023-11-07T03:18:12Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the fmt_entry function in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.", + "id": "CVE-2017-13733", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0022400001 + }, + "references": [ + "https://security.gentoo.org/glsa/201804-13", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugzilla.redhat.com/show_bug.cgi?id=1484290", + "https://www.cve.org/CVERecord?id=CVE-2017-13733", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873746", + "https://ubuntu.com/security/notices/USN-5448-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13733", + "updated": "2023-11-07T02:38:42Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-10-12T13:15:10Z", + "description": "library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated \"finds all the pathnames matching a specified pattern according to the rules used by the Unix shell,\" one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.", + "id": "CVE-2019-17514", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 682 + ], + "epss": 0.0032800001 + }, + "references": [ + "https://web.archive.org/web/20160526201356/https://docs.python.org/2.7/library/glob.html", + "https://twitter.com/chris_bloke/status/1181997278136958976", + "https://web.archive.org/web/20150906020027/https://docs.python.org/2.7/library/glob.html", + "https://web.archive.org/web/20150822013622/https://docs.python.org/3/library/glob.html", + "https://pubs.acs.org/doi/suppl/10.1021/acs.orglett.9b03216/suppl_file/ol9b03216_si_002.zip", + "https://usn.ubuntu.com/4428-1/", + "https://twitter.com/LucasCMoore/status/1181615421922824192", + "https://web.archive.org/web/20160309211341/https://docs.python.org/3/library/glob.html", + "https://bugs.python.org/issue33275", + "https://pubs.acs.org/doi/full/10.1021/acs.orglett.9b03216", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://ubuntu.com/security/notices/USN-4428-1", + "https://www.cve.org/CVERecord?id=CVE-2019-17514" + ], + "related": [ + "USN-4428-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-17514", + "updated": "2020-07-27T18:15:12Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:08Z", + "description": "Vim is an open source command line text editor. If the count after the :s command is larger than what fits into a (signed) long variable, abort with e_value_too_large. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `ac6378773` which has been included in release version 9.0.2108. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48233", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00101 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://www.cve.org/CVERecord?id=CVE-2023-48233", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2024-1902.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48233", + "updated": "2024-01-25T21:38:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-26T13:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0361", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 8.9E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0361", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0361", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://access.redhat.com/errata/RHSA-2022:0894", + "https://ubuntu.com/security/notices/USN-5458-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0361", + "updated": "2022-11-09T18:57:54Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm5", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm5", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2023-12-12T15:15:07Z", + "description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().", + "id": "CVE-2023-50495", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "epss": 5.2E-4 + }, + "references": [ + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2380.html", + "https://ubuntu.com/security/notices/USN-6684-1", + "https://www.cve.org/CVERecord?id=CVE-2023-50495", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-466.html" + ], + "related": [ + "USN-6684-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-50495", + "updated": "2024-01-31T03:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm7", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + }, + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm7", + "installed_version": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-12-13T16:15:22Z", + "description": "If an X.509 certificate contains a malformed policy constraint and\npolicy processing is enabled, then a write lock will be taken twice\nrecursively. On some operating systems (most widely: Windows) this\nresults in a denial of service when the affected process hangs. Policy\nprocessing being enabled on a publicly facing server is not considered\nto be a common setup.\n\nPolicy processing is enabled by passing the `-policy'\nargument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.\n\nUpdate (31 March 2023): The description of the policy processing enablement\nwas corrected based on CVE-2023-0466.", + "id": "CVE-2022-3996", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 667 + ], + "epss": 0.00103 + }, + "references": [ + "https://www.openssl.org/news/secadv/20221213.txt", + "https://www.cve.org/CVERecord?id=CVE-2022-3996", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027102", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-095.html", + "https://ubuntu.com/security/notices/USN-6039-1" + ], + "related": [ + "USN-6039-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3996", + "updated": "2023-11-07T03:52:05Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm6", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-02-18T05:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.", + "id": "CVE-2022-25314", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0089100003, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:48:01Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.debian.org/security/2022/dsa-5085", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25314", + "https://access.redhat.com/errata/RHSA-2022:7811", + "https://access.redhat.com/errata/RHSA-2022:5314", + "https://ubuntu.com/security/notices/USN-5320-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://www.cve.org/CVERecord?id=CVE-2022-25314", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://access.redhat.com/errata/RHSA-2022:5244" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-25314", + "updated": "2023-11-07T03:44:45Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-25T18:15:08Z", + "description": "Access of Memory Location Before Start of Buffer in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0351", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 786, + 119 + ], + "epss": 7.7E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0351", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5458-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0351", + "updated": "2022-11-09T19:20:23Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-28T12:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0286.", + "id": "CVE-2022-3016", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T08:30:35Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://www.cve.org/CVERecord?id=CVE-2022-3016", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3016", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3016", + "updated": "2023-11-07T03:50:42Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow.", + "id": "CVE-2021-31870", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00244, + "exploit_available": true, + "exploit_last_seen_in_public": "2023-11-27T17:15:44Z" + }, + "references": [ + "https://kernel.org/pub/linux/libs/klibc/2.0/", + "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505", + "https://ubuntu.com/security/notices/USN-5379-1", + "https://www.cve.org/CVERecord?id=CVE-2021-31870" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31870", + "updated": "2022-04-19T03:51:14Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-31T14:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1942", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 8.7E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/", + "https://security.gentoo.org/glsa/202208-32", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://ubuntu.com/security/notices/USN-5507-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1942", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1942", + "updated": "2023-11-07T03:42:19Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm3", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2022-08-03T06:15:07Z", + "description": "SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.", + "id": "CVE-2022-35737", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 129 + ], + "epss": 0.00254, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T14:16:53Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202210-40", + "https://sqlite.org/releaselog/3_39_2.html", + "https://www.sqlite.org/cves.html", + "https://kb.cert.org/vuls/id/720344", + "https://ubuntu.com/security/notices/USN-5716-2", + "https://access.redhat.com/errata/RHSA-2023:0110", + "https://ubuntu.com/security/notices/USN-5716-1", + "https://ubuntu.com/security/notices/USN-5712-1", + "https://access.redhat.com/errata/RHSA-2023:0339", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034122", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-089.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1911.html", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034127", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034129", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35737", + "https://support.microsoft.com/help/5034122", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-35737", + "https://access.redhat.com/errata/RHSA-2024:0425" + ], + "related": [ + "USN-5716-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-35737", + "updated": "2024-03-27T16:05:26Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2019-12-10T22:15:14Z", + "description": "Uninitialized data in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "id": "CVE-2019-13751", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 908 + ], + "epss": 0.01021, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:26Z" + }, + "references": [ + "https://www.debian.org/security/2020/dsa-4606", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://usn.ubuntu.com/4298-2/", + "https://usn.ubuntu.com/4298-1/", + "https://security.gentoo.org/glsa/202003-08", + "https://seclists.org/bugtraq/2020/Jan/27", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/", + "https://www.cve.org/CVERecord?id=CVE-2019-13751", + "https://ubuntu.com/security/notices/USN-4298-2", + "https://access.redhat.com/errata/RHSA-2021:4396", + "https://ubuntu.com/security/notices/USN-4298-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-13751", + "updated": "2023-11-07T03:04:22Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-02T14:15:34Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1968", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00102 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-1968", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://ubuntu.com/security/notices/USN-5507-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1968", + "updated": "2023-05-03T12:15:38Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-02T20:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.", + "id": "CVE-2023-4738", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213984", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4738", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4738", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2023-1826.html", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4738", + "updated": "2024-02-01T16:16:44Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-10-11T20:15:10Z", + "description": "Use After Free in GitHub repository vim/vim prior to v9.0.2010.", + "id": "CVE-2023-5535", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-403.html", + "https://alas.aws.amazon.com/ALAS-2023-1893.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2319.html", + "https://www.cve.org/CVERecord?id=CVE-2023-5535" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-5535", + "updated": "2023-11-15T02:31:02Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm11", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm11", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-07-07T13:15:08Z", + "description": "When curl \u003c 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.", + "id": "CVE-2022-32208", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 840, + 787 + ], + "epss": 0.00296 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEV6BR4MTI3CEWK2YU2HQZUW5FAS3FEY/", + "https://security.gentoo.org/glsa/202212-01", + "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", + "https://hackerone.com/reports/1590071", + "https://www.debian.org/security/2022/dsa-5197", + "https://access.redhat.com/errata/RHSA-2022:6159", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html", + "https://ubuntu.com/security/notices/USN-5499-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-32208", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1875.html", + "https://ubuntu.com/security/notices/USN-5495-1", + "https://alas.aws.amazon.com/ALAS-2022-1646.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:8840", + "https://access.redhat.com/errata/RHSA-2022:8841", + "https://access.redhat.com/errata/RHSA-2022:6157", + "https://www.cve.org/CVERecord?id=CVE-2022-32208" + ], + "related": [ + "USN-5499-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-32208", + "updated": "2024-03-27T15:00:41Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm2", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm2", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm2", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2018-11-12T19:29:00Z", + "description": "In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a \"dubious character `*' in name or alias field\" detection.", + "id": "CVE-2018-19211", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 5.6E-4 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1643754", + "https://ubuntu.com/security/notices/USN-5477-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2018-19211" + ], + "related": [ + "USN-5477-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-19211", + "updated": "2019-04-23T13:15:28Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-07-02T19:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2286", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2286", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2286", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2286", + "updated": "2023-11-07T03:46:24Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-19T12:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2125", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00147 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://support.apple.com/kb/HT213443", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://www.cve.org/CVERecord?id=CVE-2022-2125", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2125", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2125", + "updated": "2023-11-07T03:46:13Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm4", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-11-05T15:15:08Z", + "description": "vim is vulnerable to Use of Uninitialized Variable", + "id": "CVE-2021-3928", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 457, + 908 + ], + "epss": 5.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-12T13:30:31Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCQWPEY2AEYBELCMJYHYWYCD3PZVD2H7/", + "https://www.cve.org/CVERecord?id=CVE-2021-3928", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3928", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5147-1", + "https://alas.aws.amazon.com/ALAS-2022-1557.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3928", + "updated": "2023-11-07T03:38:25Z" + }, + { + "affects": [ + { + "fixed_version": "0:204-5ubuntu20.31+esm2", + "installed_version": "pkg:deb/ubuntu/systemd@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:204-5ubuntu20.31+esm2", + "installed_version": "pkg:deb/ubuntu/libudev1@204-5ubuntu20.31?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=systemd" + } + ], + "created": "2022-11-23T23:15:10Z", + "description": "systemd 250 and 251 allows local users to achieve a systemd-coredump deadlock by triggering a crash that has a long backtrace. This occurs in parse_elf_object in shared/elf-util.c. The exploitation methodology is to crash a binary calling the same function recursively, and put it in a deeply nested directory to make its backtrace large enough to cause the deadlock. This must be done 16 times when MaxConnections=16 is set for the systemd/units/systemd-coredump.socket file.", + "id": "CVE-2022-45873", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 400 + ], + "epss": 4.2E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MS5N5SLYAHKENLAJWYBDKU55ICU3SVZF/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-025.html", + "https://www.cve.org/CVERecord?id=CVE-2022-45873", + "https://ubuntu.com/security/notices/USN-5928-1", + "https://access.redhat.com/errata/RHSA-2023:0954", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-45873" + ], + "related": [ + "USN-5928-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-45873", + "updated": "2023-11-07T03:54:55Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-04T14:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.1857.", + "id": "CVE-2023-4750", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 5.6E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/", + "https://support.apple.com/kb/HT213984", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/", + "https://alas.aws.amazon.com/ALAS-2023-1837.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://www.cve.org/CVERecord?id=CVE-2023-4750", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4750" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4750", + "updated": "2024-02-01T18:01:58Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm14", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm14", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-02-09T20:15:10Z", + "description": "A use after free vulnerability exists in curl \u003c7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.", + "id": "CVE-2022-43552", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00104, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:25Z" + }, + "references": [ + "https://hackerone.com/reports/1764858", + "https://support.apple.com/kb/HT213670", + "https://security.gentoo.org/glsa/202310-12", + "https://access.redhat.com/errata/RHSA-2023:2478", + "https://access.redhat.com/errata/RHSA-2023:2963", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html", + "https://support.microsoft.com/help/5025229", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025229", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026830", + "https://support.microsoft.com/help/5025239", + "https://access.redhat.com/errata/RHSA-2023:3355", + "https://access.redhat.com/errata/RHSA-2023:3354", + "https://access.redhat.com/errata/RHSA-2023:7743", + "https://ubuntu.com/security/notices/USN-5788-1", + "https://support.microsoft.com/help/5025221", + "https://ubuntu.com/security/notices/USN-5894-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1924.html", + "https://support.microsoft.com/help/5025224", + "https://access.redhat.com/errata/RHSA-2024:0428", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025230", + "https://support.microsoft.com/help/5025230", + "https://www.cve.org/CVERecord?id=CVE-2022-43552", + "https://alas.aws.amazon.com/ALAS-2023-1729.html", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025224", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025221", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5025239", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-43552" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-43552", + "updated": "2024-03-27T14:55:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-07-25T14:15:10Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0061.", + "id": "CVE-2022-2522", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 0.0012300001 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2522", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016068", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2522", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2522", + "updated": "2023-05-03T12:16:00Z" + }, + { + "affects": [ + { + "fixed_version": "1:1.21.0-1ubuntu1.4+esm1", + "installed_version": "pkg:deb/ubuntu/busybox@1.21.0-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "fixed_version": "1:1.21.0-1ubuntu1.4+esm1", + "installed_version": "pkg:deb/ubuntu/busybox-initramfs@1.21.0-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=busybox" + } + ], + "created": "2023-08-22T19:16:31Z", + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "id": "CVE-2022-48174", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00134, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:52:39Z" + }, + "references": [ + "https://bugs.busybox.net/show_bug.cgi?id=15216", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049", + "https://access.redhat.com/errata/RHSA-2023:5178", + "https://ubuntu.com/security/notices/USN-6335-1", + "https://www.cve.org/CVERecord?id=CVE-2022-48174" + ], + "related": [ + "USN-6335-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174", + "updated": "2023-08-28T18:53:37Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.42.9-3ubuntu1.3+esm1", + "installed_version": "pkg:deb/ubuntu/e2fsprogs@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.42.9-3ubuntu1.3+esm1", + "installed_version": "pkg:deb/ubuntu/libss2@1.42.9-3ubuntu1.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=e2fsprogs" + } + ], + "created": "2019-09-24T22:15:13Z", + "description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "id": "CVE-2019-5094", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 8.2E-4 + }, + "references": [ + "https://www.debian.org/security/2019/dsa-4535", + "https://usn.ubuntu.com/4142-2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html", + "https://security.gentoo.org/glsa/202003-05", + "https://seclists.org/bugtraq/2019/Sep/58", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/", + "https://usn.ubuntu.com/4142-1/", + "https://alas.aws.amazon.com/ALAS-2021-1458.html", + "https://www.cve.org/CVERecord?id=CVE-2019-5094", + "https://ubuntu.com/security/notices/USN-4142-1", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1509.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941139", + "https://access.redhat.com/errata/RHSA-2020:4011", + "https://ubuntu.com/security/notices/USN-4142-2", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-5094", + "https://access.redhat.com/errata/RHSA-2020:1913" + ], + "related": [ + "USN-4142-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-5094", + "updated": "2023-11-07T03:11:26Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2019-12-10T22:15:14Z", + "description": "Out of bounds read in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.", + "id": "CVE-2019-13752", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0074300002, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:20:48Z" + }, + "references": [ + "https://www.debian.org/security/2020/dsa-4606", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://usn.ubuntu.com/4298-2/", + "https://usn.ubuntu.com/4298-1/", + "https://security.gentoo.org/glsa/202003-08", + "https://seclists.org/bugtraq/2020/Jan/27", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/", + "https://www.cve.org/CVERecord?id=CVE-2019-13752", + "https://ubuntu.com/security/notices/USN-4298-2", + "https://ubuntu.com/security/notices/USN-4298-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2020:1810" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-13752", + "updated": "2023-11-07T03:04:22Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.27.1-1ubuntu0.1+esm1", + "installed_version": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-03-22T08:29:00Z", + "description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.", + "id": "CVE-2019-9923", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0108599998 + }, + "references": [ + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2064.html", + "https://www.cve.org/CVERecord?id=CVE-2019-9923", + "https://alas.aws.amazon.com/ALAS-2023-1755.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925286", + "https://ubuntu.com/security/notices/USN-4692-1" + ], + "related": [ + "USN-4692-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9923", + "updated": "2023-11-07T03:13:48Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm13", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm13", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-04-13T16:15:08Z", + "description": "In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, 3.9", + "id": "CVE-2015-20107", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 77 + ], + "epss": 0.00141 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAY6VBNVEFUXKJF37WFHYXUSRDEK34N3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERYMM2QVDPOJLX4LYXWYIQN5FOIJLDRY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57NECACX333A3BBZM2TR2VZ4ZE3UG3SN/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WXF6MQ74HVIDDSR5AE2UDR24I6D4FEPC/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4E2WBEJ42CGLGDHD6ZXOLZ2W6G3YOVD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AKGMYDVKI3XNM27B6I6RQ6QV3TVJAUCG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIKVSW3H6W2GQGDE5DTIWLGFNH6KKEW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FIRUTX47BJD2HYJDLMI7JJBVCYFAPKAQ/", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTTZGLD2YBMMG6U6F5HOTPOGGPBIURMA/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFGV7P2PYFBMK32OKHCAC2ZPJQV5AUDF/", + "https://bugs.python.org/issue24778", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAI2GBC7WKH7J5NH6J2IW5RT3VF2SF5M/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPCLGZZJPVXFWUWVV5WCD5FNUAFLKBDN/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCIO2W4DUVVMI6L52QCC4TT2B3K5VWHS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ONXSGLASNLGFL57YU6WT6Y5YURSFV43U/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DBVY4YC2P6EPZZ2DROOXHDOWZ4BJFLW/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XO2H6CKWLRGTTZCGUQVELW6LUH437Q3O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46KWPTI72SSEOF53DOYQBQOCN4QQB2GE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MYG3EMFR7ZHC46TDNM7SNWO64A3W7EUF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W5664BGZVTA46LQDNTYX5THG6CN4FYJX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F3LNY2NHM6J22O6Q5ANOE3SZRK3OACKR/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIOJUZ5JMEMGSKNISTOVI4PDP36FDL5Y/", + "https://security.gentoo.org/glsa/202305-02", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/53TQZFLS6O3FLIMVSXFEEPZSWLDZLBOX/", + "https://access.redhat.com/errata/RHSA-2022:6766", + "https://www.cve.org/CVERecord?id=CVE-2015-20107", + "https://access.redhat.com/errata/RHSA-2022:6457", + "https://ubuntu.com/security/notices/USN-5888-1", + "https://access.redhat.com/errata/RHSA-2022:7593", + "https://access.redhat.com/errata/RHSA-2022:8353", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:7592", + "https://access.redhat.com/errata/RHSA-2022:7581", + "https://mail.python.org/archives/list/security-announce@python.org/thread/QDSXNCW77UGULFG2JMDFZQ7H4DIR32LA/", + "https://ubuntu.com/security/notices/USN-5519-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2015-20107" + ], + "related": [ + "USN-5519-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2015-20107", + "updated": "2023-11-07T02:25:00Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm5", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2018-05-29T13:29:00Z", + "description": "sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user permitted to run such application via sudo with noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.", + "id": "CVE-2016-7076", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 77, + 184 + ], + "epss": 4.2E-4 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7076", + "https://usn.ubuntu.com/3968-3/", + "https://usn.ubuntu.com/3968-1/", + "https://ubuntu.com/security/notices/USN-3968-3", + "https://www.cve.org/CVERecord?id=CVE-2016-7076", + "https://access.redhat.com/errata/RHSA-2016:2872", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842507", + "https://ubuntu.com/security/notices/USN-3968-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-7076", + "updated": "2023-11-07T02:34:14Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2018-12-21T21:29:00Z", + "description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.", + "id": "CVE-2018-20346", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.8999900222, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T16:01:51Z" + }, + "references": [ + "https://support.apple.com/HT209443", + "https://sqlite.org/src/info/940f2adc8541a838", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://support.apple.com/HT209446", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://support.apple.com/HT209450", + "https://support.apple.com/HT209451", + "https://lists.debian.org/debian-lts-announce/2018/12/msg00012.html", + "https://support.apple.com/HT209447", + "https://support.apple.com/HT209448", + "https://bugzilla.redhat.com/show_bug.cgi?id=1659379", + "https://access.redhat.com/articles/3758321", + "https://chromium.googlesource.com/chromium/src/+/c368e30ae55600a1c3c9cb1710a54f9c55de786e", + "https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU4NZ6DDU4BEM3ACM3FM6GLEPX56ZQXK/", + "https://bugzilla.redhat.com/show_bug.cgi?id=1659677", + "https://security.gentoo.org/glsa/201904-21", + "https://usn.ubuntu.com/4019-2/", + "https://usn.ubuntu.com/4019-1/", + "https://www.sqlite.org/releaselog/3_25_3.html", + "https://sqlite.org/src/info/d44318f59044162e", + "https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2", + "https://www.cve.org/CVERecord?id=CVE-2018-20346", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20346", + "updated": "2023-11-07T02:56:16Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.19-0ubuntu6.15+esm1", + "installed_version": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "fixed_version": "0:2.19-0ubuntu6.15+esm1", + "installed_version": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + } + ], + "created": "2018-02-01T14:29:00Z", + "description": "An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.", + "id": "CVE-2018-6485", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 190 + ], + "epss": 0.0054799998 + }, + "references": [ + "https://usn.ubuntu.com/4416-1/", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22343", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://usn.ubuntu.com/4218-1/", + "https://alas.aws.amazon.com/ALAS-2018-1109.html", + "https://ubuntu.com/security/notices/USN-4416-1", + "https://ubuntu.com/security/notices/USN-4218-1", + "https://www.cve.org/CVERecord?id=CVE-2018-6485", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878159", + "https://alas.aws.amazon.com/AL2/ALAS-2018-992.html" + ], + "related": [ + "USN-4218-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-6485", + "updated": "2020-08-24T17:37:01Z" + }, + { + "affects": [ + { + "fixed_version": "0:4.2.4-7ubuntu12.13+esm2", + "installed_version": "pkg:deb/ubuntu/isc-dhcp-client@4.2.4-7ubuntu12.13?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=isc-dhcp" + } + ], + "created": "2022-10-07T05:15:08Z", + "description": "In ISC DHCP 4.4.0 -\u003e 4.4.3, ISC DHCP 4.1-ESV-R1 -\u003e 4.1-ESV-R16-P1, when the function option_code_hash_lookup() is called from add_option(), it increases the option's refcount field. However, there is not a corresponding call to option_dereference() to decrement the refcount field. The function add_option() is only used in server responses to lease query packets. Each lease query response calls this function for several options, so eventually, the reference counters could overflow and cause the server to abort.", + "id": "CVE-2022-2928", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.00107 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T6IBFH4MRRNJQVWEKILQ6I6CXWW766FX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QQXYCIWUDILRCNBAIMVFCSGXBRKEPB4K/", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00015.html", + "https://kb.isc.org/docs/cve-2022-2928", + "https://security.gentoo.org/glsa/202305-22", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2SARIK7KZ7MGQIWDRWZFAOSQSPXY4GOU/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1874.html", + "https://access.redhat.com/errata/RHSA-2023:2502", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021320", + "https://www.cve.org/CVERecord?id=CVE-2022-2928", + "https://lists.isc.org/pipermail/dhcp-announce/2022-October/000437.html", + "https://ubuntu.com/security/notices/USN-5658-2", + "https://access.redhat.com/errata/RHSA-2023:3000", + "https://ubuntu.com/security/notices/USN-5658-1", + "https://ubuntu.com/security/notices/USN-5658-3" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2928", + "updated": "2023-11-07T03:47:05Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1ubuntu2.24+esm1", + "installed_version": "pkg:deb/ubuntu/apt@1.0.1ubuntu2.24?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-05-15T14:15:11Z", + "description": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.", + "id": "CVE-2020-3810", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 20 + ], + "epss": 0.00125, + "exploit_available": true, + "exploit_last_seen_in_public": "2023-06-07T12:15:06Z" + }, + "references": [ + "https://usn.ubuntu.com/4359-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/", + "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/", + "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6", + "https://bugs.launchpad.net/bugs/1878177", + "https://lists.debian.org/debian-security-announce/2020/msg00089.html", + "https://usn.ubuntu.com/4359-2/", + "https://salsa.debian.org/jak/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6", + "https://www.cve.org/CVERecord?id=CVE-2020-3810", + "https://ubuntu.com/security/notices/USN-4359-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4359-1" + ], + "related": [ + "USN-4359-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-3810", + "updated": "2023-11-07T03:23:04Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-12-05T19:15:10Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0882.", + "id": "CVE-2022-4292", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 6.7E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYC22GGZ6QA66HLNLHCTAJU265TT3O33/", + "https://alas.aws.amazon.com/ALAS-2023-1681.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://www.cve.org/CVERecord?id=CVE-2022-4292", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1927.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-4292", + "updated": "2023-11-07T03:57:26Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-07-02T15:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2284", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 0.00131 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2284", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2284", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2284", + "updated": "2023-11-07T03:46:24Z" + }, + { + "affects": [ + { + "fixed_version": "0:4.3-7ubuntu1.8+esm2", + "installed_version": "pkg:deb/ubuntu/bash@4.3-7ubuntu1.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-11-28T01:15:10Z", + "description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.", + "id": "CVE-2019-18276", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 273 + ], + "epss": 0.00108, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T11:35:19Z" + }, + "references": [ + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@\u003cdev.mina.apache.org\u003e", + "https://security.gentoo.org/glsa/202105-34", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://access.redhat.com/errata/RHSA-2021:1679", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-18276", + "https://ubuntu.com/security/notices/USN-5380-1", + "https://www.cve.org/CVERecord?id=CVE-2019-18276", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-5380-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-18276", + "updated": "2023-11-07T03:06:25Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-15T11:21:31Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0211.", + "id": "CVE-2022-2819", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 9.1E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHFAR6OY6G77M6GXCJT75A4KITLNR6GO/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2819", + "https://www.cve.org/CVERecord?id=CVE-2022-2819", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2819", + "updated": "2023-11-07T03:46:54Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-20T15:15:10Z", + "description": "Buffer Over-read in function grab_file_name in GitHub repository vim/vim prior to 8.2.4956. This vulnerability is capable of crashing the software, memory modification, and possible remote execution.", + "id": "CVE-2022-1720", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 126 + ], + "epss": 0.0064900001 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://support.apple.com/kb/HT213443", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://www.cve.org/CVERecord?id=CVE-2022-1720", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1720", + "updated": "2023-11-07T03:42:08Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-15T22:15:08Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0212.", + "id": "CVE-2022-2816", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 9.1E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHFAR6OY6G77M6GXCJT75A4KITLNR6GO/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2816", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-2816", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2816", + "updated": "2023-11-07T03:46:54Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-27T13:15:07Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163.", + "id": "CVE-2022-2208", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.00119 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2208", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-2208", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2208", + "updated": "2023-11-07T03:46:17Z" + }, + { + "affects": [ + { + "fixed_version": "0:20230311~14.04.1~esm1", + "installed_version": "pkg:deb/ubuntu/ca-certificates@20170717%7E14.04.2?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2023-05-24T17:36:21Z", + "description": "USN-6105-1 updated ca-certificates. This provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n The ca-certificates package contained outdated CA certificates. This update\n refreshes the included certificates to those contained in the 2.60 version\n of the Mozilla certificate authority bundle.\n", + "id": "USN-6105-2", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/6105-2" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2017-07-08T17:29:00Z", + "description": "Vim 8.0 allows attackers to cause a denial of service (invalid free) or possibly have unspecified other impact via a crafted source (aka -S) file. NOTE: there might be a limited number of scenarios in which this has security relevance.", + "id": "CVE-2017-11109", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00132 + }, + "references": [ + "https://usn.ubuntu.com/4309-1/", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=1468492", + "https://www.cve.org/CVERecord?id=CVE-2017-11109", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867720", + "https://ubuntu.com/security/notices/USN-4309-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-11109", + "updated": "2019-08-03T13:15:15Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm7", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + }, + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm7", + "installed_version": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2023-03-28T15:15:06Z", + "description": "The function X509_VERIFY_PARAM_add0_policy() is documented to\nimplicitly enable the certificate policy check when doing certificate\nverification. However the implementation of the function does not\nenable the check which allows certificates with invalid or incorrect\npolicies to pass the certificate verification.\n\nAs suddenly enabling the policy check could break existing deployments it was\ndecided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()\nfunction.\n\nInstead the applications that require OpenSSL to perform certificate\npolicy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly\nenable the policy check by calling X509_VERIFY_PARAM_set_flags() with\nthe X509_V_FLAG_POLICY_CHECK flag argument.\n\nCertificate policy checks are disabled by default in OpenSSL and are not\ncommonly used by applications.", + "id": "CVE-2023-0466", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 295 + ], + "epss": 0.00127, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T19:55:43Z" + }, + "references": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72", + "https://security.gentoo.org/glsa/202402-08", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://www.openssl.org/news/secadv/20230328.txt", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a", + "https://www.debian.org/security/2023/dsa-5417", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908", + "https://access.redhat.com/errata/RHSA-2023:3722", + "https://access.redhat.com/errata/RHSA-2023:7626", + "https://access.redhat.com/errata/RHSA-2023:7625", + "https://access.redhat.com/errata/RHSA-2023:7623", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2073.html", + "https://access.redhat.com/errata/RHSA-2023:7622", + "https://ubuntu.com/security/notices/USN-6039-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-181.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0466", + "https://alas.aws.amazon.com/ALAS-2023-1762.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0466", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2039.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466", + "updated": "2024-02-04T09:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-17T15:15:07Z", + "description": "Improper Validation of Specified Quantity in Input in GitHub repository vim/vim prior to 9.0.0218.\n\n", + "id": "CVE-2022-2845", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 1284 + ], + "epss": 0.00105 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2845", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2845" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2845", + "updated": "2023-07-10T16:15:48Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm4", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-10-19T13:15:11Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "id": "CVE-2021-3872", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00127 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/", + "https://www.cve.org/CVERecord?id=CVE-2021-3872", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1728.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3872", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:0366", + "https://ubuntu.com/security/notices/USN-5147-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3872", + "updated": "2023-11-07T03:38:19Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm15", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm15", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-03-30T20:15:07Z", + "description": "A vulnerability in input validation exists in curl \u003c8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and \"telnet options\" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.", + "id": "CVE-2023-27533", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 75, + 74 + ], + "epss": 0.00199, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:07:05Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html", + "https://hackerone.com/reports/1891474", + "https://security.gentoo.org/glsa/202310-12", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2070.html", + "https://access.redhat.com/errata/RHSA-2023:3355", + "https://ubuntu.com/security/notices/USN-5964-1", + "https://access.redhat.com/errata/RHSA-2023:3354", + "https://access.redhat.com/errata/RHSA-2023:6679", + "https://ubuntu.com/security/notices/USN-5964-2", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-27533", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2023-1727.html", + "https://www.cve.org/CVERecord?id=CVE-2023-27533" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-27533", + "updated": "2024-03-27T14:54:51Z" + }, + { + "affects": [ + { + "fixed_version": "1:8.31-2ubuntu2.3+esm1", + "installed_version": "pkg:deb/ubuntu/libpcre3@8.31-2ubuntu2.3?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=pcre3" + } + ], + "created": "2020-06-15T17:15:10Z", + "description": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.", + "id": "CVE-2020-14155", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00611, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:26Z" + }, + "references": [ + "https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/", + "https://support.apple.com/kb/HT212147", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@\u003cdev.mina.apache.org\u003e", + "https://bugs.gentoo.org/717920", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://support.apple.com/kb/HT211931", + "https://www.pcre.org/original/changelog.txt", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963086", + "https://access.redhat.com/errata/RHSA-2021:4614", + "https://access.redhat.com/errata/RHSA-2021:4373", + "https://www.cve.org/CVERecord?id=CVE-2020-14155", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-14155", + "https://ubuntu.com/security/notices/USN-5425-1", + "https://access.redhat.com/errata/RHSA-2021:4613" + ], + "related": [ + "USN-5425-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-14155", + "updated": "2024-03-27T16:04:48Z" + }, + { + "affects": [ + { + "fixed_version": "0:0.11-3ubuntu1.2+esm2", + "installed_version": "pkg:deb/ubuntu/libjson0@0.11-3ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=json-c" + }, + { + "fixed_version": "0:0.11-3ubuntu1.2+esm2", + "installed_version": "pkg:deb/ubuntu/libjson-c2@0.11-3ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=json-c" + } + ], + "created": "2020-05-15T12:59:57Z", + "description": "USN-4360-1 fixed a vulnerability in json-c. The security fix introduced\na memory leak in some scenarios. This update reverts the security fix\npending further investigation.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that json-c incorrectly handled certain JSON files.\n An attacker could possibly use this issue to execute arbitrary code.\n", + "id": "USN-4360-3", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/4360-3" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-10T22:15:07Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0554", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 823, + 119 + ], + "epss": 9.8E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0554", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://access.redhat.com/errata/RHSA-2022:5242", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0554" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0554", + "updated": "2023-11-07T03:41:22Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm2", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2020-12-08T16:15:11Z", + "description": "The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the \"-crl_download\" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).", + "id": "CVE-2020-1971", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0042500002, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T19:45:29Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc", + "https://www.openssl.org/news/secadv/20201208.txt", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html", + "https://security.gentoo.org/glsa/202012-13", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e", + "https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@\u003ccommits.pulsar.apache.org\u003e", + "https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@\u003cdev.tomcat.apache.org\u003e", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.debian.org/security/2020/dsa-4807", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/errata/RHSA-2020:5623", + "https://access.redhat.com/errata/RHSA-2020:5566", + "https://access.redhat.com/errata/RHSA-2020:5588", + "https://access.redhat.com/errata/RHSA-2020:5642", + "https://access.redhat.com/errata/RHSA-2020:5422", + "https://access.redhat.com/errata/RHSA-2020:5641", + "https://access.redhat.com/errata/RHSA-2020:5640", + "https://www.cve.org/CVERecord?id=CVE-2020-1971", + "https://ubuntu.com/security/notices/USN-4745-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1971", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://access.redhat.com/errata/RHSA-2021:0494", + "https://access.redhat.com/errata/RHSA-2021:0495", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:0056", + "https://access.redhat.com/errata/RHSA-2020:5476", + "https://access.redhat.com/errata/RHSA-2021:0491", + "https://access.redhat.com/errata/RHSA-2020:5639", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1573.html", + "https://access.redhat.com/errata/RHSA-2020:5637", + "https://alas.aws.amazon.com/ALAS-2020-1456.html", + "https://access.redhat.com/errata/RHSA-2021:0489", + "https://ubuntu.com/security/notices/USN-4662-1", + "https://access.redhat.com/errata/RHSA-2021:0488", + "https://access.redhat.com/errata/RHSA-2021:0486" + ], + "related": [ + "USN-4745-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-1971", + "updated": "2023-11-07T03:19:39Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-04-21T11:15:08Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4774.", + "id": "CVE-2022-1420", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 823, + 119 + ], + "epss": 8.1E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVPZVE2CIE2NGCHZDMEHPBWN3LK2UQAA/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6E457NYOIRWBJHKB7ON44UY5AVTG4HU/", + "https://www.cve.org/CVERecord?id=CVE-2022-1420", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1420", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://access.redhat.com/errata/RHSA-2022:5242" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1420", + "updated": "2023-11-07T03:41:55Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-17T18:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0220.", + "id": "CVE-2022-2849", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 9.1E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2849", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2849" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2849", + "updated": "2023-11-07T03:46:57Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-10T19:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2042", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00102 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://support.apple.com/kb/HT213443", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5492-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2042", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2042", + "updated": "2023-05-03T12:15:40Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-22T21:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0240.", + "id": "CVE-2022-2923", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 9.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T08:13:31Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2923", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2923" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2923", + "updated": "2023-11-07T03:47:04Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm4", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2023-03-06T23:15:11Z", + "description": "The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding \"!= 0\" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.", + "id": "CVE-2022-45142", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 354 + ], + "epss": 6.5E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-22T19:46:09Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202310-06", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-45142", + "https://ubuntu.com/security/notices/USN-5849-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030849", + "https://www.cve.org/CVERecord?id=CVE-2022-45142" + ], + "related": [ + "USN-5849-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-45142", + "updated": "2023-10-08T09:15:11Z" + }, + { + "affects": [ + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm1", + "installed_version": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + }, + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm1", + "installed_version": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + } + ], + "created": "2018-02-15T20:29:00Z", + "description": "An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used \"group blacklisting\" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.", + "id": "CVE-2018-7169", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 732 + ], + "epss": 8.1E-4 + }, + "references": [ + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357", + "https://security.gentoo.org/glsa/201805-09", + "https://www.cve.org/CVERecord?id=CVE-2018-7169", + "https://ubuntu.com/security/notices/USN-5254-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890557" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-7169", + "updated": "2019-10-03T00:03:26Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm6", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-02-18T05:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.", + "id": "CVE-2022-25313", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 674 + ], + "epss": 0.0064099999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:48:01Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.debian.org/security/2022/dsa-5085", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25313", + "https://access.redhat.com/errata/RHSA-2022:7811", + "https://access.redhat.com/errata/RHSA-2022:5314", + "https://ubuntu.com/security/notices/USN-5320-1", + "https://www.cve.org/CVERecord?id=CVE-2022-25313", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2280.html", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://access.redhat.com/errata/RHSA-2022:5244" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-25313", + "updated": "2023-11-07T03:44:45Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-12-31T16:15:07Z", + "description": "vim is vulnerable to Out-of-bounds Read", + "id": "CVE-2021-4193", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00119 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://support.apple.com/kb/HT213343", + "https://support.apple.com/kb/HT213256", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://support.apple.com/kb/HT213183", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-4193", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html", + "https://www.cve.org/CVERecord?id=CVE-2021-4193", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:0366", + "https://ubuntu.com/security/notices/USN-5458-1", + "https://alas.aws.amazon.com/ALAS-2022-1557.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-4193", + "updated": "2023-11-07T03:40:20Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm10", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm10", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2020-10-22T03:16:31Z", + "description": "In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.", + "id": "CVE-2020-27619", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0066, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T06:13:01Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202402-04", + "https://bugs.python.org/issue41944", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@\u003cdev.mina.apache.org\u003e", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1670.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2317.html", + "https://access.redhat.com/errata/RHSA-2021:3252", + "https://access.redhat.com/errata/RHSA-2021:4151", + "https://access.redhat.com/errata/RHSA-2021:4162", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-009.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-27619", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://alas.aws.amazon.com/ALAS-2022-1593.html", + "https://access.redhat.com/errata/RHSA-2021:1633", + "https://ubuntu.com/security/notices/USN-4754-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:3254", + "https://www.cve.org/CVERecord?id=CVE-2020-27619" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-27619", + "updated": "2024-02-03T07:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-30T21:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0322.", + "id": "CVE-2022-3037", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHJ6LCLHGGVI2U6ZHXHTZ2PYP4STC23N/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RY3GEN2Q46ZJKSNHTN2XB6B3VAJBEILN/", + "https://www.cve.org/CVERecord?id=CVE-2022-3037", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3037", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3037", + "updated": "2023-11-07T03:50:43Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-27T16:15:08Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2210", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00124 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2210", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2210", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5516-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2210", + "updated": "2023-11-07T03:46:17Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm5", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2022-03-15T17:15:08Z", + "description": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).", + "id": "CVE-2022-0778", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 835 + ], + "epss": 0.0134199997, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T11:37:08Z" + }, + "references": [ + "https://support.apple.com/kb/HT213257", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246", + "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf", + "https://www.debian.org/security/2022/dsa-5103", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.openssl.org/news/secadv/20220315.txt", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://security.gentoo.org/glsa/202210-02", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html", + "https://access.redhat.com/errata/RHSA-2022:1519", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-037.html", + "https://access.redhat.com/errata/RHSA-2022:1476", + "https://access.redhat.com/errata/RHSA-2022:1112", + "https://ubuntu.com/security/notices/USN-6457-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1766.html", + "https://access.redhat.com/errata/RHSA-2022:1078", + "https://access.redhat.com/errata/RHSA-2022:1077", + "https://access.redhat.com/errata/RHSA-2022:1076", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0778", + "https://access.redhat.com/errata/RHSA-2022:1082", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-051.html", + "https://access.redhat.com/errata/RHSA-2022:1389", + "https://access.redhat.com/errata/RHSA-2022:1520", + "https://ubuntu.com/security/notices/USN-5328-1", + "https://ubuntu.com/security/notices/USN-5328-2", + "https://alas.aws.amazon.com/AL2/ALASNITRO-ENCLAVES-2022-018.html", + "https://access.redhat.com/errata/RHSA-2022:1066", + "https://access.redhat.com/errata/RHSA-2022:1065", + "https://access.redhat.com/errata/RHSA-2022:1263", + "https://alas.aws.amazon.com/ALAS-2022-1575.html", + "https://access.redhat.com/errata/RHSA-2022:1073", + "https://access.redhat.com/errata/RHSA-2022:4896", + "https://alas.aws.amazon.com/AL2/ALASMARIADB10.5-2023-003.html", + "https://access.redhat.com/errata/RHSA-2022:1390", + "https://access.redhat.com/errata/RHSA-2022:1071", + "https://access.redhat.com/errata/RHSA-2022:5326", + "https://access.redhat.com/errata/RHSA-2022:1091", + "https://access.redhat.com/errata/RHSA-2022:4899", + "https://access.redhat.com/errata/RHSA-2022:4956", + "https://www.cve.org/CVERecord?id=CVE-2022-0778" + ], + "related": [ + "USN-5328-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778", + "updated": "2023-11-07T03:41:33Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm1", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2019-02-27T23:29:00Z", + "description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).", + "id": "CVE-2019-1559", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 203 + ], + "epss": 0.0102300001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:10:56Z" + }, + "references": [ + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html", + "https://access.redhat.com/errata/RHSA-2019:3931", + "https://access.redhat.com/errata/RHSA-2019:2304", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://security.gentoo.org/glsa/201903-10", + "https://www.debian.org/security/2019/dsa-4400", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://support.f5.com/csp/article/K18549143", + "https://access.redhat.com/errata/RHSA-2019:2439", + "https://access.redhat.com/errata/RHSA-2019:2437", + "https://access.redhat.com/errata/RHSA-2019:3929", + "https://usn.ubuntu.com/3899-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282", + "https://access.redhat.com/errata/RHSA-2019:2471", + "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.openssl.org/news/secadv/20190226.txt", + "https://usn.ubuntu.com/4376-2/", + "https://access.redhat.com/errata/RHBA-2020:0547", + "https://ubuntu.com/security/notices/USN-4376-2", + "https://ubuntu.com/security/notices/USN-3899-1", + "https://alas.aws.amazon.com/ALAS-2019-1188.html", + "https://www.cve.org/CVERecord?id=CVE-2019-1559", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1362.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1188.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-1559", + "updated": "2023-11-07T03:08:30Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.27.1-1ubuntu0.1+esm1", + "installed_version": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2018-12-26T18:29:00Z", + "description": "GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).", + "id": "CVE-2018-20482", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 835 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-05T01:18:03Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html", + "https://lists.debian.org/debian-lts-announce/2021/11/msg00025.html", + "https://twitter.com/thatcks/status/1076166645708668928", + "https://security.gentoo.org/glsa/201903-05", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377", + "https://www.cve.org/CVERecord?id=CVE-2018-20482", + "https://ubuntu.com/security/notices/USN-4692-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20482", + "updated": "2021-11-30T19:52:03Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm6", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-02-18T05:15:08Z", + "description": "In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.", + "id": "CVE-2022-25315", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0200299993, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.debian.org/security/2022/dsa-5085", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", + "https://access.redhat.com/errata/RHSA-2022:0847", + "https://access.redhat.com/errata/RHSA-2022:0824", + "https://access.redhat.com/errata/RHSA-2022:0845", + "https://access.redhat.com/errata/RHSA-2022:0843", + "https://www.cve.org/CVERecord?id=CVE-2022-25315", + "https://access.redhat.com/errata/RHSA-2022:1012", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://access.redhat.com/errata/RHSA-2022:7811", + "https://ubuntu.com/security/notices/USN-5320-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1759.html", + "https://access.redhat.com/errata/RHSA-2022:0816", + "https://access.redhat.com/errata/RHSA-2022:0815", + "https://alas.aws.amazon.com/ALAS-2022-1570.html", + "https://access.redhat.com/errata/RHSA-2022:1309", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25315", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:0853", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1779.html", + "https://access.redhat.com/errata/RHSA-2022:0850", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://access.redhat.com/errata/RHSA-2022:1068", + "https://access.redhat.com/errata/RHSA-2022:1263", + "https://access.redhat.com/errata/RHSA-2022:1053", + "https://access.redhat.com/errata/RHSA-2022:1070", + "https://access.redhat.com/errata/RHSA-2022:0818", + "https://access.redhat.com/errata/RHSA-2022:0817" + ], + "related": [ + "USN-5320-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-25315", + "updated": "2023-11-07T03:44:45Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm8", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm8", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2021-09-29T20:15:08Z", + "description": "When curl \u003e= 7.20.0 and \u003c= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got *before* the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.", + "id": "CVE-2021-22947", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 345, + 310 + ], + "epss": 0.00101, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:20:52Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/", + "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://hackerone.com/reports/1334763", + "https://security.gentoo.org/glsa/202212-01", + "https://support.apple.com/kb/HT213183", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html", + "https://www.debian.org/security/2022/dsa-5197", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://access.redhat.com/errata/RHSA-2022:0635", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1724.html", + "https://www.cve.org/CVERecord?id=CVE-2021-22947", + "https://access.redhat.com/errata/RHSA-2022:1354", + "https://support.microsoft.com/help/5009555", + "https://support.microsoft.com/help/5009566", + "https://support.microsoft.com/help/5009543", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009557", + "https://support.microsoft.com/help/5009557", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947", + "https://alas.aws.amazon.com/ALAS-2021-1549.html", + "https://access.redhat.com/errata/RHSA-2021:4059", + "https://ubuntu.com/security/notices/USN-5079-4", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5079-2", + "https://ubuntu.com/security/notices/USN-5079-3", + "https://ubuntu.com/security/notices/USN-5079-1", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009543", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009555", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009566", + "https://launchpad.net/bugs/1944120(regressionbug)", + "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5009545" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-22947", + "updated": "2024-03-27T15:03:30Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libasn1-8-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libhx509-5-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2022-12-26T05:15:10Z", + "description": "Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.", + "id": "CVE-2021-44758", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 8.8E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202310-06", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44758", + "https://ubuntu.com/security/notices/USN-5800-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187", + "https://www.cve.org/CVERecord?id=CVE-2021-44758" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-44758", + "updated": "2023-10-08T09:15:10Z" + }, + { + "affects": [ + { + "fixed_version": "1:5.14-2ubuntu3.4+esm1", + "installed_version": "pkg:deb/ubuntu/file@5.14-2ubuntu3.4?arch=amd64\u0026distro=14.04\u0026epoch=1" + }, + { + "fixed_version": "1:5.14-2ubuntu3.4+esm1", + "installed_version": "pkg:deb/ubuntu/libmagic1@5.14-2ubuntu3.4?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=file" + } + ], + "created": "2019-10-21T05:15:10Z", + "description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).", + "id": "CVE-2019-18218", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00118, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:26Z" + }, + "references": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780", + "https://security.gentoo.org/glsa/202003-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html", + "https://www.debian.org/security/2019/dsa-4550", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6BJVGXSCC6NMIAWX36FPWHEIFON3OSE/", + "https://usn.ubuntu.com/4172-2/", + "https://lists.debian.org/debian-lts-announce/2021/07/msg00008.html", + "https://usn.ubuntu.com/4172-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942830", + "https://alas.aws.amazon.com/ALAS-2019-1326.html", + "https://alas.aws.amazon.com/ALAS-2024-1918.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1370.html", + "https://access.redhat.com/errata/RHSA-2021:4374", + "https://ubuntu.com/security/notices/USN-4172-2", + "https://ubuntu.com/security/notices/USN-4172-1", + "https://alas.aws.amazon.com/ALAS-2024-1921.html", + "https://www.cve.org/CVERecord?id=CVE-2019-18218" + ], + "related": [ + "USN-4172-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-18218", + "updated": "2023-11-07T03:06:24Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-06-07T18:29:00Z", + "description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.", + "id": "CVE-2019-10160", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 522, + 172 + ], + "epss": 0.00291, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-28T04:45:38Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/", + "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://access.redhat.com/errata/RHSA-2019:1587", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KRYFIMISZ47NTAU3XWZUOFB7CYL62KES/", + "https://usn.ubuntu.com/4127-2/", + "https://usn.ubuntu.com/4127-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQEQLXLOCR3SNM3AA5RRYJFQ5AZBYJ4L/", + "https://access.redhat.com/errata/RHSA-2019:1700", + "https://access.redhat.com/errata/RHSA-2019:2437", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://alas.aws.amazon.com/ALAS-2019-1324.html", + "https://www.cve.org/CVERecord?id=CVE-2019-10160", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1258.html", + "https://alas.aws.amazon.com/ALAS-2019-1258.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1259.html", + "https://ubuntu.com/security/notices/USN-4127-1", + "https://alas.aws.amazon.com/ALAS-2019-1259.html" + ], + "related": [ + "USN-4127-2" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-10160", + "updated": "2023-02-12T23:33:11Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm7", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm7", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-04-01T18:15:12Z", + "description": "curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.", + "id": "CVE-2021-22876", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 359, + 200 + ], + "epss": 0.0092700003 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/", + "https://security.gentoo.org/glsa/202105-36", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/", + "https://hackerone.com/reports/1101882", + "https://www.cve.org/CVERecord?id=CVE-2021-22876", + "https://alas.aws.amazon.com/ALAS-2021-1509.html", + "https://ubuntu.com/security/notices/USN-4898-1", + "https://access.redhat.com/errata/RHSA-2021:2471", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1653.html", + "https://ubuntu.com/security/notices/USN-4903-1", + "https://access.redhat.com/errata/RHSA-2021:2472", + "https://access.redhat.com/errata/RHSA-2022:1354", + "https://access.redhat.com/errata/RHSA-2021:4511", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986269" + ], + "related": [ + "USN-4903-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876", + "updated": "2024-03-27T15:47:49Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-23T17:15:14Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0246.", + "id": "CVE-2022-2946", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 7.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T13:18:48Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C72HDIMR3KTTAO7QGTXWUMPBNFUFIBRD/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2946", + "https://www.cve.org/CVERecord?id=CVE-2022-2946", + "https://ubuntu.com/security/notices/USN-5995-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2946", + "updated": "2023-11-07T03:47:07Z" + }, + { + "affects": [ + { + "fixed_version": "0:0.6.0-2ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libbsd0@0.6.0-2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libbsd" + } + ], + "created": "2017-01-13T16:59:00Z", + "description": "Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow.", + "id": "CVE-2016-2090", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0118100001 + }, + "references": [ + "https://cgit.freedesktop.org/libbsd/commit/?id=c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7", + "https://bugs.freedesktop.org/show_bug.cgi?id=93881", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KJE5SPSX7HEKLZ34LUTZLXWPEL2K353/", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00036.html", + "https://blog.fuzzing-project.org/36-Heap-buffer-overflow-in-fgetwln-function-of-libbsd.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIQKQ42Z7553D46QY3IMIQKS52QTNIHY/", + "https://security.gentoo.org/glsa/201607-13", + "https://usn.ubuntu.com/4243-1/", + "https://www.cve.org/CVERecord?id=CVE-2016-2090", + "https://ubuntu.com/security/notices/USN-4243-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-4243-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-2090", + "updated": "2023-11-07T02:30:55Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2022-04-18T21:15:07Z", + "description": "ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.", + "id": "CVE-2022-29458", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00102 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870", + "https://www.cve.org/CVERecord?id=CVE-2022-29458", + "https://ubuntu.com/security/notices/USN-5477-1", + "https://ubuntu.com/security/notices/USN-6099-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29458", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1893.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-023.html" + ], + "related": [ + "USN-6099-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-29458", + "updated": "2023-11-07T03:46:02Z" + }, + { + "affects": [ + { + "fixed_version": "1:2.24-0ubuntu2+esm1", + "installed_version": "pkg:deb/ubuntu/libcap2-bin@2.24-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=libcap2" + }, + { + "fixed_version": "1:2.24-0ubuntu2+esm1", + "installed_version": "pkg:deb/ubuntu/libcap2@2.24-0ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=1" + } + ], + "created": "2023-06-06T20:15:13Z", + "description": "A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.", + "id": "CVE-2023-2603", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 5.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:44:22Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ57ICDLMVYEREXQGZWL4GWI7FRJCRQT/", + "https://bugzilla.redhat.com/show_bug.cgi?id=2209113", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPEGCFMCN5KGCFX5Y2VTKR732TTD4ADW/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036114", + "https://access.redhat.com/errata/RHSA-2023:5071", + "https://ubuntu.com/security/notices/USN-6166-1", + "https://access.redhat.com/errata/RHSA-2023:4524", + "https://ubuntu.com/security/notices/USN-6166-2", + "https://www.cve.org/CVERecord?id=CVE-2023-2603", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2603", + "https://access.redhat.com/errata/RHSA-2023:7400", + "https://sites.google.com/site/fullycapable/release-notes-for-libcap", + "https://access.redhat.com/errata/RHSA-2024:0436" + ], + "related": [ + "USN-6166-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-2603", + "updated": "2023-11-30T05:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm2", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-10-17T18:15:12Z", + "description": "In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a \"sudo -u \\#$((0xffffffff))\" command.", + "id": "CVE-2019-14287", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 755 + ], + "epss": 0.3081400096, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-16T00:46:12Z" + }, + "references": [ + "https://access.redhat.com/errata/RHSA-2019:3278", + "https://access.redhat.com/errata/RHSA-2019:3754", + "https://access.redhat.com/errata/RHSA-2019:3755", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPLAM57TPJQGKQMNG6RHFBLACD6K356N/", + "https://access.redhat.com/errata/RHSA-2019:3694", + "https://access.redhat.com/errata/RHSA-2019:3895", + "https://access.redhat.com/errata/RHSA-2019:3197", + "https://security.gentoo.org/glsa/202003-12", + "https://usn.ubuntu.com/4154-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUVAOZBYUHZS56A5FQSCDVGXT7PW7FL2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IP7SIOAVLSKJGMTIULX52VQUPTVSC43U/", + "https://www.debian.org/security/2019/dsa-4543", + "https://support.f5.com/csp/article/K53746212?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://access.redhat.com/errata/RHSA-2019:3209", + "https://access.redhat.com/errata/RHBA-2019:3248", + "https://access.redhat.com/errata/RHSA-2019:3941", + "https://access.redhat.com/errata/RHSA-2020:0388", + "https://seclists.org/bugtraq/2019/Oct/20", + "https://access.redhat.com/errata/RHSA-2019:3205", + "https://seclists.org/bugtraq/2019/Oct/21", + "https://access.redhat.com/errata/RHSA-2019:3204", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00022.html", + "https://access.redhat.com/errata/RHSA-2019:4191", + "https://access.redhat.com/errata/RHSA-2019:3916", + "https://access.redhat.com/errata/RHSA-2019:3219", + "https://ubuntu.com/security/notices/USN-4154-1", + "https://alas.aws.amazon.com/ALAS-2019-1309.html", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1315.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942322", + "https://www.cve.org/CVERecord?id=CVE-2019-14287" + ], + "related": [ + "USN-4154-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-14287", + "updated": "2023-11-07T03:04:52Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "id": "CVE-2022-22822", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0034, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22822", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://www.cve.org/CVERecord?id=CVE-2022-22822", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-22822", + "updated": "2022-10-06T15:29:48Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-26T19:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2206", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2206", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2206", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2206", + "updated": "2023-11-07T03:46:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-27T09:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1898", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00129, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1898", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://www.cve.org/CVERecord?id=CVE-2022-1898", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1898", + "updated": "2023-11-07T03:42:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm10", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm10", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-05-09T18:15:14Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1531.", + "id": "CVE-2023-2609", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 4.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T13:39:33Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCLJN4QINITA3ZASKLEJ64C5TFNKELMO/", + "https://support.apple.com/kb/HT213844", + "https://support.apple.com/kb/HT213845", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2085.html", + "https://ubuntu.com/security/notices/USN-6154-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-194.html", + "https://alas.aws.amazon.com/ALAS-2023-1761.html", + "https://www.cve.org/CVERecord?id=CVE-2023-2609", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-2609", + "updated": "2023-12-23T07:15:49Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2020-07-13T13:15:10Z", + "description": "In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.", + "id": "CVE-2019-20907", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 835 + ], + "epss": 0.0110799996, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html", + "https://bugs.python.org/issue39017", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://usn.ubuntu.com/4428-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/", + "https://security.gentoo.org/glsa/202008-01", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1483.html", + "https://access.redhat.com/errata/RHSA-2020:4654", + "https://access.redhat.com/errata/RHSA-2020:4433", + "https://ubuntu.com/security/notices/USN-4428-1", + "https://access.redhat.com/errata/RHSA-2020:4641", + "https://alas.aws.amazon.com/ALAS-2020-1429.html", + "https://access.redhat.com/errata/RHSA-2020:4299", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-008.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970099", + "https://alas.aws.amazon.com/ALAS-2020-1427.html", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1484.html", + "https://access.redhat.com/errata/RHSA-2020:5009", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20907", + "https://alas.aws.amazon.com/ALAS-2020-1432.html", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://access.redhat.com/errata/RHSA-2021:0528", + "https://www.cve.org/CVERecord?id=CVE-2019-20907", + "https://access.redhat.com/errata/RHSA-2020:4285", + "https://access.redhat.com/errata/RHSA-2020:4273", + "https://access.redhat.com/errata/RHSA-2020:5010", + "https://alas.aws.amazon.com/ALAS-2020-1428.html", + "https://access.redhat.com/errata/RHSA-2021:0881", + "https://access.redhat.com/errata/RHSA-2021:0761" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-20907", + "updated": "2023-11-07T03:09:14Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-06-09T16:15:08Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2000", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.0018 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://support.apple.com/kb/HT213443", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JJNUS4AEVYSEJMCK6JZB57QHD5V2G4O/", + "https://www.cve.org/CVERecord?id=CVE-2022-2000", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5516-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2000", + "updated": "2023-11-07T03:46:08Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm4", + "installed_version": "pkg:deb/ubuntu/libkrb5support0@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm4", + "installed_version": "pkg:deb/ubuntu/libk5crypto3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm4", + "installed_version": "pkg:deb/ubuntu/libgssapi-krb5-2@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm4", + "installed_version": "pkg:deb/ubuntu/libkrb5-3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + } + ], + "created": "2023-08-07T19:15:09Z", + "description": "lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.", + "id": "CVE-2023-36054", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 824 + ], + "epss": 0.0026700001 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html", + "https://web.mit.edu/kerberos/www/advisories/", + "https://www.cve.org/CVERecord?id=CVE-2023-36054", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043431", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-321.html", + "https://access.redhat.com/errata/RHSA-2023:6699", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36054", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2225.html", + "https://alas.aws.amazon.com/ALAS-2023-1818.html", + "https://ubuntu.com/security/notices/USN-6467-2", + "https://ubuntu.com/security/notices/USN-6467-1" + ], + "related": [ + "USN-6467-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-36054", + "updated": "2023-11-15T03:23:27Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-12T11:15:07Z", + "description": "NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in GitHub repository vim/vim prior to 8.2.4938. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 allows attackers to cause a denial of service (application crash) via a crafted input.", + "id": "CVE-2022-1674", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 9.4E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFAZTAT5CZC2R6KYDYA2HBAVEDSIX6MW/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUPOLEX5GXC733HL4EFYMHFU7NISJJZG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODXVYZC5Z4XRRZK7CK6B6IURYVYHA25U/", + "https://www.cve.org/CVERecord?id=CVE-2022-1674", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1674", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1674", + "updated": "2023-11-07T03:42:06Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-01-30T15:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0413", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.8E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://ubuntu.com/security/notices/USN-5498-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://access.redhat.com/errata/RHSA-2022:0894", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0413", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0413" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0413", + "updated": "2023-11-07T03:41:15Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-12-05T19:15:10Z", + "description": "Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804.", + "id": "CVE-2022-4293", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 697, + 1077 + ], + "epss": 7.0E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://www.cve.org/CVERecord?id=CVE-2022-4293" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-4293", + "updated": "2023-05-03T12:16:42Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-08-29T06:29:00Z", + "description": "There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.", + "id": "CVE-2017-13734", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 9.2E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/201804-13", + "https://bugzilla.redhat.com/show_bug.cgi?id=1484291", + "https://www.cve.org/CVERecord?id=CVE-2017-13734", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873723", + "https://ubuntu.com/security/notices/USN-5448-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-13734", + "updated": "2018-10-21T10:29:06Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2016-09-26T16:59:03Z", + "description": "os_unix.c in SQLite before 3.13.0 improperly implements the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.", + "id": "CVE-2016-6153", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 0.00115 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU4NZ6DDU4BEM3ACM3FM6GLEPX56ZQXK/", + "https://www.sqlite.org/releaselog/3_13_0.html", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00022.html", + "https://usn.ubuntu.com/4019-2/", + "https://usn.ubuntu.com/4019-1/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGQTH7V45QVHFDXJAEECHEO3HHD644WZ/", + "https://www.cve.org/CVERecord?id=CVE-2016-6153", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2016-6153", + "updated": "2023-11-07T02:33:53Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + } + ], + "created": "2023-06-25T17:15:14Z", + "description": "end_pattern (called from internal_fnmatch) in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash), as demonstrated by use of the fnmatch library function with the **(!() pattern. NOTE: this is not the same as CVE-2015-8984; also, some Linux distributions have fixed CVE-2015-8984 but have not fixed this additional fnmatch issue.", + "id": "CVE-2015-20109", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 120 + ], + "epss": 4.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-03T15:26:36Z" + }, + "references": [ + "https://sourceware.org/bugzilla/show_bug.cgi?id=18036", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c2c6d39fab901c97c18fa3a3a3658d9dc3f7df61(glibc-2.22)", + "https://www.cve.org/CVERecord?id=CVE-2015-20109", + "https://ubuntu.com/security/notices/USN-6762-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2015-20109", + "updated": "2023-07-31T19:15:15Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-30T15:15:07Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0408", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 121 + ], + "epss": 0.00103 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0408", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-0408", + "https://ubuntu.com/security/notices/USN-5458-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0408", + "updated": "2023-11-07T03:41:15Z" + }, + { + "affects": [ + { + "fixed_version": "0:4.2.4-7ubuntu12.13+esm1", + "installed_version": "pkg:deb/ubuntu/isc-dhcp-client@4.2.4-7ubuntu12.13?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=isc-dhcp" + } + ], + "created": "2021-05-26T22:15:07Z", + "description": "In ISC DHCP 4.1-ESV-R1 -\u003e 4.1-ESV-R16, ISC DHCP 4.4.0 -\u003e 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.", + "id": "CVE-2021-25217", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0027699999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-25T15:54:42Z" + }, + "references": [ + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://kb.isc.org/docs/cve-2021-25217", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5QI4DYC7J4BGHEW3NH4XHMWTHYC36UK4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LB42JWIV4M4WDNXX5VGIP26FEYWKIF/", + "https://security.gentoo.org/glsa/202305-22", + "https://cert-portal.siemens.com/productcert/pdf/ssa-406691.pdf", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00002.html", + "https://alas.aws.amazon.com/ALAS-2021-1510.html", + "https://ubuntu.com/security/notices/USN-4969-2", + "https://ubuntu.com/security/notices/USN-4969-1", + "https://access.redhat.com/errata/RHSA-2021:2405", + "https://access.redhat.com/errata/RHSA-2021:2416", + "https://access.redhat.com/errata/RHSA-2021:2415", + "https://access.redhat.com/errata/RHSA-2021:2469", + "https://access.redhat.com/errata/RHSA-2021:2414", + "https://access.redhat.com/errata/RHSA-2021:2359", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989157", + "https://access.redhat.com/errata/RHSA-2021:2519", + "https://www.cve.org/CVERecord?id=CVE-2021-25217", + "https://access.redhat.com/errata/RHSA-2021:2419", + "https://access.redhat.com/errata/RHSA-2021:2418", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25217", + "https://access.redhat.com/errata/RHSA-2021:2420", + "https://access.redhat.com/errata/RHSA-2021:2555", + "https://access.redhat.com/errata/RHSA-2021:2357", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1654.html" + ], + "related": [ + "USN-4969-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-25217", + "updated": "2023-11-07T03:31:24Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-01-04T19:15:09Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.", + "id": "CVE-2023-0054", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 7.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T10:10:34Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00015.html", + "https://support.apple.com/kb/HT213670", + "https://ubuntu.com/security/notices/USN-5836-1", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0054", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0054", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031875" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0054", + "updated": "2023-06-12T20:15:10Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-15T23:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0213.", + "id": "CVE-2022-2817", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.1E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHFAR6OY6G77M6GXCJT75A4KITLNR6GO/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2817", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-2817", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2817", + "updated": "2023-11-07T03:46:54Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-07-01T11:15:07Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2264", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 0.00131 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2264", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2264", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2264", + "updated": "2023-11-07T03:46:23Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm2", + "installed_version": "pkg:deb/ubuntu/libwind0-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2022-11-15T23:15:27Z", + "description": "Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue.", + "id": "CVE-2022-41916", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 193 + ], + "epss": 0.0029800001 + }, + "references": [ + "https://security.gentoo.org/glsa/202310-06", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html", + "https://www.debian.org/security/2022/dsa-5287", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187", + "https://ubuntu.com/security/notices/USN-5766-1", + "https://www.cve.org/CVERecord?id=CVE-2022-41916", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41916" + ], + "related": [ + "USN-5766-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-41916", + "updated": "2023-10-08T09:15:10Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-09-08T15:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0404.", + "id": "CVE-2022-3153", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 8.4E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3153", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3153", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3153", + "updated": "2023-05-03T12:16:14Z" + }, + { + "affects": [ + { + "fixed_version": "1:1.2.8.dfsg-1ubuntu1.1+esm2", + "installed_version": "pkg:deb/ubuntu/zlib1g@1.2.8.dfsg-1ubuntu1.1?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=zlib" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2022-08-05T07:15:07Z", + "description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).", + "id": "CVE-2022-37434", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.0034099999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T13:18:39Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/", + "https://support.apple.com/kb/HT213489", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/", + "https://www.debian.org/security/2022/dsa-5218", + "https://support.apple.com/kb/HT213491", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/", + "https://support.apple.com/kb/HT213493", + "https://support.apple.com/kb/HT213494", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/", + "https://support.apple.com/kb/HT213490", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-002.html", + "https://access.redhat.com/errata/RHSA-2022:8291", + "https://access.redhat.com/errata/RHSA-2022:8841", + "https://access.redhat.com/errata/RHSA-2022:7793", + "https://access.redhat.com/errata/RHSA-2022:7106", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37434", + "https://access.redhat.com/errata/RHSA-2022:7314", + "https://ubuntu.com/security/notices/USN-5570-2", + "https://ubuntu.com/security/notices/USN-5573-1", + "https://www.cve.org/CVERecord?id=CVE-2022-37434", + "https://access.redhat.com/errata/RHSA-2023:1095", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-003.html", + "https://access.redhat.com/errata/RHSA-2024:0254", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://alas.aws.amazon.com/ALAS-2022-1650.html", + "https://ubuntu.com/security/notices/USN-5570-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2074.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016710", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1849.html" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-37434", + "updated": "2023-07-19T00:56:46Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm10", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm10", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-05-09T22:15:10Z", + "description": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532.", + "id": "CVE-2023-2610", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 5.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T13:40:42Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCLJN4QINITA3ZASKLEJ64C5TFNKELMO/", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00015.html", + "https://support.apple.com/kb/HT213844", + "https://support.apple.com/kb/HT213845", + "https://ubuntu.com/security/notices/USN-6154-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2085.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-194.html", + "https://alas.aws.amazon.com/ALAS-2023-1761.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035955", + "https://www.cve.org/CVERecord?id=CVE-2023-2610" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-2610", + "updated": "2023-12-23T07:15:49Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-01T15:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0102.", + "id": "CVE-2022-2580", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 7.4E-4 + }, + "references": [ + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2580", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-2580", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2580", + "updated": "2022-08-04T23:30:38Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.18.2-2ubuntu1.7+esm3", + "installed_version": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-06-05T14:15:10Z", + "description": "Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.", + "id": "CVE-2020-10543", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.1999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.1999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 190 + ], + "epss": 0.0030799999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:11:45Z" + }, + "references": [ + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://security.gentoo.org/glsa/202006-03", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://ubuntu.com/security/notices/USN-4602-1", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html", + "https://ubuntu.com/security/notices/USN-4602-2", + "https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod", + "https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod", + "https://www.cve.org/CVERecord?id=CVE-2020-10543", + "https://access.redhat.com/errata/RHSA-2021:1678", + "https://access.redhat.com/errata/RHSA-2021:2792", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005", + "https://access.redhat.com/errata/RHSA-2021:1032", + "https://access.redhat.com/errata/RHSA-2021:0883", + "https://access.redhat.com/errata/RHSA-2021:1266", + "https://access.redhat.com/errata/RHSA-2021:0343" + ], + "related": [ + "USN-4602-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543", + "updated": "2023-11-07T03:14:10Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-18T20:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0490.", + "id": "CVE-2022-3235", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.7E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://www.cve.org/CVERecord?id=CVE-2022-3235", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3235" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3235", + "updated": "2023-11-07T03:50:59Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libasn1-8-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libhx509-5-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2023-01-12T15:15:10Z", + "description": "A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.", + "id": "CVE-2022-3437", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 0.0099499999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T18:45:44Z" + }, + "references": [ + "https://access.redhat.com/security/cve/CVE-2022-3437", + "https://bugzilla.redhat.com/show_bug.cgi?id=2137774", + "https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html", + "https://security.gentoo.org/glsa/202310-06", + "https://www.samba.org/samba/security/CVE-2022-3437.html", + "https://security.gentoo.org/glsa/202309-06", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-032.html", + "https://ubuntu.com/security/notices/USN-5800-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187", + "https://ubuntu.com/security/notices/USN-5822-1", + "https://ubuntu.com/security/notices/USN-5822-2", + "https://ubuntu.com/security/notices/USN-5936-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3437" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3437", + "updated": "2024-04-22T16:15:12Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-03-13T03:29:00Z", + "description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "id": "CVE-2019-9740", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 93 + ], + "epss": 0.0035300001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T12:44:28Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3335", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://bugs.python.org/issue36276", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://usn.ubuntu.com/4127-2/", + "https://usn.ubuntu.com/4127-1/", + "https://seclists.org/bugtraq/2019/Oct/29", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ORNTF62QPLMJXIQ7KTZQ2776LMIXEKL/", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:2030", + "https://security.gentoo.org/glsa/202003-26", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44TS66GJMO5H3RLMVZEBGEFTB6O2LJJU/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://www.cve.org/CVERecord?id=CVE-2019-9740", + "https://access.redhat.com/errata/RHSA-2020:1268", + "https://alas.aws.amazon.com/ALAS-2019-1324.html", + "https://alas.aws.amazon.com/ALAS-2019-1242.html", + "https://access.redhat.com/errata/RHBA-2020:0547", + "https://access.redhat.com/errata/RHSA-2020:1462", + "https://access.redhat.com/errata/RHSA-2020:1346", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1247.html", + "https://alas.aws.amazon.com/ALAS-2019-1243.html", + "https://alas.aws.amazon.com/ALAS-2019-1230.html", + "https://alas.aws.amazon.com/ALAS-2019-1204.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://ubuntu.com/security/notices/USN-4127-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9740", + "updated": "2023-11-07T03:13:45Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + } + ], + "created": "2017-06-12T13:29:00Z", + "description": "nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon crash or code execution as the user running nscd.", + "id": "CVE-2014-9984", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0148200002 + }, + "references": [ + "https://seclists.org/bugtraq/2019/Jun/14", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=c44496df2f090a56d3bf75df930592dac6bba46f", + "https://seclists.org/bugtraq/2019/Sep/7", + "https://sourceware.org/bugzilla/show_bug.cgi?id=16695", + "https://www.cve.org/CVERecord?id=CVE-2014-9984", + "https://ubuntu.com/security/notices/USN-6762-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-6762-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2014-9984", + "updated": "2023-11-07T02:23:13Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. When using the z= command, the user may overflow the count with values larger\nthan MAX_INT. Impact is low, user interaction is required and a crash may not even happen in all situations. This vulnerability has been addressed in commit `73b2d379` which has been included in release version 9.0.2111. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48236", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00101 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://www.cve.org/CVERecord?id=CVE-2023-48236", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2024-1902.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48236", + "updated": "2024-01-25T21:38:21Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2017-06-29T23:29:00Z", + "description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.", + "id": "CVE-2017-10685", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 134 + ], + "epss": 0.0213799998 + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=1464692", + "https://security.gentoo.org/glsa/201804-13", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5448-1", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1302.html", + "https://www.cve.org/CVERecord?id=CVE-2017-10685" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-10685", + "updated": "2019-10-03T00:03:26Z" + }, + { + "affects": [ + { + "fixed_version": "0:20211016~14.04.1~esm1", + "installed_version": "pkg:deb/ubuntu/ca-certificates@20170717%7E14.04.2?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-12-06T12:56:08Z", + "description": "USN-5761-1 updated ca-certificates. This update provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n Due to security concerns, the TrustCor certificate authority has been\n marked as distrusted in Mozilla's root store. This update removes the\n TrustCor CA certificates from the ca-certificates package.\n", + "id": "USN-5761-2", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/5761-2" + }, + { + "affects": [ + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm1", + "installed_version": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + }, + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm1", + "installed_version": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + } + ], + "created": "2017-08-04T09:29:00Z", + "description": "In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.", + "id": "CVE-2017-12424", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 119 + ], + "epss": 0.0054000001 + }, + "references": [ + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630", + "https://security.gentoo.org/glsa/201710-16", + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675", + "https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html", + "https://www.cve.org/CVERecord?id=CVE-2017-12424", + "https://ubuntu.com/security/notices/USN-5254-1" + ], + "related": [ + "USN-5254-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-12424", + "updated": "2021-03-23T20:02:18Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm7", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + }, + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm7", + "installed_version": "pkg:deb/ubuntu/expat@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-09-14T11:15:54Z", + "description": "libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.", + "id": "CVE-2022-40674", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00562, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:06:17Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/", + "https://www.debian.org/security/2022/dsa-5236", + "https://security.gentoo.org/glsa/202209-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html", + "https://security.gentoo.org/glsa/202211-06", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1877.html", + "https://access.redhat.com/errata/RHSA-2023:3068", + "https://access.redhat.com/errata/RHSA-2022:7021", + "https://access.redhat.com/errata/RHSA-2022:7022", + "https://access.redhat.com/errata/RHSA-2022:7020", + "https://access.redhat.com/errata/RHSA-2022:7025", + "https://access.redhat.com/errata/RHSA-2022:8598", + "https://access.redhat.com/errata/RHSA-2022:7026", + "https://access.redhat.com/errata/RHSA-2022:7023", + "https://access.redhat.com/errata/RHSA-2022:7024", + "https://www.cve.org/CVERecord?id=CVE-2022-40674", + "https://access.redhat.com/errata/RHSA-2022:7019", + "https://alas.aws.amazon.com/ALAS-2022-1654.html", + "https://access.redhat.com/errata/RHSA-2022:6921", + "https://access.redhat.com/errata/RHSA-2022:6967", + "https://ubuntu.com/security/notices/USN-5726-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019761", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:8841", + "https://alas.aws.amazon.com/AL2/ALASFIREFOX-2023-010.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1900.html", + "https://access.redhat.com/errata/RHSA-2022:6995", + "https://access.redhat.com/errata/RHSA-2022:6832", + "https://access.redhat.com/errata/RHSA-2022:6997", + "https://access.redhat.com/errata/RHSA-2022:6831", + "https://access.redhat.com/errata/RHSA-2022:6996", + "https://access.redhat.com/errata/RHSA-2022:6878", + "https://access.redhat.com/errata/RHSA-2022:6834", + "https://access.redhat.com/errata/RHSA-2022:6998", + "https://access.redhat.com/errata/RHSA-2022:6833", + "https://access.redhat.com/errata/RHSA-2022:6838", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-40674", + "https://ubuntu.com/security/notices/USN-5638-1", + "https://ubuntu.com/security/notices/USN-5638-2", + "https://ubuntu.com/security/notices/USN-5638-4" + ], + "related": [ + "USN-5638-4" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-40674", + "updated": "2023-11-07T03:52:34Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm10", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm10", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2021-01-19T06:15:12Z", + "description": "Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.", + "id": "CVE-2021-3177", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 120 + ], + "epss": 0.0311900005, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://bugs.python.org/issue42938", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@\u003cdev.mina.apache.org\u003e", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/", + "https://security.gentoo.org/glsa/202101-18", + "https://access.redhat.com/errata/RHSA-2021:3252", + "https://ubuntu.com/security/notices/USN-4754-2(regressioninpython2.7)", + "https://access.redhat.com/errata/RHSA-2022:5235", + "https://ubuntu.com/security/notices/USN-4754-4", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://access.redhat.com/errata/RHSA-2021:1633", + "https://ubuntu.com/security/notices/USN-4754-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3177", + "https://access.redhat.com/errata/RHSA-2021:1879", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3177", + "https://ubuntu.com/security/notices/USN-4754-5", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1611.html", + "https://access.redhat.com/errata/RHSA-2021:3254", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2021-1484.html", + "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-005.html", + "https://access.redhat.com/errata/RHSA-2021:1761" + ], + "related": [ + "USN-4754-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3177", + "updated": "2023-11-07T03:37:56Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2019-12-10T22:15:14Z", + "description": "Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.", + "id": "CVE-2019-13750", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 0.0076600001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:26Z" + }, + "references": [ + "https://www.debian.org/security/2020/dsa-4606", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://usn.ubuntu.com/4298-2/", + "https://usn.ubuntu.com/4298-1/", + "https://security.gentoo.org/glsa/202003-08", + "https://seclists.org/bugtraq/2020/Jan/27", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/", + "https://ubuntu.com/security/notices/USN-4298-2", + "https://www.cve.org/CVERecord?id=CVE-2019-13750", + "https://access.redhat.com/errata/RHSA-2021:4396", + "https://ubuntu.com/security/notices/USN-4298-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-13750", + "updated": "2023-11-07T03:04:22Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-07-05T13:15:08Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2304", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 121 + ], + "epss": 0.00103, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2304", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://www.cve.org/CVERecord?id=CVE-2022-2304" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2304", + "updated": "2023-11-07T03:46:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-10T14:12:57Z", + "description": "nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "id": "CVE-2022-22826", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0073899999 + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://www.cve.org/CVERecord?id=CVE-2022-22826", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22826", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-22826", + "updated": "2022-10-06T12:44:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm4", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2021-09-01T18:49:31Z", + "description": "USN-5051-2 introduced a regression in OpenSSL that affected only Ubuntu 14.04 ESM.\nThis update fix the regression.\n\nOriginal advisory details:\n\n Ingo Schwarze discovered that OpenSSL incorrectly handled certain ASN.1\n strings. A remote attacker could use this issue to cause OpenSSL to crash,\n resulting in a denial of service, or possibly obtain sensitive information.\n (CVE-2021-3712)\n", + "id": "USN-5051-4", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/5051-4" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. When getting the count for a normal mode z command, it may overflow for large counts given. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `58f9befca1` which has been included in release version 9.0.2109. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48234", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00101 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://www.cve.org/CVERecord?id=CVE-2023-48234", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2024-1902.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48234", + "updated": "2024-01-25T21:33:46Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-17T22:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.", + "id": "CVE-2022-3234", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 9.2E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://www.cve.org/CVERecord?id=CVE-2022-3234", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3234" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3234", + "updated": "2023-11-07T03:50:59Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.6-5ubuntu0.1~esm1", + "installed_version": "pkg:deb/ubuntu/bzip2@1.0.6-5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.0.6-5ubuntu0.1~esm1", + "installed_version": "pkg:deb/ubuntu/libbz2-1.0@1.0.6-5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=bzip2" + } + ], + "created": "2019-06-19T23:15:09Z", + "description": "BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.", + "id": "CVE-2019-12900", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.0174499992, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:16:20Z" + }, + "references": [ + "https://seclists.org/bugtraq/2019/Aug/4", + "https://lists.apache.org/thread.html/rce8cd8c30f60604b580ea01bebda8a671a25c9a1629f409fc24e7774@\u003cuser.flink.apache.org\u003e", + "https://usn.ubuntu.com/4146-1/", + "https://usn.ubuntu.com/4038-2/", + "https://usn.ubuntu.com/4146-2/", + "https://support.f5.com/csp/article/K68713584?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00014.html", + "https://usn.ubuntu.com/4038-1/", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@\u003cusers.kafka.apache.org\u003e", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00021.html", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00012.html", + "https://seclists.org/bugtraq/2019/Jul/22", + "https://lists.debian.org/debian-lts-announce/2019/10/msg00018.html", + "https://lists.apache.org/thread.html/rda98305669476c4d90cc8527c4deda7e449019dd1fe9936b56671dd4@\u003cuser.flink.apache.org\u003e", + "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc", + "https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc", + "https://ubuntu.com/security/notices/USN-4038-1", + "https://ubuntu.com/security/notices/USN-4146-2", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1652.html", + "https://ubuntu.com/security/notices/USN-4146-1", + "https://bugs.launchpad.net/ubuntu/+source/bzip2/+bug/1834494", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930886", + "https://www.cve.org/CVERecord?id=CVE-2019-12900", + "https://ubuntu.com/security/notices/USN-4038-4", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-12900", + "https://ubuntu.com/security/notices/USN-4038-3", + "https://ubuntu.com/security/notices/USN-4038-2" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-12900", + "updated": "2023-11-07T03:03:43Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm2", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2019-09-04T06:15:10Z", + "description": "In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.", + "id": "CVE-2019-15903", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 776 + ], + "epss": 0.0050499998, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:12:19Z" + }, + "references": [ + "https://usn.ubuntu.com/4335-1/", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00006.html", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://access.redhat.com/errata/RHSA-2019:3756", + "https://access.redhat.com/errata/RHSA-2019:3210", + "https://usn.ubuntu.com/4165-1/", + "https://support.apple.com/kb/HT210785", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A4TZKPJFTURRLXIGLB34WVKQ5HGY6JJA/", + "https://lists.debian.org/debian-lts-announce/2019/11/msg00017.html", + "https://access.redhat.com/errata/RHSA-2019:3237", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://support.apple.com/kb/HT210789", + "https://support.apple.com/kb/HT210788", + "https://seclists.org/bugtraq/2019/Dec/21", + "https://seclists.org/bugtraq/2019/Dec/23", + "https://security.gentoo.org/glsa/201911-08", + "https://usn.ubuntu.com/4132-2/", + "https://www.debian.org/security/2019/dsa-4549", + "https://usn.ubuntu.com/4202-1/", + "https://support.apple.com/kb/HT210790", + "https://seclists.org/bugtraq/2019/Nov/24", + "https://seclists.org/bugtraq/2019/Sep/37", + "https://support.apple.com/kb/HT210795", + "https://support.apple.com/kb/HT210794", + "https://support.apple.com/kb/HT210793", + "https://www.debian.org/security/2019/dsa-4571", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BDUTI5TVQWIGGQXPEVI4T2ENHFSBMIBP/", + "https://seclists.org/bugtraq/2019/Sep/30", + "https://seclists.org/bugtraq/2019/Oct/29", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S26LGXXQ7YF2BP3RGOWELBFKM6BHF6UG/", + "https://www.debian.org/security/2019/dsa-4530", + "https://seclists.org/bugtraq/2019/Nov/1", + "https://seclists.org/bugtraq/2019/Dec/17", + "https://usn.ubuntu.com/4132-1/", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://access.redhat.com/errata/RHSA-2020:3952", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1513.html", + "https://ubuntu.com/security/notices/USN-4165-1", + "https://ubuntu.com/security/notices/USN-4132-2", + "https://ubuntu.com/security/notices/USN-4335-1", + "https://ubuntu.com/security/notices/USN-4132-1", + "https://access.redhat.com/errata/RHSA-2020:4484", + "https://access.redhat.com/errata/RHSA-2019:3193", + "https://www.cve.org/CVERecord?id=CVE-2019-15903", + "https://access.redhat.com/errata/RHSA-2020:2646", + "https://alas.aws.amazon.com/ALAS-2021-1459.html", + "https://access.redhat.com/errata/RHSA-2020:2644", + "https://access.redhat.com/errata/RHSA-2019:3196", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1376.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939394", + "https://ubuntu.com/security/notices/USN-4202-1", + "https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/", + "https://ubuntu.com/security/notices/USN-4852-1" + ], + "related": [ + "USN-4132-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-15903", + "updated": "2023-11-07T03:05:35Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-14T12:15:23Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0572", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00124 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GOY5YWTP5QUY2EFLCL7AUWA2CV57C37/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0572", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0572" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572", + "updated": "2023-11-07T03:41:24Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-16T23:15:09Z", + "description": "Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an\noverflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.", + "id": "CVE-2023-48235", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00164 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/", + "https://www.cve.org/CVERecord?id=CVE-2023-48235", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2353.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2024-1902.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-447.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48235", + "updated": "2024-01-25T21:33:50Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "12-12" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Use of apt: 'apt' does not have a stable CLI interface for non-interactive use.", + "id": "IN-DOCKER-004", + "properties": {}, + "references": [ + "https://manpages.debian.org/stretch/apt/apt.8.en.html" + ], + "severity": "info", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.18.2-2ubuntu1.7+esm3", + "installed_version": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-06-05T14:15:10Z", + "description": "Perl before 5.30.3 has an integer overflow related to mishandling of a \"PL_regkind[OP(n)] == NOTHING\" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.", + "id": "CVE-2020-10878", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.6000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.6000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0028200001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:11:45Z" + }, + "references": [ + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://security.gentoo.org/glsa/202006-03", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://ubuntu.com/security/notices/USN-4602-1", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html", + "https://ubuntu.com/security/notices/USN-4602-2", + "https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod", + "https://www.cve.org/CVERecord?id=CVE-2020-10878", + "https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod", + "https://access.redhat.com/errata/RHSA-2021:1678", + "https://access.redhat.com/errata/RHSA-2021:2792", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005", + "https://access.redhat.com/errata/RHSA-2021:1032", + "https://access.redhat.com/errata/RHSA-2021:0883", + "https://access.redhat.com/errata/RHSA-2021:1266", + "https://access.redhat.com/errata/RHSA-2021:0343" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-10878", + "updated": "2023-11-07T03:14:25Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-14T13:15:07Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "id": "CVE-2022-0213", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 8.6E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0213", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5458-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0213", + "updated": "2022-11-09T03:32:22Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-07-08T19:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0045.", + "id": "CVE-2022-2344", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.0012300001 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://www.cve.org/CVERecord?id=CVE-2022-2344", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2344" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2344", + "updated": "2023-11-07T03:46:32Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm1", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2019-09-10T17:15:11Z", + "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "id": "CVE-2019-1563", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "NVD" + }, + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 203, + 327 + ], + "epss": 0.0150800003, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T19:45:29Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://seclists.org/bugtraq/2019/Oct/0", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html", + "https://seclists.org/bugtraq/2019/Oct/1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://www.debian.org/security/2019/dsa-4540", + "https://security.gentoo.org/glsa/201911-04", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/", + "https://www.openssl.org/news/secadv/20190910.txt", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://usn.ubuntu.com/4504-1/", + "https://www.debian.org/security/2019/dsa-4539", + "https://support.f5.com/csp/article/K97324400?utm_source=f5support\u0026amp;utm_medium=RSS", + "https://usn.ubuntu.com/4376-1/", + "https://usn.ubuntu.com/4376-2/", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1456.html", + "https://access.redhat.com/errata/RHSA-2020:1840", + "https://ubuntu.com/security/notices/USN-4376-2", + "https://ubuntu.com/security/notices/USN-4376-1", + "https://ubuntu.com/security/notices/USN-4504-1", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1406.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2019-1563", + "https://access.redhat.com/errata/RHSA-2020:1336", + "https://alas.aws.amazon.com/ALAS-2020-1344.html", + "https://access.redhat.com/errata/RHSA-2020:1337" + ], + "severity": "low", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-1563", + "updated": "2023-11-07T03:08:32Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm11", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm11", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-06-02T14:15:44Z", + "description": "libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.", + "id": "CVE-2022-27781", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 400, + 835 + ], + "epss": 0.00187 + }, + "references": [ + "https://hackerone.com/reports/1555441", + "https://security.gentoo.org/glsa/202212-01", + "https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html", + "https://www.debian.org/security/2022/dsa-5197", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-083.html", + "https://ubuntu.com/security/notices/USN-5499-1", + "https://www.cve.org/CVERecord?id=CVE-2022-27781", + "https://ubuntu.com/security/notices/USN-5412-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-27781", + "https://alas.aws.amazon.com/ALAS-2022-1646.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1924.html", + "https://access.redhat.com/errata/RHSA-2022:8840", + "https://access.redhat.com/errata/RHSA-2022:8841" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-27781", + "updated": "2024-03-27T15:01:53Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-01T15:15:09Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104.", + "id": "CVE-2022-2581", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 7.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2581", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5775-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2581", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2581", + "updated": "2022-08-04T23:30:00Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-03T19:15:43Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.", + "id": "CVE-2023-4751", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213984", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4751", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/ALAS-2023-1826.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4751", + "updated": "2023-12-22T18:09:16Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-02-16T01:15:07Z", + "description": "xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.", + "id": "CVE-2022-25235", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 116 + ], + "epss": 0.0147099998, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.debian.org/security/2022/dsa-5085", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", + "https://access.redhat.com/errata/RHSA-2022:0847", + "https://access.redhat.com/errata/RHSA-2022:1539", + "https://access.redhat.com/errata/RHSA-2022:0824", + "https://www.cve.org/CVERecord?id=CVE-2022-25235", + "https://access.redhat.com/errata/RHSA-2022:0845", + "https://access.redhat.com/errata/RHSA-2022:0843", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-068.html", + "https://access.redhat.com/errata/RHSA-2022:1012", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://access.redhat.com/errata/RHSA-2022:7811", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://alas.aws.amazon.com/ALAS-2022-1585.html", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://access.redhat.com/errata/RHSA-2022:0816", + "https://access.redhat.com/errata/RHSA-2022:0815", + "https://access.redhat.com/errata/RHSA-2022:1309", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25235", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1795.html", + "https://access.redhat.com/errata/RHSA-2022:0853", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:1644", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1764.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005894", + "https://access.redhat.com/errata/RHSA-2022:1643", + "https://access.redhat.com/errata/RHSA-2022:0850", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1779.html", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://access.redhat.com/errata/RHSA-2022:1068", + "https://alas.aws.amazon.com/ALAS-2022-1573.html", + "https://access.redhat.com/errata/RHSA-2022:1540", + "https://access.redhat.com/errata/RHSA-2022:1263", + "https://access.redhat.com/errata/RHSA-2022:1053", + "https://access.redhat.com/errata/RHSA-2022:1070", + "https://access.redhat.com/errata/RHSA-2022:0818", + "https://access.redhat.com/errata/RHSA-2022:0817" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-25235", + "updated": "2023-11-07T03:44:44Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2017-05-22T05:29:01Z", + "description": "An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the \"SQLite\" component. It allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a crafted SQL statement.", + "id": "CVE-2017-2518", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.0114200003 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html", + "https://usn.ubuntu.com/4019-2/", + "https://usn.ubuntu.com/4019-1/", + "https://support.apple.com/HT207800", + "https://support.apple.com/HT207798", + "https://support.apple.com/HT207797", + "https://support.apple.com/HT207801", + "https://www.cve.org/CVERecord?id=CVE-2017-2518", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2" + ], + "related": [ + "USN-4019-2" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-2518", + "updated": "2019-10-03T00:03:26Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-07-03T15:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2289", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00124 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://www.cve.org/CVERecord?id=CVE-2022-2289", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2289" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2289", + "updated": "2023-11-07T03:46:25Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm12", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm12", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2022-08-24T16:15:09Z", + "description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.", + "id": "CVE-2021-4189", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 252 + ], + "epss": 0.00182 + }, + "references": [ + "https://access.redhat.com/security/cve/CVE-2021-4189", + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://security-tracker.debian.org/tracker/CVE-2021-4189", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://bugs.python.org/issue43285", + "https://bugzilla.redhat.com/show_bug.cgi?id=2036020", + "https://alas.aws.amazon.com/ALAS-2022-1593.html", + "https://www.cve.org/CVERecord?id=CVE-2021-4189", + "https://ubuntu.com/security/notices/USN-5342-2", + "https://ubuntu.com/security/notices/USN-5342-1", + "https://access.redhat.com/errata/RHSA-2022:1821", + "https://access.redhat.com/errata/RHSA-2022:1986", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:3254", + "https://access.redhat.com/errata/RHSA-2022:1663" + ], + "related": [ + "USN-5342-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-4189", + "updated": "2023-06-30T23:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5-3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5support0@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libk5crypto3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + }, + { + "fixed_version": "0:1.12+dfsg-2ubuntu5.4+esm3", + "installed_version": "pkg:deb/ubuntu/libgssapi-krb5-2@1.12%2Bdfsg-2ubuntu5.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=krb5" + } + ], + "created": "2018-12-26T21:29:02Z", + "description": "A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.", + "id": "CVE-2018-20217", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 617 + ], + "epss": 0.00303 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2021/09/msg00019.html", + "https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/", + "https://access.redhat.com/errata/RHBA-2019:2599", + "https://www.cve.org/CVERecord?id=CVE-2018-20217", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387", + "https://ubuntu.com/security/notices/USN-5828-1", + "https://access.redhat.com/errata/RHBA-2020:0547" + ], + "related": [ + "USN-5828-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20217", + "updated": "2023-11-07T02:56:15Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-18T16:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0261", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 8.9E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://ubuntu.com/security/notices/USN-5433-1", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0261", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1567.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0261", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1751.html", + "https://access.redhat.com/errata/RHSA-2022:0894", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2022-1597.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0261", + "updated": "2023-11-07T03:41:10Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "id": "CVE-2024-2961", + "properties": { + "cwes": [ + 787 + ], + "epss": 4.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T07:58:03Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/", + "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004", + "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/", + "https://ubuntu.com/security/notices/USN-6762-1", + "https://ubuntu.com/security/notices/USN-6737-1", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191", + "https://www.cve.org/CVERecord?id=CVE-2024-2961", + "https://access.redhat.com/errata/RHSA-2024:2799", + "https://access.redhat.com/errata/RHSA-2024:2722", + "https://alas.aws.amazon.com/ALAS-2024-1930.html", + "https://ubuntu.com/security/notices/USN-6737-2" + ], + "severity": "unknown", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961", + "updated": "2024-05-04T01:15:06Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libasn1-8-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm3", + "installed_version": "pkg:deb/ubuntu/libhx509-5-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2022-12-25T05:15:11Z", + "description": "Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).", + "id": "CVE-2022-44640", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0144999996 + }, + "references": [ + "https://security.gentoo.org/glsa/202310-06", + "https://ubuntu.com/security/notices/USN-5800-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024187", + "https://www.cve.org/CVERecord?id=CVE-2022-44640", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44640" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-44640", + "updated": "2023-10-08T09:15:11Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-11-22T22:15:08Z", + "description": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.", + "id": "CVE-2023-48706", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 4.9E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-518.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-469.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2384.html", + "https://www.cve.org/CVERecord?id=CVE-2023-48706", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2452.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-48706", + "updated": "2024-01-05T18:15:29Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-02T18:15:17Z", + "description": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846.", + "id": "CVE-2023-4734", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 5.0E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213984", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4734", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/ALAS-2023-1826.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4734" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4734", + "updated": "2023-12-21T02:52:18Z" + }, + { + "affects": [ + { + "fixed_version": "0:20190110~14.04.1~esm2", + "installed_version": "pkg:deb/ubuntu/ca-certificates@20170717%7E14.04.2?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2021-09-23T13:01:20Z", + "description": "USN-5089-1 updated ca-certificates. This update provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n The ca-certificates package contained a CA certificate that will expire on\n 2021-09-30 and will cause connectivity issues. This update removes the\n “DST Root CA X3” CA.\n", + "id": "USN-5089-2", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/5089-2" + }, + { + "affects": [ + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm1", + "installed_version": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=dbus" + }, + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm1", + "installed_version": "pkg:deb/ubuntu/dbus@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-06-11T17:29:00Z", + "description": "dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.", + "id": "CVE-2019-12749", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.0999999046, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 59 + ], + "epss": 4.8E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/201909-08", + "https://access.redhat.com/errata/RHSA-2019:2870", + "https://seclists.org/bugtraq/2019/Jun/16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html", + "https://www.debian.org/security/2019/dsa-4462", + "https://access.redhat.com/errata/RHSA-2019:2868", + "https://access.redhat.com/errata/RHSA-2019:3707", + "https://usn.ubuntu.com/4015-2/", + "https://usn.ubuntu.com/4015-1/", + "https://access.redhat.com/errata/RHSA-2019:1726", + "https://ubuntu.com/security/notices/USN-4015-1", + "https://ubuntu.com/security/notices/USN-4015-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930375", + "https://www.cve.org/CVERecord?id=CVE-2019-12749", + "https://access.redhat.com/errata/RHSA-2020:4032", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1870.html", + "https://alas.aws.amazon.com/ALAS-2019-1246.html" + ], + "related": [ + "USN-4015-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-12749", + "updated": "2023-11-07T03:03:40Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-05-29T14:15:08Z", + "description": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-1927", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 126 + ], + "epss": 9.2E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://access.redhat.com/errata/RHSA-2022:5942", + "https://www.cve.org/CVERecord?id=CVE-2022-1927", + "https://access.redhat.com/errata/RHSA-2022:5813", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1927", + "updated": "2023-11-07T03:42:18Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm4", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm4", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm4", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm4", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2023-08-22T19:16:01Z", + "description": "Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.", + "id": "CVE-2020-19189", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00296 + }, + "references": [ + "https://support.apple.com/kb/HT214038", + "https://support.apple.com/kb/HT214036", + "https://support.apple.com/kb/HT214037", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00033.html", + "https://www.cve.org/CVERecord?id=CVE-2020-19189", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6451-1", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2412.html" + ], + "related": [ + "USN-6451-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-19189", + "updated": "2023-12-13T01:15:07Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm3", + "installed_version": "pkg:deb/ubuntu/dbus@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm3", + "installed_version": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=dbus" + } + ], + "created": "2022-10-10T00:15:09Z", + "description": "An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.", + "id": "CVE-2022-42010", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 347 + ], + "epss": 0.00134 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQCSLMCK2XGX23R2DKW2MSAICQAK6MT2/", + "https://security.gentoo.org/glsa/202305-08", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E4CO7N226I3X5FNBR2MACCH6TS764VJP/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ND74SKN56BCYL3QLEAAB6E64UUBRA5UG/", + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/418", + "https://access.redhat.com/errata/RHSA-2022:8812", + "https://access.redhat.com/errata/RHSA-2022:8977", + "https://ubuntu.com/security/notices/USN-5704-1", + "https://access.redhat.com/errata/RHSA-2023:0335", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-100.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-42010", + "https://alas.aws.amazon.com/ALAS-2023-1730.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2006.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-42010", + "https://access.redhat.com/errata/RHSA-2023:0096" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-42010", + "updated": "2023-12-27T16:49:29Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2019-12-30T01:15:12Z", + "description": "The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.", + "id": "CVE-2019-20079", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T12:21:49Z" + }, + "references": [ + "https://usn.ubuntu.com/4309-1/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-20079", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2019-20079", + "https://ubuntu.com/security/notices/USN-4309-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-20079", + "updated": "2020-10-20T16:04:08Z" + }, + { + "affects": [ + { + "fixed_version": "1:1.2.8.dfsg-1ubuntu1.1+esm1", + "installed_version": "pkg:deb/ubuntu/zlib1g@1.2.8.dfsg-1ubuntu1.1?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=zlib" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm3", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2022-03-25T09:15:08Z", + "description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.", + "id": "CVE-2018-25032", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00278, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T19:12:52Z" + }, + "references": [ + "https://support.apple.com/kb/HT213257", + "https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html", + "https://support.apple.com/kb/HT213255", + "https://support.apple.com/kb/HT213256", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html", + "https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/", + "https://security.gentoo.org/glsa/202210-42", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.debian.org/security/2022/dsa-5111", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/", + "https://ubuntu.com/security/notices/USN-5739-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-25032", + "https://access.redhat.com/errata/RHSA-2023:0976", + "https://access.redhat.com/errata/RHSA-2023:0975", + "https://access.redhat.com/errata/RHSA-2022:2201", + "https://access.redhat.com/errata/RHSA-2022:4592", + "https://ubuntu.com/security/notices/USN-5359-2", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://ubuntu.com/security/notices/USN-5359-1", + "https://access.redhat.com/errata/RHSA-2022:2197", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1772.html", + "https://access.redhat.com/errata/RHSA-2022:2192", + "https://access.redhat.com/errata/RHSA-2022:5439", + "https://alas.aws.amazon.com/ALAS-2022-1602.html", + "https://access.redhat.com/errata/RHSA-2022:7813", + "https://access.redhat.com/errata/RHSA-2022:4845", + "https://ubuntu.com/security/notices/USN-6736-1", + "https://alas.aws.amazon.com/ALAS-2022-1640.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-002.html", + "https://access.redhat.com/errata/RHSA-2023:0943", + "https://access.redhat.com/errata/RHSA-2022:1642", + "https://access.redhat.com/errata/RHSA-2022:2214", + "https://access.redhat.com/errata/RHSA-2022:2213", + "https://access.redhat.com/errata/RHSA-2022:1661", + "https://www.cve.org/CVERecord?id=CVE-2018-25032", + "https://access.redhat.com/errata/RHSA-2022:8420", + "https://access.redhat.com/errata/RHSA-2022:4584", + "https://access.redhat.com/errata/RHSA-2022:2198", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265", + "https://access.redhat.com/errata/RHSA-2022:1591", + "https://ubuntu.com/security/notices/USN-5355-2", + "https://ubuntu.com/security/notices/USN-5355-1", + "https://access.redhat.com/errata/RHSA-2022:4896", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-003.html" + ], + "related": [ + "USN-6736-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-25032", + "updated": "2023-11-07T02:56:26Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm4", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm4", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-09-28T02:15:10Z", + "description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.", + "id": "CVE-2019-16935", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 79 + ], + "epss": 0.00214, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M34WOYCDKTDE5KLUACE2YIEH7D37KHRX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BEARDOTXCYPYELKBD2KWZ27GSPXDI3GQ/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JCPGLTTOBB3QEARDX4JOYURP6ELNNA2V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGESQSGIHDCIGOBVF7VXCMIE6YDWRYB/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4X3HW5JRZ7GCPSR7UHJOLD7AWLTQCDVR/", + "https://bugs.python.org/issue38243", + "https://usn.ubuntu.com/4151-1/", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://usn.ubuntu.com/4151-2/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027149", + "https://access.redhat.com/errata/RHSA-2020:4433", + "https://ubuntu.com/security/notices/USN-4151-2", + "https://access.redhat.com/errata/RHSA-2020:4285", + "https://ubuntu.com/security/notices/USN-4151-1", + "https://access.redhat.com/errata/RHSA-2020:1605", + "https://www.cve.org/CVERecord?id=CVE-2019-16935", + "https://access.redhat.com/errata/RHSA-2020:3911", + "https://access.redhat.com/errata/RHSA-2020:3888" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-16935", + "updated": "2023-11-07T03:06:03Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.18.2-2ubuntu1.7+esm3", + "installed_version": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-06-05T15:15:10Z", + "description": "regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.", + "id": "CVE-2020-12723", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 120 + ], + "epss": 0.00239, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T11:11:45Z" + }, + "references": [ + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://security.gentoo.org/glsa/202006-03", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html", + "https://ubuntu.com/security/notices/USN-4602-1", + "https://ubuntu.com/security/notices/USN-4602-2", + "https://access.redhat.com/errata/RHSA-2021:2184", + "https://metacpan.org/pod/release/XSAWYERX/perl-5.30.3/pod/perldelta.pod", + "https://www.cve.org/CVERecord?id=CVE-2020-12723", + "https://metacpan.org/pod/release/XSAWYERX/perl-5.28.3/pod/perldelta.pod", + "https://access.redhat.com/errata/RHSA-2021:0557", + "https://access.redhat.com/errata/RHSA-2021:1032", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962005", + "https://access.redhat.com/errata/RHSA-2021:0883", + "https://access.redhat.com/errata/RHSA-2021:1266", + "https://access.redhat.com/errata/RHSA-2021:0343" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-12723", + "updated": "2023-11-07T03:15:43Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm6", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm6", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2020-12-14T20:15:13Z", + "description": "A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.", + "id": "CVE-2020-8284", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "NVD" + }, + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 200 + ], + "epss": 0.00115 + }, + "references": [ + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://support.apple.com/kb/HT212325", + "https://www.debian.org/security/2021/dsa-4881", + "https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html", + "https://support.apple.com/kb/HT212327", + "https://security.gentoo.org/glsa/202012-14", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/", + "https://support.apple.com/kb/HT212326", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://hackerone.com/reports/1040166", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1693.html", + "https://access.redhat.com/errata/RHSA-2021:2471", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977163", + "https://ubuntu.com/security/notices/USN-4665-2", + "https://www.cve.org/CVERecord?id=CVE-2020-8284", + "https://ubuntu.com/security/notices/USN-4665-1", + "https://access.redhat.com/errata/RHSA-2021:2472", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8284", + "https://access.redhat.com/errata/RHSA-2021:1610" + ], + "severity": "low", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284", + "updated": "2024-04-08T22:50:54Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2017-02-10T07:59:00Z", + "description": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.", + "id": "CVE-2017-5953", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0104 + }, + "references": [ + "https://usn.ubuntu.com/4309-1/", + "https://security.gentoo.org/glsa/201706-26", + "https://usn.ubuntu.com/4016-1/", + "https://groups.google.com/forum/", + "https://ubuntu.com/security/notices/USN-4016-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854969", + "https://www.cve.org/CVERecord?id=CVE-2017-5953", + "https://ubuntu.com/security/notices/USN-4309-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-5953", + "updated": "2023-11-07T02:49:47Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "9-9" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: AWS Access Key ID.", + "id": "IN-DOCKER-007-001", + "properties": {}, + "references": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html" + ], + "severity": "critical", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2021-09-20T16:15:12Z", + "description": "An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.", + "id": "CVE-2021-39537", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.0085899998 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://support.apple.com/kb/HT213443", + "https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html", + "https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html", + "https://ubuntu.com/security/notices/USN-5477-1", + "https://ubuntu.com/security/notices/USN-6099-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2021-39537", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1893.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-39537", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-023.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-39537", + "updated": "2023-12-03T20:15:06Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-04T14:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.1858.", + "id": "CVE-2023-4752", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 5.5E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T16:40:08Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/", + "https://support.apple.com/kb/HT213984", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/", + "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html", + "https://alas.aws.amazon.com/ALAS-2023-1837.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4752", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4752" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4752", + "updated": "2024-02-01T17:59:00Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm15", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm15", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-03-30T20:15:07Z", + "description": "An authentication bypass vulnerability exists in libcurl \u003c8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.", + "id": "CVE-2023-27535", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 305, + 287 + ], + "epss": 0.00154, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:08:25Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/", + "https://hackerone.com/reports/1892780", + "https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html", + "https://security.gentoo.org/glsa/202310-12", + "https://access.redhat.com/errata/RHSA-2023:3106", + "https://www.cve.org/CVERecord?id=CVE-2023-27535", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2070.html", + "https://access.redhat.com/errata/RHSA-2024:0428", + "https://access.redhat.com/errata/RHSA-2023:2650", + "https://ubuntu.com/security/notices/USN-5964-1", + "https://ubuntu.com/security/notices/USN-5964-2", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-193.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-27535", + "https://alas.aws.amazon.com/ALAS-2023-1727.html" + ], + "related": [ + "USN-5964-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-27535", + "updated": "2024-03-27T14:47:21Z" + }, + { + "affects": [ + { + "fixed_version": "0:0.6.0-2ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/libbsd0@0.6.0-2ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=libbsd" + } + ], + "created": "2020-01-08T17:15:11Z", + "description": "nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a comparison for a symbol name from the string table (strtab).", + "id": "CVE-2019-20367", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.1000003815, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00465 + }, + "references": [ + "https://lists.apache.org/thread.html/r0e913668380f59bcbd14fdd8ae8d24f95f99995e290cd18a7822c6e5@\u003cdev.tomee.apache.org\u003e", + "https://gitlab.freedesktop.org/libbsd/libbsd/commit/9d917aad37778a9f4a96ba358415f077f3f36f3b", + "https://lists.apache.org/thread.html/ra781e51cf1ec40381c98cddc073b3576fb56c3978f4564d2fa431550@\u003cdev.tomee.apache.org\u003e", + "https://lists.debian.org/debian-lts-announce/2021/02/msg00027.html", + "https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html", + "https://usn.ubuntu.com/4243-1/", + "https://ubuntu.com/security/notices/USN-4243-1", + "https://www.cve.org/CVERecord?id=CVE-2019-20367", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-20367", + "updated": "2023-11-07T03:09:08Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.8.9p5-1ubuntu1.5+esm3", + "installed_version": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-01-29T18:15:12Z", + "description": "In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. (pwfeedback is a default setting in Linux Mint and elementary OS; however, it is NOT the default for upstream and many other packages, and would exist only if enabled by an administrator.) The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.", + "id": "CVE-2019-18634", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.00184, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-14T14:37:32Z" + }, + "references": [ + "https://access.redhat.com/errata/RHSA-2020:0540", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/", + "https://access.redhat.com/errata/RHSA-2020:0487", + "https://access.redhat.com/errata/RHSA-2020:0726", + "https://seclists.org/bugtraq/2020/Jan/44", + "https://seclists.org/bugtraq/2020/Feb/3", + "https://seclists.org/bugtraq/2020/Feb/2", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/", + "https://security.gentoo.org/glsa/202003-12", + "https://usn.ubuntu.com/4263-2/", + "https://lists.debian.org/debian-lts-announce/2020/02/msg00002.html", + "https://support.apple.com/kb/HT210919", + "https://access.redhat.com/errata/RHSA-2020:0509", + "https://www.debian.org/security/2020/dsa-4614", + "https://usn.ubuntu.com/4263-1/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950371", + "https://ubuntu.com/security/notices/USN-4263-1", + "https://ubuntu.com/security/notices/USN-4263-2", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1404.html", + "https://www.cve.org/CVERecord?id=CVE-2019-18634", + "https://alas.aws.amazon.com/ALAS-2020-1356.html" + ], + "related": [ + "USN-4263-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-18634", + "updated": "2023-11-07T03:06:53Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-03-07T22:15:10Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.1392.", + "id": "CVE-2023-1264", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 5.3E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T12:32:50Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4KDAU76Z7QNSPKZX2JAJ6O7KIEOXWTL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIAKPMKJ4OZ6NYRZJO7YWMNQL2BICLYV/", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-151.html", + "https://www.cve.org/CVERecord?id=CVE-2023-1264", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2005.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1264" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-1264", + "updated": "2023-11-07T04:02:58Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-03-30T12:15:07Z", + "description": "Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8.2.4646.", + "id": "CVE-2022-1154", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00181 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C2CQXRLBIC4S7JQVEIN5QXKQPYWB5E3J/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://ubuntu.com/security/notices/USN-5433-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1154", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://www.cve.org/CVERecord?id=CVE-2022-1154", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:1552", + "https://access.redhat.com/errata/RHSA-2022:5242" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1154", + "updated": "2023-11-07T03:41:45Z" + }, + { + "affects": [ + { + "fixed_version": "0:20190110~14.04.1~esm1", + "installed_version": "pkg:deb/ubuntu/ca-certificates@20170717%7E14.04.2?arch=all\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2020-06-01T17:05:10Z", + "description": "USN-4377-1 updated ca-certificates. This update provides\nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\n The ca-certificates package contained an expired CA certificate that caused\n connectivity issues. This update removes the \"AddTrust External Root\" CA.\n\n In addition, on Ubuntu 12.04 ESM and Ubuntu 14.04 ESM, this update\n refreshes the included certificates to those contained in the 20190110\n package.\n", + "id": "USN-4377-2", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/4377-2" + }, + { + "affects": [ + { + "fixed_version": "0:4.3-7ubuntu1.8+esm1", + "installed_version": "pkg:deb/ubuntu/bash@4.3-7ubuntu1.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-03-22T08:29:00Z", + "description": "rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.", + "id": "CVE-2019-9924", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 862 + ], + "epss": 6.3E-4 + }, + "references": [ + "https://usn.ubuntu.com/4058-2/", + "https://usn.ubuntu.com/4058-1/", + "https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441", + "https://lists.debian.org/debian-lts-announce/2019/03/msg00028.html", + "https://access.redhat.com/errata/RHSA-2020:1113", + "https://access.redhat.com/errata/RHSA-2020:3474", + "https://alas.aws.amazon.com/ALAS-2020-1379.html", + "https://access.redhat.com/errata/RHBA-2020:1539", + "https://access.redhat.com/errata/RHSA-2020:3803", + "https://access.redhat.com/errata/RHBA-2020:1540", + "https://ubuntu.com/security/notices/USN-4058-1", + "https://ubuntu.com/security/notices/USN-4058-2", + "https://lists.gnu.org/archive/html/bug-bash/2017-03/msg00077.html", + "https://www.cve.org/CVERecord?id=CVE-2019-9924", + "https://access.redhat.com/errata/RHSA-2020:3592", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1503.html" + ], + "related": [ + "USN-4058-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9924", + "updated": "2022-04-05T20:11:00Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-07T19:15:07Z", + "description": "Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution", + "id": "CVE-2022-1616", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 0.00403, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1616", + "https://www.cve.org/CVERecord?id=CVE-2022-1616", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1616", + "updated": "2023-11-07T03:42:02Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm6", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2023-02-08T20:15:24Z", + "description": "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n", + "id": "CVE-2023-0286", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 843 + ], + "epss": 0.0025500001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T20:01:58Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202402-08", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", + "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", + "https://www.openssl.org/news/secadv/20230207.txt", + "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", + "https://access.redhat.com/errata/RHSA-2023:5209", + "https://access.redhat.com/errata/RHSA-2023:2932", + "https://access.redhat.com/errata/RHSA-2023:3421", + "https://access.redhat.com/errata/RHSA-2023:1440", + "https://access.redhat.com/errata/RHSA-2023:1441", + "https://access.redhat.com/errata/RHSA-2023:3420", + "https://www.cve.org/CVERecord?id=CVE-2023-0286", + "https://access.redhat.com/errata/RHSA-2023:1405", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1934.html", + "https://alas.aws.amazon.com/ALAS-2023-1683.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-101.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2023:2022", + "https://access.redhat.com/errata/RHSA-2023:2165", + "https://ubuntu.com/security/notices/USN-6564-1", + "https://access.redhat.com/errata/RHSA-2023:4128", + "https://access.redhat.com/errata/RHSA-2023:1335", + "https://access.redhat.com/errata/RHSA-2023:3355", + "https://access.redhat.com/errata/RHSA-2023:4124", + "https://access.redhat.com/errata/RHSA-2023:3354", + "https://access.redhat.com/errata/RHSA-2023:1199", + "https://access.redhat.com/errata/RHSA-2023:1437", + "https://access.redhat.com/errata/RHSA-2023:1438", + "https://access.redhat.com/errata/RHSA-2023:1439", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1935.html", + "https://access.redhat.com/errata/RHSA-2023:0946", + "https://ubuntu.com/security/notices/USN-5844-1", + "https://ubuntu.com/security/notices/USN-5845-2", + "https://ubuntu.com/security/notices/USN-5845-1", + "https://access.redhat.com/errata/RHSA-2023:4252", + "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", + "updated": "2024-02-04T09:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-07-13T21:15:10Z", + "description": "http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py in Python before 3.7.3 does not correctly validate the domain: it can be tricked into sending existing cookies to the wrong server. An attacker may abuse this flaw by using a server with a hostname that has another valid hostname as a suffix (e.g., pythonicexample.com to steal cookies for example.com). When a program uses http.cookiejar.DefaultPolicy and tries to do an HTTP connection to an attacker-controlled server, existing cookies can be leaked to the attacker. This affects 2.x through 2.7.16, 3.x before 3.4.10, 3.5.x before 3.5.7, 3.6.x before 3.6.9, and 3.7.x before 3.7.3.", + "id": "CVE-2018-20852", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.3000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20 + ], + "epss": 0.0048400001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:22:21Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/COATURTCY7G67AYI6UDV5B2JZTBCKIDX/", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K7HNVIFMETMFWWWUNTB72KYJYXCZOS5V/", + "https://bugs.python.org/issue35121", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00040.html", + "https://usn.ubuntu.com/4127-2/", + "https://usn.ubuntu.com/4127-1/", + "https://security.gentoo.org/glsa/202003-26", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://access.redhat.com/errata/RHSA-2019:3948", + "https://lists.debian.org/debian-lts-announce/2019/08/msg00022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBTGPBUABGXZ7WH7677OEM3NSP6ZEA76/", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://alas.aws.amazon.com/ALAS-2020-1375.html", + "https://access.redhat.com/errata/RHSA-2020:1132", + "https://access.redhat.com/errata/RHBA-2020:1539", + "https://access.redhat.com/errata/RHSA-2020:1131", + "https://access.redhat.com/errata/RHSA-2020:1605", + "https://access.redhat.com/errata/RHBA-2020:1540", + "https://access.redhat.com/errata/RHSA-2020:1764", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1432.html", + "https://www.cve.org/CVERecord?id=CVE-2018-20852", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://ubuntu.com/security/notices/USN-4127-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20852", + "updated": "2023-11-07T02:56:21Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-09-03T16:15:08Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0360.", + "id": "CVE-2022-3099", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.7E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DVWBI4BVTBUMNW4NMB3WZZDQJBKIGXI3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LLK2RMZEECKKWUQK7J46D2FQZOXFQLTC/", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3099", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3099", + "https://ubuntu.com/security/notices/USN-5775-1", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3099", + "updated": "2023-11-07T03:50:47Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.5.3-2ubuntu4.6+esm1", + "installed_version": "pkg:deb/ubuntu/libgcrypt11@1.5.3-2ubuntu4.6?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-09-25T15:15:11Z", + "description": "It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.", + "id": "CVE-2019-13627", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 203 + ], + "epss": 0.0020999999 + }, + "references": [ + "https://security-tracker.debian.org/tracker/CVE-2019-13627", + "https://lists.debian.org/debian-lts-announce/2020/01/msg00001.html", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00024.html", + "https://usn.ubuntu.com/4236-1/", + "https://security.gentoo.org/glsa/202003-32", + "https://usn.ubuntu.com/4236-3/", + "https://usn.ubuntu.com/4236-2/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=938938", + "https://ubuntu.com/security/notices/USN-4236-1", + "https://www.cve.org/CVERecord?id=CVE-2019-13627", + "https://access.redhat.com/errata/RHSA-2020:4482", + "https://ubuntu.com/security/notices/USN-4236-3", + "https://ubuntu.com/security/notices/USN-4236-2" + ], + "related": [ + "USN-4236-3" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-13627", + "updated": "2021-07-21T11:39:23Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm4", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-10-27T21:15:08Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "id": "CVE-2021-3903", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 5.4E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DU26T75PYA3OF7XJGNKMT2ZCQEU4UKP5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN4EX7BPQU7RP6PXCNCSDORUZBXQ4JUH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3903", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2021-3903", + "https://alas.aws.amazon.com/ALAS-2022-1557.html", + "https://ubuntu.com/security/notices/USN-5147-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3903", + "updated": "2023-11-07T03:38:24Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2017-02-27T07:59:00Z", + "description": "An integer overflow at a u_read_undo memory allocation site would occur for vim before patch 8.0.0377, if it does not properly validate values for tree length when reading a corrupted undo file, which may lead to resultant buffer overflows.", + "id": "CVE-2017-6349", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0093900003 + }, + "references": [ + "https://usn.ubuntu.com/4309-1/", + "https://security.gentoo.org/glsa/201706-26", + "https://groups.google.com/forum/", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856266", + "https://www.cve.org/CVERecord?id=CVE-2017-6349", + "https://ubuntu.com/security/notices/USN-4309-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2017-6349", + "updated": "2023-11-07T02:49:54Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-23T19:15:08Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2183", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2183", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://www.cve.org/CVERecord?id=CVE-2022-2183", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2183", + "updated": "2023-11-07T03:46:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-09-06T20:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0389.", + "id": "CVE-2022-3134", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 6.7E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019590", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3134", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-3134", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6302-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3134", + "updated": "2024-01-25T21:05:06Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.27.1-1ubuntu0.1+esm3", + "installed_version": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2023-01-30T04:15:08Z", + "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", + "id": "CVE-2022-48303", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 4.9E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T12:52:50Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/", + "https://savannah.gnu.org/patch/?10307", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/", + "https://savannah.gnu.org/bugs/?62387", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1994.html", + "https://ubuntu.com/security/notices/USN-5900-2", + "https://ubuntu.com/security/notices/USN-5900-1", + "https://access.redhat.com/errata/RHSA-2023:0842", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-153.html", + "https://alas.aws.amazon.com/ALAS-2023-1704.html", + "https://access.redhat.com/errata/RHSA-2023:5610", + "https://www.cve.org/CVERecord?id=CVE-2022-48303", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2023:0959" + ], + "related": [ + "USN-5900-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303", + "updated": "2023-05-30T17:16:57Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + } + ], + "created": "2022-08-24T16:15:09Z", + "description": "A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.", + "id": "CVE-2021-3999", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 193 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://bugzilla.redhat.com/show_bug.cgi?id=2024637", + "https://security-tracker.debian.org/tracker/CVE-2021-3999", + "https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e", + "https://access.redhat.com/security/cve/CVE-2021-3999", + "https://sourceware.org/bugzilla/show_bug.cgi?id=28769", + "https://ubuntu.com/security/notices/USN-5310-2", + "https://ubuntu.com/security/notices/USN-5310-1", + "https://ubuntu.com/security/notices/USN-6762-1", + "https://access.redhat.com/errata/RHSA-2022:0896", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2021-3999", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1857.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3999" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3999", + "updated": "2023-02-12T23:43:11Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm16", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm16", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-05-26T21:15:16Z", + "description": "An improper certificate validation vulnerability exists in curl \u003cv8.1.0 in the way it supports matching of wildcard patterns when listed as \"Subject Alternative Name\" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.", + "id": "CVE-2023-28321", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.9000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 295 + ], + "epss": 8.7E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:44:22Z" + }, + "references": [ + "https://support.apple.com/kb/HT213843", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/", + "https://hackerone.com/reports/1950627", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/", + "https://support.apple.com/kb/HT213844", + "https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html", + "https://support.apple.com/kb/HT213845", + "https://security.gentoo.org/glsa/202310-12", + "https://access.redhat.com/errata/RHSA-2023:6292", + "https://ubuntu.com/security/notices/USN-6237-3", + "https://access.redhat.com/errata/RHSA-2023:5598", + "https://access.redhat.com/errata/RHSA-2023:4523", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-270.html", + "https://www.cve.org/CVERecord?id=CVE-2023-28321", + "https://access.redhat.com/errata/RHSA-2023:4354", + "https://ubuntu.com/security/notices/USN-6237-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036239", + "https://access.redhat.com/errata/RHSA-2023:4628", + "https://access.redhat.com/errata/RHSA-2023:4629", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2230.html" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-28321", + "updated": "2023-11-07T04:10:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.25.dfsg1-17ubuntu0.1~esm1", + "installed_version": "pkg:deb/ubuntu/libsasl2-2@2.1.25.dfsg1-17build1?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=cyrus-sasl2" + } + ], + "created": "2019-12-19T18:15:12Z", + "description": "cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.", + "id": "CVE-2019-19906", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 193 + ], + "epss": 0.00685 + }, + "references": [ + "https://seclists.org/bugtraq/2019/Dec/42", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MW6GZCLECGL2PBNHVNPJIX4RPVRVFR7R/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OB4GSVOJ6ESHQNT5GSV63OX5D4KPSTGT/", + "https://support.apple.com/kb/HT211289", + "https://support.apple.com/kb/HT211288", + "https://www.debian.org/security/2019/dsa-4591", + "https://lists.debian.org/debian-lts-announce/2019/12/msg00027.html", + "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@\u003cissues.bookkeeper.apache.org\u003e", + "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@\u003cissues.bookkeeper.apache.org\u003e", + "https://www.openldap.org/its/index.cgi/Incoming?id=9123", + "https://usn.ubuntu.com/4256-1/", + "https://ubuntu.com/security/notices/USN-4256-1", + "https://www.cve.org/CVERecord?id=CVE-2019-19906", + "https://access.redhat.com/errata/RHSA-2020:4497", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947043", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-19906" + ], + "related": [ + "USN-4256-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-19906", + "updated": "2023-11-07T03:07:51Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.6-5ubuntu0.1~esm2", + "installed_version": "pkg:deb/ubuntu/libbz2-1.0@1.0.6-5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=bzip2" + }, + { + "fixed_version": "0:1.0.6-5ubuntu0.1~esm2", + "installed_version": "pkg:deb/ubuntu/bzip2@1.0.6-5?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-07-04T15:48:25Z", + "description": "USN-4038-1 fixed a vulnerability in bzip2. The update introduced\na regression causing bzip2 to incorrect raises CRC errors for some\nfiles. This update provides the corresponding update for Ubuntu 12.04 ESM and 14.04 ESM.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that bzip2 incorrectly handled certain files.\n An attacker could possibly use this issue to execute arbitrary code.\n", + "id": "USN-4038-4", + "properties": {}, + "severity": "unknown", + "source": "https://usn.ubuntu.com/4038-4" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-01-13T16:15:08Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1189.", + "id": "CVE-2023-0288", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 7.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T10:14:08Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYC22GGZ6QA66HLNLHCTAJU265TT3O33/", + "https://support.apple.com/kb/HT213670", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0288", + "https://ubuntu.com/security/notices/USN-5836-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://alas.aws.amazon.com/ALAS-2023-1703.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0288" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0288", + "updated": "2023-11-07T04:00:06Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm2", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2019-03-23T18:29:02Z", + "description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", + "id": "CVE-2019-9947", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.0999999046, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 93 + ], + "epss": 0.0025200001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T04:04:48Z" + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2019/06/msg00026.html", + "https://access.redhat.com/errata/RHSA-2019:3520", + "https://access.redhat.com/errata/RHSA-2019:3335", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html", + "https://usn.ubuntu.com/4127-2/", + "https://usn.ubuntu.com/4127-1/", + "https://access.redhat.com/errata/RHSA-2019:1260", + "https://access.redhat.com/errata/RHSA-2019:2030", + "https://security.gentoo.org/glsa/202003-26", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/", + "https://bugs.python.org/issue35906", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html", + "https://access.redhat.com/errata/RHSA-2019:3725", + "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html", + "https://alas.aws.amazon.com/ALAS-2019-1324.html", + "https://access.redhat.com/errata/RHSA-2020:1268", + "https://alas.aws.amazon.com/ALAS-2019-1242.html", + "https://access.redhat.com/errata/RHBA-2020:0547", + "https://access.redhat.com/errata/RHSA-2020:1462", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1247.html", + "https://access.redhat.com/errata/RHSA-2020:1346", + "https://alas.aws.amazon.com/ALAS-2019-1243.html", + "https://alas.aws.amazon.com/ALAS-2019-1230.html", + "https://alas.aws.amazon.com/ALAS-2019-1204.html", + "https://www.cve.org/CVERecord?id=CVE-2019-9947", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4127-2", + "https://ubuntu.com/security/notices/USN-4127-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9947", + "updated": "2023-11-07T03:13:49Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm15", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-29T03:15:15Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.4959.", + "id": "CVE-2022-1725", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 7.6E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://www.cve.org/CVERecord?id=CVE-2022-1725", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://ubuntu.com/security/notices/USN-6557-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1725", + "updated": "2024-01-25T21:05:13Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-24T02:15:06Z", + "description": "Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.", + "id": "CVE-2022-23852", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0142299999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.debian.org/security/2022/dsa-5073", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1754.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23852", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:4834", + "https://www.cve.org/CVERecord?id=CVE-2022-23852", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://alas.aws.amazon.com/ALAS-2022-1569.html", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-23852", + "updated": "2022-10-29T02:44:33Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6.18-0ubuntu4.5+esm2", + "installed_version": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=dbus" + } + ], + "created": "2020-06-08T17:15:09Z", + "description": "An issue was discovered in dbus \u003e= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.", + "id": "CVE-2020-12049", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 404 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-02-13T02:06:45Z" + }, + "references": [ + "https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.12.18", + "https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.13.16", + "https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.10.30", + "https://usn.ubuntu.com/4398-1/", + "https://usn.ubuntu.com/4398-2/", + "https://security.gentoo.org/glsa/202007-46", + "https://gitlab.freedesktop.org/dbus/dbus/-/issues/294", + "https://ubuntu.com/security/notices/USN-4398-1", + "https://ubuntu.com/security/notices/USN-4398-2", + "https://www.cve.org/CVERecord?id=CVE-2020-12049", + "https://access.redhat.com/errata/RHSA-2020:3014", + "https://access.redhat.com/errata/RHSA-2020:2894", + "https://access.redhat.com/errata/RHSA-2020:3298", + "https://access.redhat.com/errata/RHSA-2020:3044", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1870.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-4398-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2020-12049", + "updated": "2023-06-12T07:15:13Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm16", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions.", + "id": "CVE-2024-22667", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-07T15:59:10Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UI44Y4LJLG34D4HNB6NTPLUPZREHAEL7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UIQLVUSYHDN3644K6EFDI7PRZOTIKXM3/", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-536.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2024-518.html", + "https://www.cve.org/CVERecord?id=CVE-2024-22667", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2452.html", + "https://ubuntu.com/security/notices/USN-6698-1" + ], + "related": [ + "USN-6698-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-22667", + "updated": "2024-02-23T16:15:48Z" + }, + { + "affects": [ + { + "fixed_version": "0:458-2ubuntu0.1~esm1", + "installed_version": "pkg:deb/ubuntu/less@458-2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2024-04-13T15:15:52Z", + "description": "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", + "id": "CVE-2024-32487", + "properties": { + "epss": 4.5E-4 + }, + "references": [ + "https://www.cve.org/CVERecord?id=CVE-2024-32487", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068938", + "https://ubuntu.com/security/notices/USN-6756-1" + ], + "related": [ + "USN-6756-1" + ], + "severity": "unknown", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487", + "updated": "2024-05-01T18:15:24Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm12", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-08-18T16:15:08Z", + "description": "NULL Pointer Dereference in GitHub repository vim/vim prior to 9.0.0224.", + "id": "CVE-2022-2874", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.5, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 8.4E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://www.cve.org/CVERecord?id=CVE-2022-2874", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6302-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2874" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2874", + "updated": "2023-05-03T12:16:06Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-20T11:15:07Z", + "description": "Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4418.", + "id": "CVE-2022-0685", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 823 + ], + "epss": 9.8E-4 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0685", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5460-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0685", + "updated": "2023-11-07T03:41:29Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-10T14:12:56Z", + "description": "defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "id": "CVE-2022-22824", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0082299998, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22824", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://www.cve.org/CVERecord?id=CVE-2022-22824", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-22824", + "updated": "2022-10-06T14:47:33Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm7", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + }, + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm7", + "installed_version": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2023-03-22T17:15:13Z", + "description": "A security vulnerability has been identified in all supported versions\n\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints. Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function.", + "id": "CVE-2023-0464", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 295 + ], + "epss": 0.0025599999, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T19:45:29Z" + }, + "references": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e", + "https://security.gentoo.org/glsa/202402-08", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b", + "https://www.openssl.org/news/secadv/20230322.txt", + "https://www.debian.org/security/2023/dsa-5417", + "https://access.redhat.com/errata/RHSA-2023:3722", + "https://access.redhat.com/errata/RHSA-2023:7626", + "https://access.redhat.com/errata/RHSA-2023:7625", + "https://access.redhat.com/errata/RHSA-2023:7623", + "https://ubuntu.com/security/notices/USN-6039-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2073.html", + "https://access.redhat.com/errata/RHSA-2023:7622", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-181.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0464", + "https://alas.aws.amazon.com/ALAS-2023-1762.html", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034720", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2039.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0464", + "updated": "2024-02-04T09:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm7", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2020-02-04T15:15:11Z", + "description": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", + "id": "CVE-2019-9674", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 400 + ], + "epss": 0.01303 + }, + "references": [ + "https://bugs.python.org/issue36260", + "https://www.python.org/news/security/", + "https://usn.ubuntu.com/4428-1/", + "https://bugs.python.org/issue36462", + "https://ubuntu.com/security/notices/USN-4754-3", + "https://www.cve.org/CVERecord?id=CVE-2019-9674", + "https://ubuntu.com/security/notices/USN-4428-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-9674", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-9674", + "updated": "2023-03-01T16:40:14Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + }, + { + "fixed_version": "0:1.6~git20131207+dfsg-1ubuntu1.2+esm1", + "installed_version": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6%7Egit20131207%2Bdfsg-1ubuntu1.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=heimdal" + } + ], + "created": "2019-05-15T23:29:00Z", + "description": "In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.", + "id": "CVE-2019-12098", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 0.0039300001 + }, + "references": [ + "https://www.debian.org/security/2019/dsa-4455", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIXEDVVMPD6ZAJSMI2EZ7FNEIVNWE5PD/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLXXIF4LOQEAEDAF4UGP2AO6WDNTDFUB/", + "https://seclists.org/bugtraq/2019/Jun/1", + "https://www.cve.org/CVERecord?id=CVE-2019-12098", + "https://ubuntu.com/security/notices/USN-5675-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929064" + ], + "related": [ + "USN-5675-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-12098", + "updated": "2023-11-07T03:03:28Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm3", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm3", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-09-16T19:15:10Z", + "description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "id": "CVE-2019-5482", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.0976099968, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:20:48Z" + }, + "references": [ + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/", + "https://security.gentoo.org/glsa/202003-29", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.debian.org/security/2020/dsa-4633", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://seclists.org/bugtraq/2020/Feb/36", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/", + "https://access.redhat.com/errata/RHSA-2021:0877", + "https://access.redhat.com/errata/RHSA-2021:0759", + "https://access.redhat.com/errata/RHSA-2020:0250", + "https://access.redhat.com/errata/RHSA-2020:1792", + "https://www.cve.org/CVERecord?id=CVE-2019-5482", + "https://alas.aws.amazon.com/ALAS-2019-1294.html", + "https://access.redhat.com/errata/RHSA-2020:3916", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1340.html", + "https://access.redhat.com/errata/RHSA-2021:1027", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940010", + "https://ubuntu.com/security/notices/USN-4129-2", + "https://ubuntu.com/security/notices/USN-4129-1" + ], + "related": [ + "USN-4129-2" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-5482", + "updated": "2023-11-07T03:11:36Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm12", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm12", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2021-05-20T13:15:07Z", + "description": "There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.", + "id": "CVE-2021-3426", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 5.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 5.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 22, + 200 + ], + "epss": 6.1E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DQYPUKLLBOZMKFPO7RD7CENTXHUUEUV7/", + "https://security.gentoo.org/glsa/202104-04", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5V4VPLBHBEASSAROYPSHXGXGGPHNOE/", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/25HVHLBGO2KNPXJ3G426QEYSSCECJDU5/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPX7Y5GQDNB4FJTREWONGC4ZSVH7TGHF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QNGAFMPIYIVJ47FCF2NK2PIX22HUG35B/", + "https://bugzilla.redhat.com/show_bug.cgi?id=1935913", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BF2K7HEWADHN6P52R3QLIOX27U3DJ4HI/", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1640.html", + "https://access.redhat.com/errata/RHSA-2021:4160", + "https://alas.aws.amazon.com/ALAS-2021-1504.html", + "https://ubuntu.com/security/notices/USN-5342-3", + "https://ubuntu.com/security/notices/USN-5342-1", + "https://access.redhat.com/errata/RHSA-2021:4162", + "https://www.cve.org/CVERecord?id=CVE-2021-3426", + "https://access.redhat.com/errata/RHSA-2021:4399", + "https://access.redhat.com/errata/RHSA-2021:3254", + "https://alas.aws.amazon.com/ALAS-2021-1498.html", + "https://alas.aws.amazon.com/ALAS-2021-1500.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3426", + "updated": "2023-11-07T03:38:00Z" + }, + { + "affects": [ + { + "fixed_version": "1:4.2.6.p5+dfsg-3ubuntu2.14.04.13+esm1", + "installed_version": "pkg:deb/ubuntu/ntp@4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13?arch=amd64\u0026distro=14.04\u0026epoch=1" + } + ], + "created": "2018-06-20T14:29:00Z", + "description": "Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.", + "id": "CVE-2018-12327", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "info", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.0264999997, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:23:25Z" + }, + "references": [ + "https://www.exploit-db.com/exploits/44909/", + "https://access.redhat.com/errata/RHSA-2019:2077", + "https://access.redhat.com/errata/RHSA-2018:3854", + "https://access.redhat.com/errata/RHSA-2018:3853", + "https://security.gentoo.org/glsa/201903-15", + "https://usn.ubuntu.com/4229-1/", + "https://www.cve.org/CVERecord?id=CVE-2018-12327", + "https://access.redhat.com/errata/RHSA-2020:1470", + "https://alas.aws.amazon.com/ALAS-2018-1083.html", + "https://ubuntu.com/security/notices/USN-4229-1", + "https://alas.aws.amazon.com/AL2/ALAS-2019-1367.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4229-2" + ], + "related": [ + "USN-4229-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-12327", + "updated": "2020-08-24T17:37:01Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-02-16T01:15:07Z", + "description": "xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.", + "id": "CVE-2022-25236", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 668 + ], + "epss": 0.0347499996, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.debian.org/security/2022/dsa-5085", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html", + "https://access.redhat.com/errata/RHSA-2022:0847", + "https://access.redhat.com/errata/RHSA-2022:0824", + "https://access.redhat.com/errata/RHSA-2022:0845", + "https://www.cve.org/CVERecord?id=CVE-2022-25236", + "https://access.redhat.com/errata/RHSA-2022:0843", + "https://access.redhat.com/errata/RHSA-2022:1012", + "https://access.redhat.com/errata/RHSA-2022:7144", + "https://access.redhat.com/errata/RHSA-2022:7811", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://access.redhat.com/errata/RHSA-2022:0816", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-25236", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://access.redhat.com/errata/RHSA-2022:0815", + "https://access.redhat.com/errata/RHSA-2022:1309", + "https://access.redhat.com/errata/RHSA-2022:0853", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1764.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005895", + "https://access.redhat.com/errata/RHSA-2022:0850", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1779.html", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://access.redhat.com/errata/RHSA-2022:1068", + "https://alas.aws.amazon.com/ALAS-2022-1573.html", + "https://access.redhat.com/errata/RHSA-2022:1263", + "https://access.redhat.com/errata/RHSA-2022:1053", + "https://access.redhat.com/errata/RHSA-2022:1070", + "https://access.redhat.com/errata/RHSA-2022:0818", + "https://access.redhat.com/errata/RHSA-2022:0817" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-25236", + "updated": "2023-11-07T03:44:45Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-01-26T18:15:08Z", + "description": "Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0368", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.00136, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T07:15:25Z" + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2022-0368", + "https://ubuntu.com/security/notices/USN-5458-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0368" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0368", + "updated": "2022-11-09T03:52:57Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.6-3ubuntu1+esm1", + "installed_version": "pkg:deb/ubuntu/gzip@1.6-3ubuntu1?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:5.1.1alpha+20120614-2ubuntu2.14.04.1+esm1", + "installed_version": "pkg:deb/ubuntu/xz-utils@5.1.1alpha%2B20120614-2ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:5.1.1alpha+20120614-2ubuntu2.14.04.1+esm1", + "installed_version": "pkg:deb/ubuntu/liblzma5@5.1.1alpha%2B20120614-2ubuntu2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=xz-utils" + } + ], + "created": "2022-08-31T16:15:09Z", + "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.", + "id": "CVE-2022-1271", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 20, + 179 + ], + "epss": 0.00715, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T17:05:11Z" + }, + "references": [ + "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch", + "https://security.gentoo.org/glsa/202209-01", + "https://access.redhat.com/security/cve/CVE-2022-1271", + "https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6", + "https://security-tracker.debian.org/tracker/CVE-2022-1271", + "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=2073310", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1271", + "https://access.redhat.com/errata/RHSA-2022:1537", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1782.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-042.html", + "https://access.redhat.com/errata/RHSA-2022:1676", + "https://access.redhat.com/errata/RHSA-2022:4991", + "https://ubuntu.com/security/notices/USN-5378-4", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009167", + "https://access.redhat.com/errata/RHSA-2022:4940", + "https://access.redhat.com/errata/RHSA-2022:2191", + "https://access.redhat.com/errata/RHSA-2022:5439", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-043.html", + "https://alas.aws.amazon.com/ALAS-2022-1590.html", + "https://access.redhat.com/errata/RHSA-2022:1665", + "https://www.cve.org/CVERecord?id=CVE-2022-1271", + "https://access.redhat.com/errata/RHSA-2022:5052", + "https://ubuntu.com/security/notices/USN-5378-1", + "https://access.redhat.com/errata/RHSA-2022:4582", + "https://ubuntu.com/security/notices/USN-5378-2", + "https://ubuntu.com/security/notices/USN-5378-3", + "https://access.redhat.com/errata/RHSA-2022:1592", + "https://access.redhat.com/errata/RHSA-2022:4992", + "https://access.redhat.com/errata/RHSA-2022:4993", + "https://access.redhat.com/errata/RHSA-2022:4994", + "https://access.redhat.com/errata/RHSA-2022:4896", + "https://alas.aws.amazon.com/ALAS-2022-1598.html" + ], + "related": [ + "USN-5378-3" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1271", + "updated": "2023-11-07T03:41:52Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.4.16-1ubuntu2.6+esm1", + "installed_version": "pkg:deb/ubuntu/gnupg@1.4.16-1ubuntu2.6?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2022-07-01T22:15:08Z", + "description": "GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.", + "id": "CVE-2022-34903", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 74 + ], + "epss": 0.00422 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VU64FUVG2PRZBSHFOQRSP7KDVEIZ23OS/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPTAR76EIZY7NQFENSOZO7U473257OVZ/", + "https://dev.gnupg.org/T6027", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VN63GBTMRWO36Y7BKA2WQHROAKCXKCBL/", + "https://bugs.debian.org/1014157", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FRLWJQ76A4UKHI3Q36BKSJKS4LFLQO33/", + "https://www.debian.org/security/2022/dsa-5174", + "https://www.cve.org/CVERecord?id=CVE-2022-34903", + "https://alas.aws.amazon.com/ALAS-2022-1630.html", + "https://access.redhat.com/errata/RHSA-2022:6602", + "https://ubuntu.com/security/notices/USN-5503-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-087.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1834.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34903", + "https://ubuntu.com/security/notices/USN-5503-2", + "https://access.redhat.com/errata/RHSA-2022:6463", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014157" + ], + "related": [ + "USN-5503-2" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-34903", + "updated": "2023-11-07T03:48:47Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-17T12:15:07Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0629", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 121 + ], + "epss": 0.00103 + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UURGABNDL77YR5FRQKTFBYNBDQX2KO7Q/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://security.gentoo.org/glsa/202208-32", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1771.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://www.cve.org/CVERecord?id=CVE-2022-0629", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0629", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0629", + "updated": "2023-11-07T03:41:26Z" + }, + { + "affects": [ + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm2", + "installed_version": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + }, + { + "fixed_version": "1:4.1.5.1-1ubuntu9.5+esm2", + "installed_version": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64\u0026distro=14.04\u0026epoch=1\u0026source=shadow" + } + ], + "created": "2019-12-03T15:15:10Z", + "description": "shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees", + "id": "CVE-2013-4235", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 4.6999998093, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 367 + ], + "epss": 4.7E-4 + }, + "references": [ + "https://access.redhat.com/security/cve/cve-2013-4235", + "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@\u003cdev.mina.apache.org\u003e", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235", + "https://security.gentoo.org/glsa/202210-26", + "https://security-tracker.debian.org/tracker/CVE-2013-4235", + "https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1998169", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950", + "https://ubuntu.com/security/notices/USN-5745-2", + "https://www.cve.org/CVERecord?id=CVE-2013-4235", + "https://ubuntu.com/security/notices/USN-5745-1" + ], + "related": [ + "USN-5745-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2013-4235", + "updated": "2023-02-13T00:28:41Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.1.0-4ubuntu1.4+esm4", + "installed_version": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=expat" + } + ], + "created": "2022-01-10T14:12:57Z", + "description": "storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.", + "id": "CVE-2022-22827", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0077200001 + }, + "references": [ + "https://security.gentoo.org/glsa/202209-24", + "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf", + "https://www.debian.org/security/2022/dsa-5073", + "https://ubuntu.com/security/notices/USN-5455-1", + "https://www.cve.org/CVERecord?id=CVE-2022-22827", + "https://alas.aws.amazon.com/ALAS-2022-1603.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-058.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003474", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1809.html", + "https://access.redhat.com/errata/RHSA-2022:0951", + "https://access.redhat.com/errata/RHSA-2022:7692", + "https://ubuntu.com/security/notices/USN-5288-1", + "https://access.redhat.com/errata/RHSA-2022:1069", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22827", + "https://access.redhat.com/errata/RHSA-2022:7144" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-22827", + "updated": "2022-10-06T12:52:17Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-19T10:15:09Z", + "description": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2124", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 126 + ], + "epss": 0.0017 + }, + "references": [ + "https://support.apple.com/kb/HT213444", + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://support.apple.com/kb/HT213443", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2124", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2124", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2124", + "updated": "2023-11-07T03:46:13Z" + }, + { + "affects": [ + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + }, + { + "fixed_version": "0:5.9+20140118-1ubuntu1+esm3", + "installed_version": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all\u0026distro=14.04\u0026epoch=0\u0026source=ncurses" + } + ], + "created": "2023-04-14T01:15:08Z", + "description": "ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.", + "id": "CVE-2023-29491", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 4.2E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-11T23:09:47Z" + }, + "references": [ + "https://support.apple.com/kb/HT213843", + "https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/", + "https://support.apple.com/kb/HT213844", + "https://support.apple.com/kb/HT213845", + "https://access.redhat.com/errata/RHSA-2024:0416", + "https://www.cve.org/CVERecord?id=CVE-2023-29491", + "https://ubuntu.com/security/notices/USN-6099-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034372", + "https://access.redhat.com/errata/RHSA-2023:5249", + "https://access.redhat.com/errata/RHSA-2023:6698", + "https://alas.aws.amazon.com/ALAS-2023-1778.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-220.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2096.html", + "https://access.redhat.com/errata/RHSA-2023:7361" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-29491", + "updated": "2024-01-31T03:15:07Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm11", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-07-02T16:15:08Z", + "description": "Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.", + "id": "CVE-2022-2285", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 9.7E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2285", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1868.html", + "https://ubuntu.com/security/notices/USN-6270-1", + "https://alas.aws.amazon.com/ALAS-2022-1639.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2285", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2285", + "updated": "2023-11-07T03:46:24Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm1", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + } + ], + "created": "2019-04-03T18:29:01Z", + "description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.", + "id": "CVE-2018-20506", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.1000003815, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.0178200006, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T16:01:51Z" + }, + "references": [ + "https://support.apple.com/kb/HT209451", + "https://support.apple.com/kb/HT209450", + "https://sqlite.org/src/info/940f2adc8541a838", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365", + "https://support.apple.com/kb/HT209443", + "https://support.apple.com/kb/HT209446", + "https://seclists.org/bugtraq/2019/Jan/28", + "https://seclists.org/bugtraq/2019/Jan/39", + "https://seclists.org/bugtraq/2019/Jan/29", + "https://usn.ubuntu.com/4019-2/", + "https://seclists.org/bugtraq/2019/Jan/33", + "https://usn.ubuntu.com/4019-1/", + "https://seclists.org/bugtraq/2019/Jan/31", + "https://seclists.org/bugtraq/2019/Jan/32", + "https://support.apple.com/kb/HT209448", + "https://support.apple.com/kb/HT209447", + "https://lists.debian.org/debian-lts-announce/2020/08/msg00037.html", + "https://ubuntu.com/security/notices/USN-4019-1", + "https://ubuntu.com/security/notices/USN-4019-2", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2018-20506" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20506", + "updated": "2021-07-31T08:15:08Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm9", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-02-02T21:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-0443", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.8E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/", + "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://www.cve.org/CVERecord?id=CVE-2022-0443", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://ubuntu.com/security/notices/USN-6026-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0443", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5458-1" + ], + "related": [ + "USN-6026-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0443", + "updated": "2023-11-07T03:41:17Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-03-14T21:15:07Z", + "description": "Heap-based Buffer Overflow occurs in vim in GitHub repository vim/vim prior to 8.2.4563.", + "id": "CVE-2022-0943", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 5.4E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-19T03:02:51Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3R36VSLO4TRX72SWB6IDJOD24BQXPX2/", + "https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1805.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0943", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://alas.aws.amazon.com/ALAS-2022-1579.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/ALAS-2022-1597.html", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://access.redhat.com/errata/RHSA-2022:5242", + "https://www.cve.org/CVERecord?id=CVE-2022-0943" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-0943", + "updated": "2023-11-07T03:41:40Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm5", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-05-08T11:15:07Z", + "description": "NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.", + "id": "CVE-2022-1620", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.00291, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://support.apple.com/kb/HT213488", + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/", + "https://security.gentoo.org/glsa/202208-32", + "https://www.cve.org/CVERecord?id=CVE-2022-1620", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://ubuntu.com/security/notices/USN-5613-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5460-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1620" + ], + "related": [ + "USN-5613-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-1620", + "updated": "2023-11-07T03:42:03Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-23T13:15:07Z", + "description": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2175", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125, + 126 + ], + "epss": 0.0011699999 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2175", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://www.cve.org/CVERecord?id=CVE-2022-2175", + "https://ubuntu.com/security/notices/USN-5723-1", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2175", + "updated": "2023-11-07T03:46:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-22T13:15:09Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.0530.", + "id": "CVE-2022-3256", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.7E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://ubuntu.com/security/notices/USN-5775-1", + "https://www.cve.org/CVERecord?id=CVE-2022-3256", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3256" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3256", + "updated": "2023-11-07T03:51:01Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm13", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2022-09-27T23:15:15Z", + "description": "Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0598.", + "id": "CVE-2022-3324", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 121 + ], + "epss": 9.5E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4QI7AETXBHPC7SGA77Q7O5IEGULWYET7/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSSEWQLK55MCNT4Z2IIJEJYEI5HLCODI/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GTBVD4J2SKVSWK4VBN5JP5OEVK6GDS3N/", + "https://www.cve.org/CVERecord?id=CVE-2022-3324", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://ubuntu.com/security/notices/USN-5775-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html", + "https://ubuntu.com/security/notices/USN-6420-1", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3324" + ], + "related": [ + "USN-6420-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-3324", + "updated": "2023-11-07T03:51:06Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm11", + "installed_version": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.4.3-1ubuntu1~14.04.7+esm11", + "installed_version": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1%7E14.04.7?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=python3.4" + } + ], + "created": "2022-03-10T17:42:59Z", + "description": "There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.", + "id": "CVE-2021-3733", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 400 + ], + "epss": 0.0026499999 + }, + "references": [ + "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=1995234", + "https://bugs.python.org/issue43075", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html", + "https://ubuntu.com/security/CVE-2021-3733", + "https://access.redhat.com/errata/RHSA-2021:4160", + "https://ubuntu.com/security/notices/USN-5200-1", + "https://access.redhat.com/errata/RHSA-2022:1821", + "https://access.redhat.com/errata/RHSA-2022:1764", + "https://www.cve.org/CVERecord?id=CVE-2021-3733", + "https://access.redhat.com/errata/RHSA-2022:1663", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3733", + "https://ubuntu.com/security/notices/USN-5199-1", + "https://ubuntu.com/security/notices/USN-5083-1", + "https://alas.aws.amazon.com/ALAS-2022-1593.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1802.html", + "https://access.redhat.com/errata/RHSA-2021:3254", + "https://access.redhat.com/errata/RHSA-2021:4057", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + ], + "related": [ + "USN-5083-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3733", + "updated": "2023-06-30T23:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm7", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2023-01-04T18:15:09Z", + "description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1144.", + "id": "CVE-2023-0051", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 122 + ], + "epss": 7.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-13T10:09:10Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://support.apple.com/kb/HT213670", + "https://alas.aws.amazon.com/ALAS-2023-1716.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-117.html", + "https://www.cve.org/CVERecord?id=CVE-2023-0051", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-0051", + "https://ubuntu.com/security/notices/USN-5963-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-1975.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-0051", + "updated": "2023-05-03T12:16:43Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm4", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-11-05T15:15:08Z", + "description": "vim is vulnerable to Heap-based Buffer Overflow", + "id": "CVE-2021-3927", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 122 + ], + "epss": 0.00102 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/", + "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCQWPEY2AEYBELCMJYHYWYCD3PZVD2H7/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3927", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1743.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://www.cve.org/CVERecord?id=CVE-2021-3927", + "https://ubuntu.com/security/notices/USN-5147-1", + "https://alas.aws.amazon.com/ALAS-2022-1557.html" + ], + "related": [ + "USN-5147-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3927", + "updated": "2023-11-07T03:38:24Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "6-6" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Secret Detected: GitLab Personal Access Token.", + "id": "IN-DOCKER-007-004", + "properties": {}, + "references": [ + "https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html" + ], + "severity": "critical", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm9", + "installed_version": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm9", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2023-05-30T14:15:09Z", + "description": "Issue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit. OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime. The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced. This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL. If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS. It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain. Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates. This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.", + "id": "CVE-2023-2650", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "NVD" + }, + { + "cvss_3_base_score": 6.5, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 770 + ], + "epss": 0.00166, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-16T00:09:51Z" + }, + "references": [ + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c", + "https://security.gentoo.org/glsa/202402-08", + "https://www.openssl.org/news/secadv/20230530.txt", + "https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a", + "https://www.debian.org/security/2023/dsa-5417", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098", + "https://access.redhat.com/errata/RHSA-2023:3722", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2097.html", + "https://access.redhat.com/errata/RHSA-2023:7626", + "https://access.redhat.com/errata/RHSA-2023:7625", + "https://access.redhat.com/errata/RHSA-2023:7623", + "https://access.redhat.com/errata/RHSA-2023:7622", + "https://ubuntu.com/security/notices/USN-6119-1", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2073.html", + "https://www.cve.org/CVERecord?id=CVE-2023-2650", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2650", + "https://ubuntu.com/security/notices/USN-6188-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-222.html", + "https://alas.aws.amazon.com/ALAS-2023-1762.html", + "https://ubuntu.com/security/notices/USN-6672-1", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html", + "https://access.redhat.com/errata/RHSA-2023:6330" + ], + "related": [ + "USN-6188-1" + ], + "severity": "medium", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650", + "updated": "2024-02-04T09:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm1", + "installed_version": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2019-02-24T14:29:00Z", + "description": "libvterm through 0+bzr726, as used in Vim and other products, mishandles certain out-of-memory conditions, leading to a denial of service (application crash), related to screen.c, state.c, and vterm.c.", + "id": "CVE-2018-20786", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.5, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 476 + ], + "epss": 0.0025800001 + }, + "references": [ + "https://usn.ubuntu.com/4309-1/", + "https://www.cve.org/CVERecord?id=CVE-2018-20786", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-4309-1" + ], + "related": [ + "USN-4309-1" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-20786", + "updated": "2020-03-30T20:15:15Z" + }, + { + "affects": [ + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm17", + "installed_version": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:7.35.0-1ubuntu2.20+esm17", + "installed_version": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=curl" + } + ], + "created": "2023-10-18T04:15:11Z", + "description": "This flaw allows an attacker to insert cookies at will into a running program\nusing libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates en easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the file name as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl. And if using the correct file format of course.\n", + "id": "CVE-2023-38546", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "severity": "low", + "source": "NVD" + }, + { + "cvss_3_base_score": 3.7000000477, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "epss": 8.1E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-14T15:14:50Z" + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OGMXNRNSJ4ETDK6FRNU3J7SABXPWCHSQ/", + "https://support.apple.com/kb/HT214057", + "https://support.apple.com/kb/HT214036", + "https://support.apple.com/kb/HT214058", + "https://support.apple.com/kb/HT214063", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2287.html", + "https://access.redhat.com/errata/RHSA-2023:7626", + "https://access.redhat.com/errata/RHSA-2023:7625", + "https://access.redhat.com/errata/RHSA-2023:5700", + "https://access.redhat.com/errata/RHSA-2023:6745", + "https://access.redhat.com/errata/RHSA-2023:5763", + "https://alas.aws.amazon.com/AL2/ALASECS-2023-016.html", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-420.html", + "https://access.redhat.com/errata/RHSA-2023:6292", + "https://www.cve.org/CVERecord?id=CVE-2023-38546", + "https://ubuntu.com/security/notices/USN-6429-1", + "https://ubuntu.com/security/notices/USN-6429-3", + "https://ubuntu.com/security/notices/USN-6429-2", + "https://access.redhat.com/errata/RHSA-2024:2101", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-377.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38546", + "https://access.redhat.com/errata/RHSA-2023:7540", + "https://access.redhat.com/errata/RHSA-2024:1601" + ], + "related": [ + "USN-6429-2" + ], + "severity": "low", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-38546", + "updated": "2024-01-26T17:15:09Z" + }, + { + "affects": [ + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0" + }, + { + "fixed_version": "0:3.8.2-1ubuntu2.2+esm2", + "installed_version": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=sqlite3" + } + ], + "created": "2019-12-10T22:15:13Z", + "description": "Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", + "id": "CVE-2019-13734", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 8.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 0.0042400002, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-10T15:47:08Z" + }, + "references": [ + "https://access.redhat.com/errata/RHSA-2020:0463", + "https://access.redhat.com/errata/RHSA-2020:0451", + "https://access.redhat.com/errata/RHSA-2019:4238", + "https://usn.ubuntu.com/4298-2/", + "https://access.redhat.com/errata/RHSA-2020:0476", + "https://usn.ubuntu.com/4298-1/", + "https://access.redhat.com/errata/RHSA-2020:0273", + "https://access.redhat.com/errata/RHSA-2020:0229", + "https://security.gentoo.org/glsa/202003-08", + "https://seclists.org/bugtraq/2020/Jan/27", + "https://access.redhat.com/errata/RHSA-2020:0227", + "https://www.debian.org/security/2020/dsa-4606", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2Z5M4FPUMDNX2LDPHJKN5ZV5GIS2AKNU/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N5CIQCVS6E3ULJCNU7YJXJPO2BLQZDTK/", + "https://ubuntu.com/security/notices/USN-4298-2", + "https://access.redhat.com/errata/RHSA-2020:2014", + "https://access.redhat.com/errata/RHBA-2020:0547", + "https://ubuntu.com/security/notices/USN-4298-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://alas.aws.amazon.com/AL2/ALAS-2020-1394.html", + "https://www.cve.org/CVERecord?id=CVE-2019-13734" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2019-13734", + "updated": "2023-11-07T03:04:20Z" + }, + { + "affects": [ + { + "file": "dockerfile:comp-1.Dockerfile", + "lines": "10-10" + } + ], + "created": "2024-03-27T14:36:39Z", + "description": "Last USER is root: If a service can run without privileges, use USER to change to a non-root user.", + "id": "IN-DOCKER-003", + "properties": {}, + "references": [ + "https://docs.docker.com/develop/develop-images/instructions/" + ], + "severity": "info", + "source": "https://aws.amazon.com/inspector/", + "updated": "2024-03-27T14:36:39Z" + }, + { + "affects": [ + { + "fixed_version": "0:1.0.1f-1ubuntu2.27+esm3", + "installed_version": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=openssl" + } + ], + "created": "2021-08-24T15:15:09Z", + "description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).", + "id": "CVE-2021-3712", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.4000000954, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 125 + ], + "epss": 0.0041100001, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-05-15T19:45:29Z" + }, + "references": [ + "https://www.debian.org/security/2021/dsa-4963", + "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366", + "https://security.gentoo.org/glsa/202209-02", + "https://www.openssl.org/news/secadv/20210824.txt", + "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@\u003cdev.tomcat.apache.org\u003e", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html", + "https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11", + "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@\u003cdev.tomcat.apache.org\u003e", + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://security.gentoo.org/glsa/202210-02", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1721.html", + "https://www.cve.org/CVERecord?id=CVE-2021-3712", + "https://alas.aws.amazon.com/ALAS-2021-1541.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3712", + "https://access.redhat.com/errata/RHSA-2022:0064", + "https://ubuntu.com/security/notices/USN-5051-1", + "https://ubuntu.com/security/notices/USN-5051-3", + "https://ubuntu.com/security/notices/USN-5051-2", + "https://access.redhat.com/errata/RHSA-2021:4614", + "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html", + "https://access.redhat.com/errata/RHSA-2021:4618", + "https://access.redhat.com/errata/RHSA-2021:5226", + "https://access.redhat.com/errata/RHSA-2021:4861", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://access.redhat.com/errata/RHSA-2021:4613", + "https://ubuntu.com/security/notices/USN-5051-4(regressiononlyintrusty/esm)", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1714.html", + "https://ubuntu.com/security/notices/USN-5088-1", + "https://access.redhat.com/errata/RHSA-2021:4863" + ], + "related": [ + "USN-5051-2" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3712", + "updated": "2023-11-07T03:38:13Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm3", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2021-09-15T13:15:08Z", + "description": "vim is vulnerable to Use After Free", + "id": "CVE-2021-3796", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.3000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 9.9E-4 + }, + "references": [ + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/", + "https://lists.debian.org/debian-lts-announce/2022/01/msg00003.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE62UMYBZE4AE53K6OBBWK32XQ7544QM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/", + "https://access.redhat.com/errata/RHSA-2021:4517", + "https://ubuntu.com/security/notices/USN-5093-1", + "https://www.cve.org/CVERecord?id=CVE-2021-3796", + "https://alas.aws.amazon.com/AL2/ALAS-2021-1728.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-3796", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994497" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-3796", + "updated": "2023-11-07T03:38:16Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm8", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + } + ], + "created": "2022-06-19T19:15:08Z", + "description": "Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.", + "id": "CVE-2022-2129", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787 + ], + "epss": 9.7E-4, + "exploit_available": true, + "exploit_last_seen_in_public": "2024-04-29T14:20:44Z" + }, + "references": [ + "https://security.gentoo.org/glsa/202305-16", + "https://lists.debian.org/debian-lts-announce/2022/11/msg00032.html", + "https://security.gentoo.org/glsa/202208-32", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/", + "https://ubuntu.com/security/notices/USN-5533-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-098.html", + "https://alas.aws.amazon.com/ALAS-2022-1628.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-2129", + "https://ubuntu.com/security/notices/USN-5995-1", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015984", + "https://www.cve.org/CVERecord?id=CVE-2022-2129", + "https://alas.aws.amazon.com/AL2/ALAS-2022-1829.html" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2022-2129", + "updated": "2023-11-07T03:46:14Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + }, + { + "fixed_version": "0:2.19-0ubuntu6.15+esm3", + "installed_version": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=eglibc" + } + ], + "created": "2018-05-18T16:29:00Z", + "description": "stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.", + "id": "CVE-2018-11236", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 787, + 190 + ], + "epss": 0.0141399996 + }, + "references": [ + "https://usn.ubuntu.com/4416-1/", + "https://access.redhat.com/errata/RHSA-2018:3092", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5460617d1567657621107d895ee2dd83bc1f88f2", + "https://access.redhat.com/errata/RHBA-2019:0327", + "https://sourceware.org/bugzilla/show_bug.cgi?id=22786", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899071", + "https://alas.aws.amazon.com/ALAS-2018-1109.html", + "https://ubuntu.com/security/notices/USN-4416-1", + "https://www.cve.org/CVERecord?id=CVE-2018-11236", + "https://ubuntu.com/security/notices/USN-6762-1", + "https://alas.aws.amazon.com/AL2/ALAS-2018-1048.html" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2018-11236", + "updated": "2023-11-07T02:51:38Z" + }, + { + "affects": [ + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2\u0026source=vim" + }, + { + "fixed_version": "2:7.4.052-1ubuntu3.1+esm14", + "installed_version": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64\u0026distro=14.04\u0026epoch=2" + } + ], + "created": "2023-09-04T14:15:07Z", + "description": "Use After Free in GitHub repository vim/vim prior to 9.0.1840.", + "id": "CVE-2023-4733", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "high", + "source": "NVD" + }, + { + "cvss_3_base_score": 7.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "severity": "medium", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 416 + ], + "epss": 5.6E-4 + }, + "references": [ + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/", + "https://support.apple.com/kb/HT213984", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/", + "https://alas.aws.amazon.com/ALAS-2023-1837.html", + "https://alas.aws.amazon.com/AL2/ALAS-2023-2266.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4733", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null", + "https://ubuntu.com/security/notices/USN-6452-1", + "https://alas.aws.amazon.com/AL2023/ALAS-2023-360.html", + "https://www.cve.org/CVERecord?id=CVE-2023-4733" + ], + "severity": "high", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2023-4733", + "updated": "2024-02-01T17:56:32Z" + }, + { + "affects": [ + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + }, + { + "fixed_version": "0:2.0.3-0ubuntu1.14.04.3+esm2", + "installed_version": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64\u0026distro=14.04\u0026epoch=0\u0026source=klibc" + } + ], + "created": "2021-04-30T06:15:07Z", + "description": "An issue was discovered in klibc before 2.0.9. Multiple possible integer overflows in the cpio command on 32-bit systems may result in a buffer overflow or other security impact.", + "id": "CVE-2021-31872", + "properties": { + "cvss": [ + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "critical", + "source": "NVD" + }, + { + "cvss_3_base_score": 9.8000001907, + "cvss_3_base_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "low", + "source": "Ubuntu Linux" + } + ], + "cwes": [ + 190 + ], + "epss": 0.00244 + }, + "references": [ + "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff", + "https://kernel.org/pub/linux/libs/klibc/2.0/", + "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html", + "https://www.cve.org/CVERecord?id=CVE-2021-31872", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989505", + "https://ubuntu.com/security/notices/USN-5379-1" + ], + "severity": "critical", + "source": "https://nvd.nist.gov/vuln/detail/CVE-2021-31872", + "updated": "2022-04-19T03:53:13Z" + } + ], + "vulnerability_count": { + "critical": 45, + "high": 201, + "low": 6, + "medium": 106, + "other": 16 + } +} \ No newline at end of file diff --git a/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/sbom.json b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/sbom.json new file mode 100644 index 0000000..18db3e8 --- /dev/null +++ b/entrypoint/tests/test_data/artifacts/containers/dockerfile_checks/sbom.json @@ -0,0 +1,2305 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:bb6c341b-df60-4a43-bab1-06ad7919ca1f", + "version": 1, + "metadata": { + "timestamp": "2024-05-22T13:49:06Z", + "tools": { + "components": [ + { + "type": "application", + "author": "Amazon Web Services, Inc. (AWS)", + "name": "inspector-sbomgen", + "version": "1.1.1", + "hashes": [ + { + "alg": "SHA-256", + "content": "135e174b4302c98e15bbd00abf90339f9d7b83562826e6b8b9eb3b1ba6df55e0" + } + ] + } + ] + }, + "component": { + "bom-ref": "comp-1", + "type": "container", + "name": "dev:latest", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:image_id", + "value": "sha256:dcd749a9292a4412ca00d690ee6e9975553ef3f2e32571ca975e1c435d3e495e" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:f2fa9f4cf8fd0a521d40e34492b522cee3f35004047e617c75fadeb8bfd1e6b7" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:30d3c4334a2379748937816c01f5c972a8291a5ccc958d6b33d735457a16196e" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:83109fa660b2ed9307948505abd3c1f24c27c64009691067edb765bd3714b98d" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:9fd88d1e6b663dd2c010994bfcec9517e7e0240a807c2f8cda1d54fe9a110d2f" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:63cf444f42ce49f70b4c8b70e343e634bdceaacb79016d37f88e815ced400419" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:3ffa63f2bf843069f6a377395e447997a2c57e303e8859e3b18397c248140f02" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef" + }, + { + "name": "amazon:inspector:sbom_generator:layer_diff_id", + "value": "sha256:3861686658f9f188664fb0f6857deb48906641989236ce40db2dbc71770a71eb" + } + ] + } + }, + "components": [ + { + "bom-ref": "comp-2", + "type": "operating-system", + "name": "Ubuntu", + "version": "14.04" + }, + { + "bom-ref": "comp-3", + "type": "application", + "name": "pyyaml", + "version": "3.10-4ubuntu0.1", + "purl": "pkg:deb/ubuntu/pyyaml@3.10-4ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-5", + "type": "application", + "name": "python3-yaml", + "version": "3.10-4ubuntu0.1", + "purl": "pkg:deb/ubuntu/python3-yaml@3.10-4ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=pyyaml" + } + ] + }, + { + "bom-ref": "comp-6", + "type": "application", + "name": "libtext-wrapi18n-perl", + "version": "0.06-7", + "purl": "pkg:deb/ubuntu/libtext-wrapi18n-perl@0.06-7?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-7", + "type": "application", + "name": "ucf", + "version": "3.0027+nmu1", + "purl": "pkg:deb/ubuntu/ucf@3.0027%2Bnmu1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-8", + "type": "application", + "name": "libarchive-extract-perl", + "version": "0.70-1", + "purl": "pkg:deb/ubuntu/libarchive-extract-perl@0.70-1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-9", + "type": "application", + "name": "p11-kit", + "version": "0.20.2-2ubuntu2", + "purl": "pkg:deb/ubuntu/p11-kit@0.20.2-2ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-11", + "type": "application", + "name": "libp11-kit0", + "version": "0.20.2-2ubuntu2", + "purl": "pkg:deb/ubuntu/libp11-kit0@0.20.2-2ubuntu2?arch=amd64&distro=14.04&epoch=0&source=p11-kit" + } + ] + }, + { + "bom-ref": "comp-12", + "type": "application", + "name": "libtext-iconv-perl", + "version": "1.7-5build2", + "purl": "pkg:deb/ubuntu/libtext-iconv-perl@1.7-5build2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-13", + "type": "application", + "name": "attr", + "version": "2.4.47-1ubuntu1", + "purl": "pkg:deb/ubuntu/attr@2.4.47-1ubuntu1?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-15", + "type": "application", + "name": "libattr1", + "version": "2.4.47-1ubuntu1", + "purl": "pkg:deb/ubuntu/libattr1@2.4.47-1ubuntu1?arch=amd64&distro=14.04&epoch=1&source=attr" + } + ] + }, + { + "bom-ref": "comp-16", + "type": "application", + "name": "iputils", + "version": "20121221-4ubuntu1.1", + "purl": "pkg:deb/ubuntu/iputils@20121221-4ubuntu1.1?arch=amd64&distro=14.04&epoch=3", + "components": [ + { + "bom-ref": "comp-18", + "type": "application", + "name": "iputils-ping", + "version": "20121221-4ubuntu1.1", + "purl": "pkg:deb/ubuntu/iputils-ping@20121221-4ubuntu1.1?arch=amd64&distro=14.04&epoch=3&source=iputils" + } + ] + }, + { + "bom-ref": "comp-19", + "type": "application", + "name": "gdbm", + "version": "1.8.3-12build1", + "purl": "pkg:deb/ubuntu/gdbm@1.8.3-12build1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-21", + "type": "application", + "name": "libgdbm3", + "version": "1.8.3-12build1", + "purl": "pkg:deb/ubuntu/libgdbm3@1.8.3-12build1?arch=amd64&distro=14.04&epoch=0&source=gdbm" + } + ] + }, + { + "bom-ref": "comp-22", + "type": "application", + "name": "systemd", + "version": "204-5ubuntu20.31", + "purl": "pkg:deb/ubuntu/systemd@204-5ubuntu20.31?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-24", + "type": "application", + "name": "libudev1", + "version": "204-5ubuntu20.31", + "purl": "pkg:deb/ubuntu/libudev1@204-5ubuntu20.31?arch=amd64&distro=14.04&epoch=0&source=systemd" + }, + { + "bom-ref": "comp-26", + "type": "application", + "name": "udev", + "version": "204-5ubuntu20.31", + "purl": "pkg:deb/ubuntu/udev@204-5ubuntu20.31?arch=amd64&distro=14.04&epoch=0&source=systemd" + } + ] + }, + { + "bom-ref": "comp-27", + "type": "application", + "name": "adduser", + "version": "3.113+nmu3ubuntu3", + "purl": "pkg:deb/ubuntu/adduser@3.113%2Bnmu3ubuntu3?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-28", + "type": "application", + "name": "gccgo-4.9", + "version": "4.9.3-0ubuntu4", + "purl": "pkg:deb/ubuntu/gccgo-4.9@4.9.3-0ubuntu4?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-30", + "type": "application", + "name": "libgcc1", + "version": "4.9.3-0ubuntu4", + "purl": "pkg:deb/ubuntu/libgcc1@4.9.3-0ubuntu4?arch=amd64&distro=14.04&epoch=0&source=gccgo-4.9" + }, + { + "bom-ref": "comp-32", + "type": "application", + "name": "gcc-4.9-base", + "version": "4.9.3-0ubuntu4", + "purl": "pkg:deb/ubuntu/gcc-4.9-base@4.9.3-0ubuntu4?arch=amd64&distro=14.04&epoch=0&source=gccgo-4.9" + } + ] + }, + { + "bom-ref": "comp-33", + "type": "application", + "name": "readline6", + "version": "6.3-4ubuntu2", + "purl": "pkg:deb/ubuntu/readline6@6.3-4ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-35", + "type": "application", + "name": "libreadline6", + "version": "6.3-4ubuntu2", + "purl": "pkg:deb/ubuntu/libreadline6@6.3-4ubuntu2?arch=amd64&distro=14.04&epoch=0&source=readline6" + }, + { + "bom-ref": "comp-37", + "type": "application", + "name": "readline-common", + "version": "6.3-4ubuntu2", + "purl": "pkg:deb/ubuntu/readline-common@6.3-4ubuntu2?arch=amd64&distro=14.04&epoch=0&source=readline6" + } + ] + }, + { + "bom-ref": "comp-38", + "type": "application", + "name": "plymouth", + "version": "0.8.8-0ubuntu17.2", + "purl": "pkg:deb/ubuntu/plymouth@0.8.8-0ubuntu17.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-40", + "type": "application", + "name": "libplymouth2", + "version": "0.8.8-0ubuntu17.2", + "purl": "pkg:deb/ubuntu/libplymouth2@0.8.8-0ubuntu17.2?arch=amd64&distro=14.04&epoch=0&source=plymouth" + } + ] + }, + { + "bom-ref": "comp-41", + "type": "application", + "name": "xz-utils", + "version": "5.1.1alpha+20120614-2ubuntu2", + "purl": "pkg:deb/ubuntu/xz-utils@5.1.1alpha%2B20120614-2ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-43", + "type": "application", + "name": "liblzma5", + "version": "5.1.1alpha+20120614-2ubuntu2", + "purl": "pkg:deb/ubuntu/liblzma5@5.1.1alpha%2B20120614-2ubuntu2?arch=amd64&distro=14.04&epoch=0&source=xz-utils" + } + ] + }, + { + "bom-ref": "comp-44", + "type": "application", + "name": "ca-certificates", + "version": "20170717~14.04.2", + "purl": "pkg:deb/ubuntu/ca-certificates@20170717~14.04.2?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-45", + "type": "application", + "name": "debconf", + "version": "1.5.51ubuntu2", + "purl": "pkg:deb/ubuntu/debconf@1.5.51ubuntu2?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-47", + "type": "application", + "name": "debconf-i18n", + "version": "1.5.51ubuntu2", + "purl": "pkg:deb/ubuntu/debconf-i18n@1.5.51ubuntu2?arch=all&distro=14.04&epoch=0&source=debconf" + } + ] + }, + { + "bom-ref": "comp-48", + "type": "application", + "name": "cdebconf", + "version": "0.187ubuntu1", + "purl": "pkg:deb/ubuntu/cdebconf@0.187ubuntu1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-50", + "type": "application", + "name": "libdebconfclient0", + "version": "0.187ubuntu1", + "purl": "pkg:deb/ubuntu/libdebconfclient0@0.187ubuntu1?arch=amd64&distro=14.04&epoch=0&source=cdebconf" + } + ] + }, + { + "bom-ref": "comp-51", + "type": "application", + "name": "dh-python", + "version": "1.20140128-1ubuntu8.2", + "purl": "pkg:deb/ubuntu/dh-python@1.20140128-1ubuntu8.2?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-52", + "type": "application", + "name": "liblog-message-simple-perl", + "version": "0.10-1", + "purl": "pkg:deb/ubuntu/liblog-message-simple-perl@0.10-1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-53", + "type": "application", + "name": "pcre3", + "version": "8.31-2ubuntu2.3", + "purl": "pkg:deb/ubuntu/pcre3@8.31-2ubuntu2.3?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-55", + "type": "application", + "name": "libpcre3", + "version": "8.31-2ubuntu2.3", + "purl": "pkg:deb/ubuntu/libpcre3@8.31-2ubuntu2.3?arch=amd64&distro=14.04&epoch=1&source=pcre3" + } + ] + }, + { + "bom-ref": "comp-56", + "type": "application", + "name": "libsemanage", + "version": "2.2-1", + "purl": "pkg:deb/ubuntu/libsemanage@2.2-1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-58", + "type": "application", + "name": "libsemanage1", + "version": "2.2-1", + "purl": "pkg:deb/ubuntu/libsemanage1@2.2-1?arch=amd64&distro=14.04&epoch=0&source=libsemanage" + }, + { + "bom-ref": "comp-60", + "type": "application", + "name": "libsemanage-common", + "version": "2.2-1", + "purl": "pkg:deb/ubuntu/libsemanage-common@2.2-1?arch=amd64&distro=14.04&epoch=0&source=libsemanage" + } + ] + }, + { + "bom-ref": "comp-61", + "type": "application", + "name": "sqlite3", + "version": "3.8.2-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/sqlite3@3.8.2-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-63", + "type": "application", + "name": "libsqlite3-0", + "version": "3.8.2-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libsqlite3-0@3.8.2-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=sqlite3" + } + ] + }, + { + "bom-ref": "comp-64", + "type": "application", + "name": "sed", + "version": "4.2.2-4ubuntu1", + "purl": "pkg:deb/ubuntu/sed@4.2.2-4ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-65", + "type": "application", + "name": "gnutls26", + "version": "2.12.23-12ubuntu2.8", + "purl": "pkg:deb/ubuntu/gnutls26@2.12.23-12ubuntu2.8?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-67", + "type": "application", + "name": "libgnutls-openssl27", + "version": "2.12.23-12ubuntu2.8", + "purl": "pkg:deb/ubuntu/libgnutls-openssl27@2.12.23-12ubuntu2.8?arch=amd64&distro=14.04&epoch=0&source=gnutls26" + }, + { + "bom-ref": "comp-69", + "type": "application", + "name": "libgnutls26", + "version": "2.12.23-12ubuntu2.8", + "purl": "pkg:deb/ubuntu/libgnutls26@2.12.23-12ubuntu2.8?arch=amd64&distro=14.04&epoch=0&source=gnutls26" + } + ] + }, + { + "bom-ref": "comp-70", + "type": "application", + "name": "libffi", + "version": "3.1~rc1+r3.0.13-12ubuntu0.2", + "purl": "pkg:deb/ubuntu/libffi@3.1~rc1%2Br3.0.13-12ubuntu0.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-72", + "type": "application", + "name": "libffi6", + "version": "3.1~rc1+r3.0.13-12ubuntu0.2", + "purl": "pkg:deb/ubuntu/libffi6@3.1~rc1%2Br3.0.13-12ubuntu0.2?arch=amd64&distro=14.04&epoch=0&source=libffi" + } + ] + }, + { + "bom-ref": "comp-73", + "type": "application", + "name": "mpdecimal", + "version": "2.4.0-6", + "purl": "pkg:deb/ubuntu/mpdecimal@2.4.0-6?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-75", + "type": "application", + "name": "libmpdec2", + "version": "2.4.0-6", + "purl": "pkg:deb/ubuntu/libmpdec2@2.4.0-6?arch=amd64&distro=14.04&epoch=0&source=mpdecimal" + } + ] + }, + { + "bom-ref": "comp-76", + "type": "application", + "name": "krb5", + "version": "1.12+dfsg-2ubuntu5.4", + "purl": "pkg:deb/ubuntu/krb5@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-78", + "type": "application", + "name": "libgssapi-krb5-2", + "version": "1.12+dfsg-2ubuntu5.4", + "purl": "pkg:deb/ubuntu/libgssapi-krb5-2@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5" + }, + { + "bom-ref": "comp-80", + "type": "application", + "name": "libk5crypto3", + "version": "1.12+dfsg-2ubuntu5.4", + "purl": "pkg:deb/ubuntu/libk5crypto3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5" + }, + { + "bom-ref": "comp-82", + "type": "application", + "name": "krb5-locales", + "version": "1.12+dfsg-2ubuntu5.4", + "purl": "pkg:deb/ubuntu/krb5-locales@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5" + }, + { + "bom-ref": "comp-84", + "type": "application", + "name": "libkrb5support0", + "version": "1.12+dfsg-2ubuntu5.4", + "purl": "pkg:deb/ubuntu/libkrb5support0@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5" + }, + { + "bom-ref": "comp-86", + "type": "application", + "name": "libkrb5-3", + "version": "1.12+dfsg-2ubuntu5.4", + "purl": "pkg:deb/ubuntu/libkrb5-3@1.12%2Bdfsg-2ubuntu5.4?arch=amd64&distro=14.04&epoch=0&source=krb5" + } + ] + }, + { + "bom-ref": "comp-87", + "type": "application", + "name": "tzdata", + "version": "2019a-0ubuntu0.14.04", + "purl": "pkg:deb/ubuntu/tzdata@2019a-0ubuntu0.14.04?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-88", + "type": "application", + "name": "sysvinit", + "version": "2.88dsf-41ubuntu6.3", + "purl": "pkg:deb/ubuntu/sysvinit@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-90", + "type": "application", + "name": "sysv-rc", + "version": "2.88dsf-41ubuntu6.3", + "purl": "pkg:deb/ubuntu/sysv-rc@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0&source=sysvinit" + }, + { + "bom-ref": "comp-92", + "type": "application", + "name": "initscripts", + "version": "2.88dsf-41ubuntu6.3", + "purl": "pkg:deb/ubuntu/initscripts@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0&source=sysvinit" + }, + { + "bom-ref": "comp-94", + "type": "application", + "name": "sysvinit-utils", + "version": "2.88dsf-41ubuntu6.3", + "purl": "pkg:deb/ubuntu/sysvinit-utils@2.88dsf-41ubuntu6.3?arch=all&distro=14.04&epoch=0&source=sysvinit" + } + ] + }, + { + "bom-ref": "comp-95", + "type": "application", + "name": "mountall", + "version": "2.53ubuntu1", + "purl": "pkg:deb/ubuntu/mountall@2.53ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-96", + "type": "application", + "name": "fribidi", + "version": "0.19.6-1", + "purl": "pkg:deb/ubuntu/fribidi@0.19.6-1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-98", + "type": "application", + "name": "libfribidi0", + "version": "0.19.6-1", + "purl": "pkg:deb/ubuntu/libfribidi0@0.19.6-1?arch=amd64&distro=14.04&epoch=0&source=fribidi" + } + ] + }, + { + "bom-ref": "comp-99", + "type": "application", + "name": "keyutils", + "version": "1.5.6-1", + "purl": "pkg:deb/ubuntu/keyutils@1.5.6-1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-101", + "type": "application", + "name": "libkeyutils1", + "version": "1.5.6-1", + "purl": "pkg:deb/ubuntu/libkeyutils1@1.5.6-1?arch=amd64&distro=14.04&epoch=0&source=keyutils" + } + ] + }, + { + "bom-ref": "comp-102", + "type": "application", + "name": "lsb", + "version": "4.1+Debian11ubuntu6.2", + "purl": "pkg:deb/ubuntu/lsb@4.1%2BDebian11ubuntu6.2?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-104", + "type": "application", + "name": "lsb-base", + "version": "4.1+Debian11ubuntu6.2", + "purl": "pkg:deb/ubuntu/lsb-base@4.1%2BDebian11ubuntu6.2?arch=all&distro=14.04&epoch=0&source=lsb" + }, + { + "bom-ref": "comp-106", + "type": "application", + "name": "lsb-release", + "version": "4.1+Debian11ubuntu6.2", + "purl": "pkg:deb/ubuntu/lsb-release@4.1%2BDebian11ubuntu6.2?arch=all&distro=14.04&epoch=0&source=lsb" + } + ] + }, + { + "bom-ref": "comp-107", + "type": "application", + "name": "ifupdown", + "version": "0.7.47.2ubuntu4.5", + "purl": "pkg:deb/ubuntu/ifupdown@0.7.47.2ubuntu4.5?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-108", + "type": "application", + "name": "ubuntu-keyring", + "version": "2012.05.19", + "purl": "pkg:deb/ubuntu/ubuntu-keyring@2012.05.19?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-109", + "type": "application", + "name": "rtmpdump", + "version": "2.4+20121230.gitdf6c518-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/rtmpdump@2.4%2B20121230.gitdf6c518-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-111", + "type": "application", + "name": "librtmp0", + "version": "2.4+20121230.gitdf6c518-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/librtmp0@2.4%2B20121230.gitdf6c518-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=rtmpdump" + } + ] + }, + { + "bom-ref": "comp-112", + "type": "application", + "name": "ureadahead", + "version": "0.100.0-16", + "purl": "pkg:deb/ubuntu/ureadahead@0.100.0-16?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-113", + "type": "application", + "name": "openldap", + "version": "2.4.31-1+nmu2ubuntu8.5", + "purl": "pkg:deb/ubuntu/openldap@2.4.31-1%2Bnmu2ubuntu8.5?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-115", + "type": "application", + "name": "libldap-2.4-2", + "version": "2.4.31-1+nmu2ubuntu8.5", + "purl": "pkg:deb/ubuntu/libldap-2.4-2@2.4.31-1%2Bnmu2ubuntu8.5?arch=amd64&distro=14.04&epoch=0&source=openldap" + } + ] + }, + { + "bom-ref": "comp-116", + "type": "application", + "name": "libtext-charwidth-perl", + "version": "0.04-7build3", + "purl": "pkg:deb/ubuntu/libtext-charwidth-perl@0.04-7build3?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-117", + "type": "application", + "name": "apt", + "version": "1.0.1ubuntu2.24", + "purl": "pkg:deb/ubuntu/apt@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-119", + "type": "application", + "name": "apt-transport-https", + "version": "1.0.1ubuntu2.24", + "purl": "pkg:deb/ubuntu/apt-transport-https@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt" + }, + { + "bom-ref": "comp-121", + "type": "application", + "name": "libapt-pkg4.12", + "version": "1.0.1ubuntu2.24", + "purl": "pkg:deb/ubuntu/libapt-pkg4.12@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt" + }, + { + "bom-ref": "comp-123", + "type": "application", + "name": "libapt-inst1.5", + "version": "1.0.1ubuntu2.24", + "purl": "pkg:deb/ubuntu/libapt-inst1.5@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt" + }, + { + "bom-ref": "comp-125", + "type": "application", + "name": "apt-utils", + "version": "1.0.1ubuntu2.24", + "purl": "pkg:deb/ubuntu/apt-utils@1.0.1ubuntu2.24?arch=amd64&distro=14.04&epoch=0&source=apt" + } + ] + }, + { + "bom-ref": "comp-126", + "type": "application", + "name": "findutils", + "version": "4.4.2-7", + "purl": "pkg:deb/ubuntu/findutils@4.4.2-7?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-127", + "type": "application", + "name": "dpkg", + "version": "1.17.5ubuntu5.8", + "purl": "pkg:deb/ubuntu/dpkg@1.17.5ubuntu5.8?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-128", + "type": "application", + "name": "less", + "version": "458-2", + "purl": "pkg:deb/ubuntu/less@458-2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-129", + "type": "application", + "name": "newt", + "version": "0.52.15-2ubuntu5", + "purl": "pkg:deb/ubuntu/newt@0.52.15-2ubuntu5?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-131", + "type": "application", + "name": "whiptail", + "version": "0.52.15-2ubuntu5", + "purl": "pkg:deb/ubuntu/whiptail@0.52.15-2ubuntu5?arch=amd64&distro=14.04&epoch=0&source=newt" + }, + { + "bom-ref": "comp-133", + "type": "application", + "name": "libnewt0.52", + "version": "0.52.15-2ubuntu5", + "purl": "pkg:deb/ubuntu/libnewt0.52@0.52.15-2ubuntu5?arch=amd64&distro=14.04&epoch=0&source=newt" + } + ] + }, + { + "bom-ref": "comp-134", + "type": "application", + "name": "heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-136", + "type": "application", + "name": "libhx509-5-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libhx509-5-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-138", + "type": "application", + "name": "libroken18-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libroken18-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-140", + "type": "application", + "name": "libhcrypto4-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libhcrypto4-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-142", + "type": "application", + "name": "libwind0-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libwind0-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-144", + "type": "application", + "name": "libheimntlm0-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libheimntlm0-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-146", + "type": "application", + "name": "libheimbase1-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libheimbase1-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-148", + "type": "application", + "name": "libgssapi3-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libgssapi3-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-150", + "type": "application", + "name": "libasn1-8-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libasn1-8-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + }, + { + "bom-ref": "comp-152", + "type": "application", + "name": "libkrb5-26-heimdal", + "version": "1.6~git20131207+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/libkrb5-26-heimdal@1.6~git20131207%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=heimdal" + } + ] + }, + { + "bom-ref": "comp-153", + "type": "application", + "name": "lockfile-progs", + "version": "0.1.17", + "purl": "pkg:deb/ubuntu/lockfile-progs@0.1.17?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-154", + "type": "application", + "name": "libtext-soundex-perl", + "version": "3.4-1build1", + "purl": "pkg:deb/ubuntu/libtext-soundex-perl@3.4-1build1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-155", + "type": "application", + "name": "sudo", + "version": "1.8.9p5-1ubuntu1.4", + "purl": "pkg:deb/ubuntu/sudo@1.8.9p5-1ubuntu1.4?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-156", + "type": "application", + "name": "cgmanager", + "version": "0.24-0ubuntu7.5", + "purl": "pkg:deb/ubuntu/cgmanager@0.24-0ubuntu7.5?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-158", + "type": "application", + "name": "libcgmanager0", + "version": "0.24-0ubuntu7.5", + "purl": "pkg:deb/ubuntu/libcgmanager0@0.24-0ubuntu7.5?arch=amd64&distro=14.04&epoch=0&source=cgmanager" + } + ] + }, + { + "bom-ref": "comp-159", + "type": "application", + "name": "liblocale-gettext-perl", + "version": "1.05-7build3", + "purl": "pkg:deb/ubuntu/liblocale-gettext-perl@1.05-7build3?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-160", + "type": "application", + "name": "python-setuptools", + "version": "3.3-1ubuntu2", + "purl": "pkg:deb/ubuntu/python-setuptools@3.3-1ubuntu2?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-162", + "type": "application", + "name": "python3-pkg-resources", + "version": "3.3-1ubuntu2", + "purl": "pkg:deb/ubuntu/python3-pkg-resources@3.3-1ubuntu2?arch=all&distro=14.04&epoch=0&source=python-setuptools" + } + ] + }, + { + "bom-ref": "comp-163", + "type": "application", + "name": "coreutils", + "version": "8.21-1ubuntu5.4", + "purl": "pkg:deb/ubuntu/coreutils@8.21-1ubuntu5.4?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-164", + "type": "application", + "name": "dbus", + "version": "1.6.18-0ubuntu4.5", + "purl": "pkg:deb/ubuntu/dbus@1.6.18-0ubuntu4.5?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-166", + "type": "application", + "name": "libdbus-1-3", + "version": "1.6.18-0ubuntu4.5", + "purl": "pkg:deb/ubuntu/libdbus-1-3@1.6.18-0ubuntu4.5?arch=amd64&distro=14.04&epoch=0&source=dbus" + } + ] + }, + { + "bom-ref": "comp-167", + "type": "application", + "name": "util-linux", + "version": "2.20.1-5.1ubuntu20.9", + "purl": "pkg:deb/ubuntu/util-linux@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-169", + "type": "application", + "name": "libuuid1", + "version": "2.20.1-5.1ubuntu20.9", + "purl": "pkg:deb/ubuntu/libuuid1@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux" + }, + { + "bom-ref": "comp-171", + "type": "application", + "name": "bsdutils", + "version": "2.20.1-5.1ubuntu20.9", + "purl": "pkg:deb/ubuntu/bsdutils@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux" + }, + { + "bom-ref": "comp-173", + "type": "application", + "name": "libmount1", + "version": "2.20.1-5.1ubuntu20.9", + "purl": "pkg:deb/ubuntu/libmount1@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux" + }, + { + "bom-ref": "comp-175", + "type": "application", + "name": "mount", + "version": "2.20.1-5.1ubuntu20.9", + "purl": "pkg:deb/ubuntu/mount@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux" + }, + { + "bom-ref": "comp-177", + "type": "application", + "name": "libblkid1", + "version": "2.20.1-5.1ubuntu20.9", + "purl": "pkg:deb/ubuntu/libblkid1@2.20.1-5.1ubuntu20.9?arch=amd64&distro=14.04&epoch=0&source=util-linux" + } + ] + }, + { + "bom-ref": "comp-178", + "type": "application", + "name": "gzip", + "version": "1.6-3ubuntu1", + "purl": "pkg:deb/ubuntu/gzip@1.6-3ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-179", + "type": "application", + "name": "libidn", + "version": "1.28-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libidn@1.28-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-181", + "type": "application", + "name": "libidn11", + "version": "1.28-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libidn11@1.28-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=libidn" + } + ] + }, + { + "bom-ref": "comp-182", + "type": "application", + "name": "initramfs-tools", + "version": "0.103ubuntu4.11", + "purl": "pkg:deb/ubuntu/initramfs-tools@0.103ubuntu4.11?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-184", + "type": "application", + "name": "initramfs-tools-bin", + "version": "0.103ubuntu4.11", + "purl": "pkg:deb/ubuntu/initramfs-tools-bin@0.103ubuntu4.11?arch=all&distro=14.04&epoch=0&source=initramfs-tools" + } + ] + }, + { + "bom-ref": "comp-185", + "type": "application", + "name": "python3-defaults", + "version": "3.4.0-0ubuntu2", + "purl": "pkg:deb/ubuntu/python3-defaults@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-187", + "type": "application", + "name": "libpython3-stdlib", + "version": "3.4.0-0ubuntu2", + "purl": "pkg:deb/ubuntu/libpython3-stdlib@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=python3-defaults" + }, + { + "bom-ref": "comp-189", + "type": "application", + "name": "python3-minimal", + "version": "3.4.0-0ubuntu2", + "purl": "pkg:deb/ubuntu/python3-minimal@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=python3-defaults" + }, + { + "bom-ref": "comp-191", + "type": "application", + "name": "python3", + "version": "3.4.0-0ubuntu2", + "purl": "pkg:deb/ubuntu/python3@3.4.0-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=python3-defaults" + } + ] + }, + { + "bom-ref": "comp-192", + "type": "application", + "name": "netbase", + "version": "5.2", + "purl": "pkg:deb/ubuntu/netbase@5.2?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-193", + "type": "application", + "name": "netcat-openbsd", + "version": "1.105-7ubuntu1", + "purl": "pkg:deb/ubuntu/netcat-openbsd@1.105-7ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-194", + "type": "application", + "name": "console-setup", + "version": "1.70ubuntu8", + "purl": "pkg:deb/ubuntu/console-setup@1.70ubuntu8?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-196", + "type": "application", + "name": "keyboard-configuration", + "version": "1.70ubuntu8", + "purl": "pkg:deb/ubuntu/keyboard-configuration@1.70ubuntu8?arch=all&distro=14.04&epoch=0&source=console-setup" + } + ] + }, + { + "bom-ref": "comp-197", + "type": "application", + "name": "libcap2", + "version": "2.24-0ubuntu2", + "purl": "pkg:deb/ubuntu/libcap2@2.24-0ubuntu2?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-199", + "type": "application", + "name": "libpam-cap", + "version": "2.24-0ubuntu2", + "purl": "pkg:deb/ubuntu/libpam-cap@2.24-0ubuntu2?arch=amd64&distro=14.04&epoch=1&source=libcap2" + }, + { + "bom-ref": "comp-201", + "type": "application", + "name": "libcap2-bin", + "version": "2.24-0ubuntu2", + "purl": "pkg:deb/ubuntu/libcap2-bin@2.24-0ubuntu2?arch=amd64&distro=14.04&epoch=1&source=libcap2" + } + ] + }, + { + "bom-ref": "comp-202", + "type": "application", + "name": "debianutils", + "version": "4.4", + "purl": "pkg:deb/ubuntu/debianutils@4.4?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-203", + "type": "application", + "name": "curl", + "version": "7.35.0-1ubuntu2.20", + "purl": "pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.20?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-205", + "type": "application", + "name": "libcurl3-gnutls", + "version": "7.35.0-1ubuntu2.20", + "purl": "pkg:deb/ubuntu/libcurl3-gnutls@7.35.0-1ubuntu2.20?arch=amd64&distro=14.04&epoch=0&source=curl" + } + ] + }, + { + "bom-ref": "comp-206", + "type": "application", + "name": "libusb", + "version": "0.1.12-23.3ubuntu1", + "purl": "pkg:deb/ubuntu/libusb@0.1.12-23.3ubuntu1?arch=amd64&distro=14.04&epoch=2", + "components": [ + { + "bom-ref": "comp-208", + "type": "application", + "name": "libusb-0.1-4", + "version": "0.1.12-23.3ubuntu1", + "purl": "pkg:deb/ubuntu/libusb-0.1-4@0.1.12-23.3ubuntu1?arch=amd64&distro=14.04&epoch=2&source=libusb" + } + ] + }, + { + "bom-ref": "comp-209", + "type": "application", + "name": "file", + "version": "5.14-2ubuntu3.4", + "purl": "pkg:deb/ubuntu/file@5.14-2ubuntu3.4?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-211", + "type": "application", + "name": "libmagic1", + "version": "5.14-2ubuntu3.4", + "purl": "pkg:deb/ubuntu/libmagic1@5.14-2ubuntu3.4?arch=amd64&distro=14.04&epoch=1&source=file" + } + ] + }, + { + "bom-ref": "comp-212", + "type": "application", + "name": "zlib", + "version": "1.2.8.dfsg-1ubuntu1.1", + "purl": "pkg:deb/ubuntu/zlib@1.2.8.dfsg-1ubuntu1.1?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-214", + "type": "application", + "name": "zlib1g", + "version": "1.2.8.dfsg-1ubuntu1.1", + "purl": "pkg:deb/ubuntu/zlib1g@1.2.8.dfsg-1ubuntu1.1?arch=amd64&distro=14.04&epoch=1&source=zlib" + } + ] + }, + { + "bom-ref": "comp-215", + "type": "application", + "name": "base-passwd", + "version": "3.5.33", + "purl": "pkg:deb/ubuntu/base-passwd@3.5.33?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-216", + "type": "application", + "name": "hostname", + "version": "3.15ubuntu1", + "purl": "pkg:deb/ubuntu/hostname@3.15ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-217", + "type": "application", + "name": "mime-support", + "version": "3.54ubuntu1.1", + "purl": "pkg:deb/ubuntu/mime-support@3.54ubuntu1.1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-218", + "type": "application", + "name": "gnupg", + "version": "1.4.16-1ubuntu2.6", + "purl": "pkg:deb/ubuntu/gnupg@1.4.16-1ubuntu2.6?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-220", + "type": "application", + "name": "gpgv", + "version": "1.4.16-1ubuntu2.6", + "purl": "pkg:deb/ubuntu/gpgv@1.4.16-1ubuntu2.6?arch=amd64&distro=14.04&epoch=0&source=gnupg" + } + ] + }, + { + "bom-ref": "comp-221", + "type": "application", + "name": "ncurses", + "version": "5.9+20140118-1ubuntu1", + "purl": "pkg:deb/ubuntu/ncurses@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-223", + "type": "application", + "name": "ncurses-base", + "version": "5.9+20140118-1ubuntu1", + "purl": "pkg:deb/ubuntu/ncurses-base@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses" + }, + { + "bom-ref": "comp-225", + "type": "application", + "name": "ncurses-bin", + "version": "5.9+20140118-1ubuntu1", + "purl": "pkg:deb/ubuntu/ncurses-bin@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses" + }, + { + "bom-ref": "comp-227", + "type": "application", + "name": "libncurses5", + "version": "5.9+20140118-1ubuntu1", + "purl": "pkg:deb/ubuntu/libncurses5@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses" + }, + { + "bom-ref": "comp-229", + "type": "application", + "name": "libncursesw5", + "version": "5.9+20140118-1ubuntu1", + "purl": "pkg:deb/ubuntu/libncursesw5@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses" + }, + { + "bom-ref": "comp-231", + "type": "application", + "name": "libtinfo5", + "version": "5.9+20140118-1ubuntu1", + "purl": "pkg:deb/ubuntu/libtinfo5@5.9%2B20140118-1ubuntu1?arch=all&distro=14.04&epoch=0&source=ncurses" + } + ] + }, + { + "bom-ref": "comp-232", + "type": "application", + "name": "libdrm", + "version": "2.4.67-1ubuntu0.14.04.2", + "purl": "pkg:deb/ubuntu/libdrm@2.4.67-1ubuntu0.14.04.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-234", + "type": "application", + "name": "libdrm2", + "version": "2.4.67-1ubuntu0.14.04.2", + "purl": "pkg:deb/ubuntu/libdrm2@2.4.67-1ubuntu0.14.04.2?arch=amd64&distro=14.04&epoch=0&source=libdrm" + } + ] + }, + { + "bom-ref": "comp-235", + "type": "application", + "name": "grep", + "version": "2.16-1", + "purl": "pkg:deb/ubuntu/grep@2.16-1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-236", + "type": "application", + "name": "isc-dhcp", + "version": "4.2.4-7ubuntu12.13", + "purl": "pkg:deb/ubuntu/isc-dhcp@4.2.4-7ubuntu12.13?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-238", + "type": "application", + "name": "isc-dhcp-common", + "version": "4.2.4-7ubuntu12.13", + "purl": "pkg:deb/ubuntu/isc-dhcp-common@4.2.4-7ubuntu12.13?arch=amd64&distro=14.04&epoch=0&source=isc-dhcp" + }, + { + "bom-ref": "comp-240", + "type": "application", + "name": "isc-dhcp-client", + "version": "4.2.4-7ubuntu12.13", + "purl": "pkg:deb/ubuntu/isc-dhcp-client@4.2.4-7ubuntu12.13?arch=amd64&distro=14.04&epoch=0&source=isc-dhcp" + } + ] + }, + { + "bom-ref": "comp-241", + "type": "application", + "name": "vim", + "version": "7.4.052-1ubuntu3.1", + "purl": "pkg:deb/ubuntu/vim@7.4.052-1ubuntu3.1?arch=amd64&distro=14.04&epoch=2", + "components": [ + { + "bom-ref": "comp-243", + "type": "application", + "name": "vim-common", + "version": "7.4.052-1ubuntu3.1", + "purl": "pkg:deb/ubuntu/vim-common@7.4.052-1ubuntu3.1?arch=amd64&distro=14.04&epoch=2&source=vim" + }, + { + "bom-ref": "comp-245", + "type": "application", + "name": "vim-tiny", + "version": "7.4.052-1ubuntu3.1", + "purl": "pkg:deb/ubuntu/vim-tiny@7.4.052-1ubuntu3.1?arch=amd64&distro=14.04&epoch=2&source=vim" + } + ] + }, + { + "bom-ref": "comp-246", + "type": "application", + "name": "acl", + "version": "2.2.52-1", + "purl": "pkg:deb/ubuntu/acl@2.2.52-1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-248", + "type": "application", + "name": "libacl1", + "version": "2.2.52-1", + "purl": "pkg:deb/ubuntu/libacl1@2.2.52-1?arch=amd64&distro=14.04&epoch=0&source=acl" + } + ] + }, + { + "bom-ref": "comp-249", + "type": "application", + "name": "libbsd", + "version": "0.6.0-2ubuntu1", + "purl": "pkg:deb/ubuntu/libbsd@0.6.0-2ubuntu1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-251", + "type": "application", + "name": "libbsd0", + "version": "0.6.0-2ubuntu1", + "purl": "pkg:deb/ubuntu/libbsd0@0.6.0-2ubuntu1?arch=amd64&distro=14.04&epoch=0&source=libbsd" + } + ] + }, + { + "bom-ref": "comp-252", + "type": "application", + "name": "expat", + "version": "2.1.0-4ubuntu1.4", + "purl": "pkg:deb/ubuntu/expat@2.1.0-4ubuntu1.4?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-254", + "type": "application", + "name": "libexpat1", + "version": "2.1.0-4ubuntu1.4", + "purl": "pkg:deb/ubuntu/libexpat1@2.1.0-4ubuntu1.4?arch=amd64&distro=14.04&epoch=0&source=expat" + } + ] + }, + { + "bom-ref": "comp-255", + "type": "application", + "name": "eject", + "version": "2.1.5+deb1+cvs20081104-13.1ubuntu0.14.04.1", + "purl": "pkg:deb/ubuntu/eject@2.1.5%2Bdeb1%2Bcvs20081104-13.1ubuntu0.14.04.1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-256", + "type": "application", + "name": "rsyslog", + "version": "7.4.4-1ubuntu2.7", + "purl": "pkg:deb/ubuntu/rsyslog@7.4.4-1ubuntu2.7?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-257", + "type": "application", + "name": "libgcrypt11", + "version": "1.5.3-2ubuntu4.6", + "purl": "pkg:deb/ubuntu/libgcrypt11@1.5.3-2ubuntu4.6?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-258", + "type": "application", + "name": "sensible-utils", + "version": "0.0.9ubuntu0.14.04.1", + "purl": "pkg:deb/ubuntu/sensible-utils@0.0.9ubuntu0.14.04.1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-259", + "type": "application", + "name": "tar", + "version": "1.27.1-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/tar@1.27.1-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-260", + "type": "application", + "name": "base-files", + "version": "7.2ubuntu5.6", + "purl": "pkg:deb/ubuntu/base-files@7.2ubuntu5.6?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-261", + "type": "application", + "name": "bzip2", + "version": "1.0.6-5", + "purl": "pkg:deb/ubuntu/bzip2@1.0.6-5?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-263", + "type": "application", + "name": "libbz2-1.0", + "version": "1.0.6-5", + "purl": "pkg:deb/ubuntu/libbz2-1.0@1.0.6-5?arch=amd64&distro=14.04&epoch=0&source=bzip2" + } + ] + }, + { + "bom-ref": "comp-264", + "type": "application", + "name": "libterm-ui-perl", + "version": "0.42-1", + "purl": "pkg:deb/ubuntu/libterm-ui-perl@0.42-1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-265", + "type": "application", + "name": "upstart", + "version": "1.12.1-0ubuntu4.2", + "purl": "pkg:deb/ubuntu/upstart@1.12.1-0ubuntu4.2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-266", + "type": "application", + "name": "libnih", + "version": "1.0.3-4ubuntu25", + "purl": "pkg:deb/ubuntu/libnih@1.0.3-4ubuntu25?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-268", + "type": "application", + "name": "libnih1", + "version": "1.0.3-4ubuntu25", + "purl": "pkg:deb/ubuntu/libnih1@1.0.3-4ubuntu25?arch=amd64&distro=14.04&epoch=0&source=libnih" + }, + { + "bom-ref": "comp-270", + "type": "application", + "name": "libnih-dbus1", + "version": "1.0.3-4ubuntu25", + "purl": "pkg:deb/ubuntu/libnih-dbus1@1.0.3-4ubuntu25?arch=amd64&distro=14.04&epoch=0&source=libnih" + } + ] + }, + { + "bom-ref": "comp-271", + "type": "application", + "name": "dash", + "version": "0.5.7-4ubuntu1", + "purl": "pkg:deb/ubuntu/dash@0.5.7-4ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-272", + "type": "application", + "name": "net-tools", + "version": "1.60-25ubuntu2.1", + "purl": "pkg:deb/ubuntu/net-tools@1.60-25ubuntu2.1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-273", + "type": "application", + "name": "klibc", + "version": "2.0.3-0ubuntu1.14.04.3", + "purl": "pkg:deb/ubuntu/klibc@2.0.3-0ubuntu1.14.04.3?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-275", + "type": "application", + "name": "libklibc", + "version": "2.0.3-0ubuntu1.14.04.3", + "purl": "pkg:deb/ubuntu/libklibc@2.0.3-0ubuntu1.14.04.3?arch=amd64&distro=14.04&epoch=0&source=klibc" + }, + { + "bom-ref": "comp-277", + "type": "application", + "name": "klibc-utils", + "version": "2.0.3-0ubuntu1.14.04.3", + "purl": "pkg:deb/ubuntu/klibc-utils@2.0.3-0ubuntu1.14.04.3?arch=amd64&distro=14.04&epoch=0&source=klibc" + } + ] + }, + { + "bom-ref": "comp-278", + "type": "application", + "name": "ntp", + "version": "4.2.6.p5+dfsg-3ubuntu2.14.04.13", + "purl": "pkg:deb/ubuntu/ntp@4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-280", + "type": "application", + "name": "ntpdate", + "version": "4.2.6.p5+dfsg-3ubuntu2.14.04.13", + "purl": "pkg:deb/ubuntu/ntpdate@4.2.6.p5%2Bdfsg-3ubuntu2.14.04.13?arch=amd64&distro=14.04&epoch=1&source=ntp" + } + ] + }, + { + "bom-ref": "comp-281", + "type": "application", + "name": "iproute2", + "version": "3.12.0-2ubuntu1.2", + "purl": "pkg:deb/ubuntu/iproute2@3.12.0-2ubuntu1.2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-282", + "type": "application", + "name": "pam", + "version": "1.1.8-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/pam@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-284", + "type": "application", + "name": "libpam0g", + "version": "1.1.8-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libpam0g@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam" + }, + { + "bom-ref": "comp-286", + "type": "application", + "name": "libpam-modules", + "version": "1.1.8-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libpam-modules@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam" + }, + { + "bom-ref": "comp-288", + "type": "application", + "name": "libpam-runtime", + "version": "1.1.8-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libpam-runtime@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam" + }, + { + "bom-ref": "comp-290", + "type": "application", + "name": "libpam-modules-bin", + "version": "1.1.8-1ubuntu2.2", + "purl": "pkg:deb/ubuntu/libpam-modules-bin@1.1.8-1ubuntu2.2?arch=amd64&distro=14.04&epoch=0&source=pam" + } + ] + }, + { + "bom-ref": "comp-291", + "type": "application", + "name": "perl", + "version": "5.18.2-2ubuntu1.7", + "purl": "pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-293", + "type": "application", + "name": "perl-modules", + "version": "5.18.2-2ubuntu1.7", + "purl": "pkg:deb/ubuntu/perl-modules@5.18.2-2ubuntu1.7?arch=all&distro=14.04&epoch=0&source=perl" + }, + { + "bom-ref": "comp-295", + "type": "application", + "name": "perl-base", + "version": "5.18.2-2ubuntu1.7", + "purl": "pkg:deb/ubuntu/perl-base@5.18.2-2ubuntu1.7?arch=all&distro=14.04&epoch=0&source=perl" + } + ] + }, + { + "bom-ref": "comp-296", + "type": "application", + "name": "libsepol", + "version": "2.2-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/libsepol@2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-298", + "type": "application", + "name": "libsepol1", + "version": "2.2-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/libsepol1@2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=libsepol" + } + ] + }, + { + "bom-ref": "comp-299", + "type": "application", + "name": "cron", + "version": "3.0pl1-124ubuntu2", + "purl": "pkg:deb/ubuntu/cron@3.0pl1-124ubuntu2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-300", + "type": "application", + "name": "ubuntu-meta", + "version": "1.325.1", + "purl": "pkg:deb/ubuntu/ubuntu-meta@1.325.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-302", + "type": "application", + "name": "ubuntu-minimal", + "version": "1.325.1", + "purl": "pkg:deb/ubuntu/ubuntu-minimal@1.325.1?arch=amd64&distro=14.04&epoch=0&source=ubuntu-meta" + } + ] + }, + { + "bom-ref": "comp-303", + "type": "application", + "name": "makedev", + "version": "2.3.1-93ubuntu2~ubuntu14.04.1", + "purl": "pkg:deb/ubuntu/makedev@2.3.1-93ubuntu2~ubuntu14.04.1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-304", + "type": "application", + "name": "popt", + "version": "1.16-8ubuntu1", + "purl": "pkg:deb/ubuntu/popt@1.16-8ubuntu1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-306", + "type": "application", + "name": "libpopt0", + "version": "1.16-8ubuntu1", + "purl": "pkg:deb/ubuntu/libpopt0@1.16-8ubuntu1?arch=amd64&distro=14.04&epoch=0&source=popt" + } + ] + }, + { + "bom-ref": "comp-307", + "type": "application", + "name": "json-c", + "version": "0.11-3ubuntu1.2", + "purl": "pkg:deb/ubuntu/json-c@0.11-3ubuntu1.2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-309", + "type": "application", + "name": "libjson-c2", + "version": "0.11-3ubuntu1.2", + "purl": "pkg:deb/ubuntu/libjson-c2@0.11-3ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=json-c" + }, + { + "bom-ref": "comp-311", + "type": "application", + "name": "libjson0", + "version": "0.11-3ubuntu1.2", + "purl": "pkg:deb/ubuntu/libjson0@0.11-3ubuntu1.2?arch=amd64&distro=14.04&epoch=0&source=json-c" + } + ] + }, + { + "bom-ref": "comp-312", + "type": "application", + "name": "slang2", + "version": "2.2.4-15ubuntu1", + "purl": "pkg:deb/ubuntu/slang2@2.2.4-15ubuntu1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-314", + "type": "application", + "name": "libslang2", + "version": "2.2.4-15ubuntu1", + "purl": "pkg:deb/ubuntu/libslang2@2.2.4-15ubuntu1?arch=amd64&distro=14.04&epoch=0&source=slang2" + } + ] + }, + { + "bom-ref": "comp-315", + "type": "application", + "name": "libtasn1-6", + "version": "3.4-3ubuntu0.6", + "purl": "pkg:deb/ubuntu/libtasn1-6@3.4-3ubuntu0.6?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-316", + "type": "application", + "name": "lvm2", + "version": "2.02.98-6ubuntu2", + "purl": "pkg:deb/ubuntu/lvm2@2.02.98-6ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-318", + "type": "application", + "name": "libdevmapper1.02.1", + "version": "2.02.98-6ubuntu2", + "purl": "pkg:deb/ubuntu/libdevmapper1.02.1@2.02.98-6ubuntu2?arch=amd64&distro=14.04&epoch=0&source=lvm2" + }, + { + "bom-ref": "comp-320", + "type": "application", + "name": "dmsetup", + "version": "2.02.98-6ubuntu2", + "purl": "pkg:deb/ubuntu/dmsetup@2.02.98-6ubuntu2?arch=amd64&distro=14.04&epoch=0&source=lvm2" + } + ] + }, + { + "bom-ref": "comp-321", + "type": "application", + "name": "libmodule-pluggable-perl", + "version": "5.1-1", + "purl": "pkg:deb/ubuntu/libmodule-pluggable-perl@5.1-1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-322", + "type": "application", + "name": "eglibc", + "version": "2.19-0ubuntu6.15", + "purl": "pkg:deb/ubuntu/eglibc@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-324", + "type": "application", + "name": "libc-bin", + "version": "2.19-0ubuntu6.15", + "purl": "pkg:deb/ubuntu/libc-bin@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0&source=eglibc" + }, + { + "bom-ref": "comp-326", + "type": "application", + "name": "multiarch-support", + "version": "2.19-0ubuntu6.15", + "purl": "pkg:deb/ubuntu/multiarch-support@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0&source=eglibc" + }, + { + "bom-ref": "comp-328", + "type": "application", + "name": "libc6", + "version": "2.19-0ubuntu6.15", + "purl": "pkg:deb/ubuntu/libc6@2.19-0ubuntu6.15?arch=amd64&distro=14.04&epoch=0&source=eglibc" + } + ] + }, + { + "bom-ref": "comp-329", + "type": "application", + "name": "audit", + "version": "2.3.2-2ubuntu1", + "purl": "pkg:deb/ubuntu/audit@2.3.2-2ubuntu1?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-331", + "type": "application", + "name": "libaudit1", + "version": "2.3.2-2ubuntu1", + "purl": "pkg:deb/ubuntu/libaudit1@2.3.2-2ubuntu1?arch=amd64&distro=14.04&epoch=1&source=audit" + }, + { + "bom-ref": "comp-333", + "type": "application", + "name": "libaudit-common", + "version": "2.3.2-2ubuntu1", + "purl": "pkg:deb/ubuntu/libaudit-common@2.3.2-2ubuntu1?arch=amd64&distro=14.04&epoch=1&source=audit" + } + ] + }, + { + "bom-ref": "comp-334", + "type": "application", + "name": "libpng", + "version": "1.2.50-1ubuntu2.14.04.3", + "purl": "pkg:deb/ubuntu/libpng@1.2.50-1ubuntu2.14.04.3?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-336", + "type": "application", + "name": "libpng12-0", + "version": "1.2.50-1ubuntu2.14.04.3", + "purl": "pkg:deb/ubuntu/libpng12-0@1.2.50-1ubuntu2.14.04.3?arch=amd64&distro=14.04&epoch=0&source=libpng" + } + ] + }, + { + "bom-ref": "comp-337", + "type": "application", + "name": "python3.4", + "version": "3.4.3-1ubuntu1~14.04.7", + "purl": "pkg:deb/ubuntu/python3.4@3.4.3-1ubuntu1~14.04.7?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-339", + "type": "application", + "name": "libpython3.4-minimal", + "version": "3.4.3-1ubuntu1~14.04.7", + "purl": "pkg:deb/ubuntu/libpython3.4-minimal@3.4.3-1ubuntu1~14.04.7?arch=amd64&distro=14.04&epoch=0&source=python3.4" + }, + { + "bom-ref": "comp-341", + "type": "application", + "name": "python3.4-minimal", + "version": "3.4.3-1ubuntu1~14.04.7", + "purl": "pkg:deb/ubuntu/python3.4-minimal@3.4.3-1ubuntu1~14.04.7?arch=amd64&distro=14.04&epoch=0&source=python3.4" + }, + { + "bom-ref": "comp-343", + "type": "application", + "name": "libpython3.4-stdlib", + "version": "3.4.3-1ubuntu1~14.04.7", + "purl": "pkg:deb/ubuntu/libpython3.4-stdlib@3.4.3-1ubuntu1~14.04.7?arch=amd64&distro=14.04&epoch=0&source=python3.4" + } + ] + }, + { + "bom-ref": "comp-344", + "type": "application", + "name": "diffutils", + "version": "3.3-1", + "purl": "pkg:deb/ubuntu/diffutils@3.3-1?arch=amd64&distro=14.04&epoch=1" + }, + { + "bom-ref": "comp-345", + "type": "application", + "name": "logrotate", + "version": "3.8.7-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/logrotate@3.8.7-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-346", + "type": "application", + "name": "ubuntu-advantage-tools", + "version": "19.6~ubuntu14.04.3", + "purl": "pkg:deb/ubuntu/ubuntu-advantage-tools@19.6~ubuntu14.04.3?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-347", + "type": "application", + "name": "openssl", + "version": "1.0.1f-1ubuntu2.27", + "purl": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-349", + "type": "application", + "name": "libssl1.0.0", + "version": "1.0.1f-1ubuntu2.27", + "purl": "pkg:deb/ubuntu/libssl1.0.0@1.0.1f-1ubuntu2.27?arch=amd64&distro=14.04&epoch=0&source=openssl" + } + ] + }, + { + "bom-ref": "comp-350", + "type": "application", + "name": "libestr", + "version": "0.1.9-0ubuntu2", + "purl": "pkg:deb/ubuntu/libestr@0.1.9-0ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-352", + "type": "application", + "name": "libestr0", + "version": "0.1.9-0ubuntu2", + "purl": "pkg:deb/ubuntu/libestr0@0.1.9-0ubuntu2?arch=amd64&distro=14.04&epoch=0&source=libestr" + } + ] + }, + { + "bom-ref": "comp-353", + "type": "application", + "name": "kbd", + "version": "1.15.5-1ubuntu1", + "purl": "pkg:deb/ubuntu/kbd@1.15.5-1ubuntu1?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-354", + "type": "application", + "name": "ustr", + "version": "1.0.4-3ubuntu2", + "purl": "pkg:deb/ubuntu/ustr@1.0.4-3ubuntu2?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-356", + "type": "application", + "name": "libustr-1.0-1", + "version": "1.0.4-3ubuntu2", + "purl": "pkg:deb/ubuntu/libustr-1.0-1@1.0.4-3ubuntu2?arch=amd64&distro=14.04&epoch=0&source=ustr" + } + ] + }, + { + "bom-ref": "comp-357", + "type": "application", + "name": "mawk", + "version": "1.3.3-17ubuntu2", + "purl": "pkg:deb/ubuntu/mawk@1.3.3-17ubuntu2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-358", + "type": "application", + "name": "gcc-4.8", + "version": "4.8.4-2ubuntu1~14.04.4", + "purl": "pkg:deb/ubuntu/gcc-4.8@4.8.4-2ubuntu1~14.04.4?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-360", + "type": "application", + "name": "gcc-4.8-base", + "version": "4.8.4-2ubuntu1~14.04.4", + "purl": "pkg:deb/ubuntu/gcc-4.8-base@4.8.4-2ubuntu1~14.04.4?arch=amd64&distro=14.04&epoch=0&source=gcc-4.8" + }, + { + "bom-ref": "comp-362", + "type": "application", + "name": "libstdc++6", + "version": "4.8.4-2ubuntu1~14.04.4", + "purl": "pkg:deb/ubuntu/libstdc%2B%2B6@4.8.4-2ubuntu1~14.04.4?arch=amd64&distro=14.04&epoch=0&source=gcc-4.8" + } + ] + }, + { + "bom-ref": "comp-363", + "type": "application", + "name": "insserv", + "version": "1.14.0-5ubuntu2", + "purl": "pkg:deb/ubuntu/insserv@1.14.0-5ubuntu2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-364", + "type": "application", + "name": "init-system-helpers", + "version": "1.14ubuntu1", + "purl": "pkg:deb/ubuntu/init-system-helpers@1.14ubuntu1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-365", + "type": "application", + "name": "resolvconf", + "version": "1.69ubuntu1.4", + "purl": "pkg:deb/ubuntu/resolvconf@1.69ubuntu1.4?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-366", + "type": "application", + "name": "xkeyboard-config", + "version": "2.10.1-1ubuntu1", + "purl": "pkg:deb/ubuntu/xkeyboard-config@2.10.1-1ubuntu1?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-368", + "type": "application", + "name": "xkb-data", + "version": "2.10.1-1ubuntu1", + "purl": "pkg:deb/ubuntu/xkb-data@2.10.1-1ubuntu1?arch=all&distro=14.04&epoch=0&source=xkeyboard-config" + } + ] + }, + { + "bom-ref": "comp-369", + "type": "application", + "name": "db5.3", + "version": "5.3.28-3ubuntu3.1", + "purl": "pkg:deb/ubuntu/db5.3@5.3.28-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-371", + "type": "application", + "name": "libdb5.3", + "version": "5.3.28-3ubuntu3.1", + "purl": "pkg:deb/ubuntu/libdb5.3@5.3.28-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0&source=db5.3" + } + ] + }, + { + "bom-ref": "comp-372", + "type": "application", + "name": "bash", + "version": "4.3-7ubuntu1.7", + "purl": "pkg:deb/ubuntu/bash@4.3-7ubuntu1.7?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-373", + "type": "application", + "name": "kmod", + "version": "15-0ubuntu7", + "purl": "pkg:deb/ubuntu/kmod@15-0ubuntu7?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-375", + "type": "application", + "name": "module-init-tools", + "version": "15-0ubuntu7", + "purl": "pkg:deb/ubuntu/module-init-tools@15-0ubuntu7?arch=all&distro=14.04&epoch=0&source=kmod" + }, + { + "bom-ref": "comp-377", + "type": "application", + "name": "libkmod2", + "version": "15-0ubuntu7", + "purl": "pkg:deb/ubuntu/libkmod2@15-0ubuntu7?arch=all&distro=14.04&epoch=0&source=kmod" + } + ] + }, + { + "bom-ref": "comp-378", + "type": "application", + "name": "procps", + "version": "3.3.9-1ubuntu2.3", + "purl": "pkg:deb/ubuntu/procps@3.3.9-1ubuntu2.3?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-380", + "type": "application", + "name": "libprocps3", + "version": "3.3.9-1ubuntu2.3", + "purl": "pkg:deb/ubuntu/libprocps3@3.3.9-1ubuntu2.3?arch=amd64&distro=14.04&epoch=1&source=procps" + } + ] + }, + { + "bom-ref": "comp-381", + "type": "application", + "name": "liblockfile", + "version": "1.09-6ubuntu1", + "purl": "pkg:deb/ubuntu/liblockfile@1.09-6ubuntu1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-383", + "type": "application", + "name": "liblockfile-bin", + "version": "1.09-6ubuntu1", + "purl": "pkg:deb/ubuntu/liblockfile-bin@1.09-6ubuntu1?arch=amd64&distro=14.04&epoch=0&source=liblockfile" + }, + { + "bom-ref": "comp-385", + "type": "application", + "name": "liblockfile1", + "version": "1.09-6ubuntu1", + "purl": "pkg:deb/ubuntu/liblockfile1@1.09-6ubuntu1?arch=amd64&distro=14.04&epoch=0&source=liblockfile" + } + ] + }, + { + "bom-ref": "comp-386", + "type": "application", + "name": "libpod-latex-perl", + "version": "0.61-1", + "purl": "pkg:deb/ubuntu/libpod-latex-perl@0.61-1?arch=all&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-387", + "type": "application", + "name": "libyaml", + "version": "0.1.4-3ubuntu3.1", + "purl": "pkg:deb/ubuntu/libyaml@0.1.4-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-389", + "type": "application", + "name": "libyaml-0-2", + "version": "0.1.4-3ubuntu3.1", + "purl": "pkg:deb/ubuntu/libyaml-0-2@0.1.4-3ubuntu3.1?arch=amd64&distro=14.04&epoch=0&source=libyaml" + } + ] + }, + { + "bom-ref": "comp-390", + "type": "application", + "name": "busybox", + "version": "1.21.0-1ubuntu1.4", + "purl": "pkg:deb/ubuntu/busybox@1.21.0-1ubuntu1.4?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-392", + "type": "application", + "name": "busybox-initramfs", + "version": "1.21.0-1ubuntu1.4", + "purl": "pkg:deb/ubuntu/busybox-initramfs@1.21.0-1ubuntu1.4?arch=amd64&distro=14.04&epoch=1&source=busybox" + } + ] + }, + { + "bom-ref": "comp-393", + "type": "application", + "name": "libselinux", + "version": "2.2.2-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/libselinux@2.2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-395", + "type": "application", + "name": "libselinux1", + "version": "2.2.2-1ubuntu0.1", + "purl": "pkg:deb/ubuntu/libselinux1@2.2.2-1ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=libselinux" + } + ] + }, + { + "bom-ref": "comp-396", + "type": "application", + "name": "cpio", + "version": "2.11+dfsg-1ubuntu1.2", + "purl": "pkg:deb/ubuntu/cpio@2.11%2Bdfsg-1ubuntu1.2?arch=amd64&distro=14.04&epoch=0" + }, + { + "bom-ref": "comp-397", + "type": "application", + "name": "shadow", + "version": "4.1.5.1-1ubuntu9.5", + "purl": "pkg:deb/ubuntu/shadow@4.1.5.1-1ubuntu9.5?arch=amd64&distro=14.04&epoch=1", + "components": [ + { + "bom-ref": "comp-399", + "type": "application", + "name": "login", + "version": "4.1.5.1-1ubuntu9.5", + "purl": "pkg:deb/ubuntu/login@4.1.5.1-1ubuntu9.5?arch=amd64&distro=14.04&epoch=1&source=shadow" + }, + { + "bom-ref": "comp-401", + "type": "application", + "name": "passwd", + "version": "4.1.5.1-1ubuntu9.5", + "purl": "pkg:deb/ubuntu/passwd@4.1.5.1-1ubuntu9.5?arch=amd64&distro=14.04&epoch=1&source=shadow" + } + ] + }, + { + "bom-ref": "comp-402", + "type": "application", + "name": "libgpg-error", + "version": "1.12-0.2ubuntu1", + "purl": "pkg:deb/ubuntu/libgpg-error@1.12-0.2ubuntu1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-404", + "type": "application", + "name": "libgpg-error0", + "version": "1.12-0.2ubuntu1", + "purl": "pkg:deb/ubuntu/libgpg-error0@1.12-0.2ubuntu1?arch=amd64&distro=14.04&epoch=0&source=libgpg-error" + } + ] + }, + { + "bom-ref": "comp-405", + "type": "application", + "name": "langpack-locales", + "version": "2.13+git20120306-12.1", + "purl": "pkg:deb/ubuntu/langpack-locales@2.13%2Bgit20120306-12.1?arch=all&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-407", + "type": "application", + "name": "locales", + "version": "2.13+git20120306-12.1", + "purl": "pkg:deb/ubuntu/locales@2.13%2Bgit20120306-12.1?arch=all&distro=14.04&epoch=0&source=langpack-locales" + } + ] + }, + { + "bom-ref": "comp-408", + "type": "application", + "name": "e2fsprogs", + "version": "1.42.9-3ubuntu1.3", + "purl": "pkg:deb/ubuntu/e2fsprogs@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-410", + "type": "application", + "name": "e2fslibs", + "version": "1.42.9-3ubuntu1.3", + "purl": "pkg:deb/ubuntu/e2fslibs@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0&source=e2fsprogs" + }, + { + "bom-ref": "comp-412", + "type": "application", + "name": "libcomerr2", + "version": "1.42.9-3ubuntu1.3", + "purl": "pkg:deb/ubuntu/libcomerr2@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0&source=e2fsprogs" + }, + { + "bom-ref": "comp-414", + "type": "application", + "name": "libss2", + "version": "1.42.9-3ubuntu1.3", + "purl": "pkg:deb/ubuntu/libss2@1.42.9-3ubuntu1.3?arch=amd64&distro=14.04&epoch=0&source=e2fsprogs" + } + ] + }, + { + "bom-ref": "comp-415", + "type": "application", + "name": "cyrus-sasl2", + "version": "2.1.25.dfsg1-17build1", + "purl": "pkg:deb/ubuntu/cyrus-sasl2@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0", + "components": [ + { + "bom-ref": "comp-417", + "type": "application", + "name": "libsasl2-modules", + "version": "2.1.25.dfsg1-17build1", + "purl": "pkg:deb/ubuntu/libsasl2-modules@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0&source=cyrus-sasl2" + }, + { + "bom-ref": "comp-419", + "type": "application", + "name": "libsasl2-2", + "version": "2.1.25.dfsg1-17build1", + "purl": "pkg:deb/ubuntu/libsasl2-2@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0&source=cyrus-sasl2" + }, + { + "bom-ref": "comp-421", + "type": "application", + "name": "libsasl2-modules-db", + "version": "2.1.25.dfsg1-17build1", + "purl": "pkg:deb/ubuntu/libsasl2-modules-db@2.1.25.dfsg1-17build1?arch=amd64&distro=14.04&epoch=0&source=cyrus-sasl2" + } + ] + }, + { + "bom-ref": "comp-422", + "type": "library", + "name": "Python", + "version": "2.7.6", + "purl": "pkg:pypi/Python@2.7.6", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:source_path", + "value": "/usr/lib/python2.7/lib-dynload/Python-2.7.egg-info" + } + ] + }, + { + "bom-ref": "comp-423", + "type": "library", + "name": "ubuntu-advantage-tools", + "version": "19.6", + "purl": "pkg:pypi/ubuntu-advantage-tools@19.6", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:source_path", + "value": "/usr/lib/python3/dist-packages/ubuntu_advantage_tools-19.6.egg-info/PKG-INFO" + }, + { + "name": "amazon:inspector:sbom_generator:is_duplicate_package", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_generator:duplicate_purl", + "value": "pkg:deb/ubuntu/ubuntu-advantage-tools@19.6~ubuntu14.04.3?arch=amd64&distro=14.04&epoch=0" + } + ] + }, + { + "bom-ref": "comp-424", + "type": "library", + "name": "PyYAML", + "version": "3.10", + "purl": "pkg:pypi/PyYAML@3.10", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:source_path", + "value": "/usr/lib/python3/dist-packages/PyYAML-3.10.egg-info" + }, + { + "name": "amazon:inspector:sbom_generator:is_duplicate_package", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_generator:duplicate_purl", + "value": "pkg:deb/ubuntu/python3-yaml@3.10-4ubuntu0.1?arch=amd64&distro=14.04&epoch=0&source=pyyaml" + } + ] + }, + { + "bom-ref": "comp-425", + "type": "library", + "name": "argparse", + "version": "1.2.1", + "purl": "pkg:pypi/argparse@1.2.1", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:source_path", + "value": "/usr/lib/python2.7/argparse.egg-info" + } + ] + }, + { + "bom-ref": "comp-426", + "type": "library", + "name": "wsgiref", + "version": "0.1.2", + "purl": "pkg:pypi/wsgiref@0.1.2", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:source_path", + "value": "/usr/lib/python2.7/wsgiref.egg-info" + } + ] + }, + { + "bom-ref": "comp-427", + "type": "file", + "name": "dockerfile:comp-1.Dockerfile", + "properties": [ + { + "name": "amazon:inspector:sbom_generator:dockerfile_finding:IN-DOCKER-006-001", + "value": "affected_lines:2-2" + }, + { + "name": "amazon:inspector:sbom_generator:dockerfile_finding:IN-DOCKER-004", + "value": "affected_lines:8-8" + }, + { + "name": "amazon:inspector:sbom_generator:dockerfile_finding:IN-DOCKER-001", + "value": "affected_lines:7-7" + }, + { + "name": "amazon:inspector:sbom_generator:dockerfile_finding:IN-DOCKER-003", + "value": "affected_lines:6-6" + }, + { + "name": "amazon:inspector:sbom_generator:dockerfile_finding:IN-DOCKER-002", + "value": "affected_lines:4-4" + }, + { + "name": "amazon:inspector:sbom_generator:dockerfile_finding:IN-DOCKER-005-003", + "value": "affected_lines:3-3" + } + ] + } + ] +} diff --git a/entrypoint/tests/test_data/scans/alpine:3.18.2.json.scan b/entrypoint/tests/test_data/scans/alpine:3.18.2.json.scan index 4f1805a..cf0d48f 100644 --- a/entrypoint/tests/test_data/scans/alpine:3.18.2.json.scan +++ b/entrypoint/tests/test_data/scans/alpine:3.18.2.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -21,14 +21,18 @@ }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "6" + "value": "7" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "3" } ], - "timestamp": "2024-03-05T15:14:59.088Z" + "timestamp": "2024-05-22T15:40:52.181Z" }, "components": [ { @@ -45,7 +49,7 @@ "version": "3.4.3-r1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -58,7 +62,7 @@ "version": "2.4-r1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -91,7 +95,7 @@ "version": "20230506-r0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -104,7 +108,7 @@ "version": "0.7.2-r5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -137,7 +141,7 @@ "version": "1.3.7-r1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -156,161 +160,112 @@ ] } ], - "serialNumber": "urn:uuid:6065f019-32b2-4cc0-b374-2b52f1fad739", + "serialNumber": "urn:uuid:77391d29-86d6-4773-aafc-ea215ed270c9", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" - }, - { - "url": "https://www.openssl.org/news/secadv/20231106.txt" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6632-1" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://www.openssl.org/news/secadv/20240115.txt" }, { "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2447" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" } ], "bom-ref": "vuln-1", "ratings": [ { "severity": "none", - "score": 0.00079, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6237" } } ], - "created": "2023-11-06T16:15:42Z", - "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "created": "2024-04-25T07:15:45Z", + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "affects": [ { "ref": "comp-8" } ], - "id": "CVE-2023-5678", + "id": "CVE-2023-6237", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-30T22:15:09Z", + "updated": "2024-05-01T18:15:12Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.4-r1" + "value": "3.1.4-r4" } ] }, { "advisories": [ { - "url": "https://www.openssl.org/news/secadv/20240109.txt" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://bugs.busybox.net/show_bug.cgi?id=15874" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42366" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059053" } ], "bom-ref": "vuln-2", "ratings": [ { - "severity": "none", - "score": 0.00061, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366" } }, { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42366" } } ], - "created": "2024-01-09T17:15:12Z", - "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "created": "2023-11-27T23:15:07Z", + "description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.", "affects": [ { - "ref": "comp-8" + "ref": "comp-5" } ], - "id": "CVE-2023-6129", + "id": "CVE-2023-42366", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366" }, "cwes": [ 787 @@ -318,36 +273,36 @@ "analysis": { "state": "in_triage" }, - "updated": "2024-02-16T13:15:09Z", + "updated": "2023-11-30T05:08:23Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.4-r3" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", + "value": "1.36.1-r6" } ] }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5" }, { - "url": "https://security.gentoo.org/glsa/202402-08" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb" + "url": "https://security.gentoo.org/glsa/202402-08" }, { - "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644" }, { - "url": "https://www.openssl.org/news/secadv/20230719.txt" + "url": "https://www.openssl.org/news/secadv/20230731.txt" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528" + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5" }, { "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-306.html" @@ -356,10 +311,10 @@ "url": "https://access.redhat.com/errata/RHSA-2023:7626" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3446" + "url": "https://access.redhat.com/errata/RHSA-2023:7625" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7625" + "url": "https://access.redhat.com/errata/RHSA-2023:5931" }, { "url": "https://access.redhat.com/errata/RHSA-2023:7877" @@ -383,16 +338,16 @@ "url": "https://ubuntu.com/security/notices/USN-6435-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0888" + "url": "https://access.redhat.com/errata/RHSA-2024:0208" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://ubuntu.com/security/notices/USN-6709-1" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041817" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3817" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0408" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" }, { "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-003.html" @@ -400,6 +355,18 @@ { "url": "https://access.redhat.com/errata/RHSA-2024:0154" }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3817" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2205.html" + }, { "url": "https://alas.aws.amazon.com/ALAS-2023-1843.html" }, @@ -411,12 +378,12 @@ "ratings": [ { "severity": "none", - "score": 0.00215, + "score": 0.0013, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-3817" } }, { @@ -426,104 +393,108 @@ "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817" } } ], - "created": "2023-07-19T12:15:10Z", - "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "created": "2023-07-31T16:15:10Z", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", "affects": [ { "ref": "comp-8" } ], - "id": "CVE-2023-3446", + "id": "CVE-2023-3817", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817" }, "cwes": [ - 1333 + 834 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-04T09:15:09Z", + "updated": "2024-02-04T09:15:10Z", "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-01T16:50:04Z" - }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.1-r3" + "value": "3.1.2-r0" } ] }, { "advisories": [ { - "url": "https://bugs.busybox.net/show_bug.cgi?id=15216" + "url": "https://security.gentoo.org/glsa/202402-08" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48174" + "url": "https://www.openssl.org/news/secadv/20230714.txt" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:5178" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc" }, { - "url": "https://ubuntu.com/security/notices/USN-6335-1" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-306.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6450-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041818" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2975" } ], "bom-ref": "vuln-4", "ratings": [ { - "severity": "critical", - "score": 9.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "severity": "none", + "score": 0.00324, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2975" } }, { - "severity": "none", - "score": 0.00134, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975" } } ], - "created": "2023-08-22T19:16:31Z", - "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", + "created": "2023-07-14T12:15:09Z", + "description": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.", "affects": [ { - "ref": "comp-5" + "ref": "comp-8" } ], - "id": "CVE-2022-48174", + "id": "CVE-2023-2975", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975" }, "cwes": [ - 787 + 287 ], "analysis": { "state": "exploitable" }, - "updated": "2023-08-28T18:53:37Z", + "updated": "2024-02-04T09:15:09Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -531,83 +502,74 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-26T21:51:13Z" + "value": "2024-05-18T04:18:41Z" }, { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", - "value": "1.36.1-r1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.1-r2" } ] }, { "advisories": [ { - "url": "https://security.gentoo.org/glsa/202402-08" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598" - }, - { - "url": "https://www.openssl.org/news/secadv/20230714.txt" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc" + "url": "https://bugs.busybox.net/show_bug.cgi?id=15216" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-306.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2975" + "url": "https://access.redhat.com/errata/RHSA-2023:5178" }, { - "url": "https://ubuntu.com/security/notices/USN-6450-1" + "url": "https://ubuntu.com/security/notices/USN-6335-1" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041818" + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48174" } ], "bom-ref": "vuln-5", "ratings": [ { - "severity": "medium", - "score": 5.3, + "severity": "critical", + "score": 9.8, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174" } }, { "severity": "none", - "score": 0.00324, + "score": 0.00134, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48174" } } ], - "created": "2023-07-14T12:15:09Z", - "description": "Issue summary: The AES-SIV cipher implementation contains a bug that causes\nit to ignore empty associated data entries which are unauthenticated as\na consequence.\n\nImpact summary: Applications that use the AES-SIV algorithm and want to\nauthenticate empty data entries as associated data can be mislead by removing\nadding or reordering such empty entries as these are ignored by the OpenSSL\nimplementation. We are currently unaware of any such applications.\n\nThe AES-SIV algorithm allows for authentication of multiple associated\ndata entries along with the encryption. To authenticate empty data the\napplication has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with\nNULL pointer as the output buffer and 0 as the input buffer length.\nThe AES-SIV implementation in OpenSSL just returns success for such a call\ninstead of performing the associated data authentication operation.\nThe empty data thus will not be authenticated.\n\nAs this issue does not affect non-empty associated data authentication and\nwe expect it to be rare for an application to use empty associated data\nentries this is qualified as Low severity issue.", + "created": "2023-08-22T19:16:31Z", + "description": "There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.", "affects": [ { - "ref": "comp-8" + "ref": "comp-5" } ], - "id": "CVE-2023-2975", + "id": "CVE-2022-48174", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2975" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48174" }, "cwes": [ - 287 + 787 ], "analysis": { "state": "exploitable" }, - "updated": "2024-02-04T09:15:09Z", + "updated": "2023-08-28T18:53:37Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -615,159 +577,456 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-29T17:38:03Z" + "value": "2024-05-18T18:45:34Z" }, { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.1-r2" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", + "value": "1.36.1-r1" } ] }, { "advisories": [ { - "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" }, { - "url": "https://www.openssl.org/news/secadv/20240125.txt" + "url": "https://www.openssl.org/news/secadv/20231106.txt" }, { - "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" }, { "url": "https://ubuntu.com/security/notices/USN-6632-1" }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1318" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, { "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + "url": "https://access.redhat.com/errata/RHSA-2024:1319" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727" + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1325" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" } ], "bom-ref": "vuln-6", "ratings": [ { - "severity": "none", - "score": 0.00228, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" } }, { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5678" } } ], - "created": "2024-01-26T09:15:07Z", - "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "created": "2023-11-06T16:15:42Z", + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", "affects": [ { "ref": "comp-8" } ], - "id": "CVE-2024-0727", + "id": "CVE-2023-5678", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" }, + "cwes": [ + 754 + ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-08T10:15:13Z", + "updated": "2024-05-01T18:15:12Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.4-r5" + "value": "3.1.4-r1" } ] }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee" + "url": "https://security.gentoo.org/glsa/202402-08" }, { - "url": "https://www.openssl.org/news/secadv/20231024.txt" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb" }, { - "url": "https://www.debian.org/security/2023/dsa-5532" + "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-406.html" + "url": "https://www.openssl.org/news/secadv/20230719.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-306.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7626" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7625" }, { "url": "https://ubuntu.com/security/notices/USN-6450-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0310" + "url": "https://access.redhat.com/errata/RHSA-2023:7623" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://access.redhat.com/errata/RHSA-2023:7622" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363" + "url": "https://access.redhat.com/errata/RHSA-2024:2264" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0500" + "url": "https://ubuntu.com/security/notices/USN-6435-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6435-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041817" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-003.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2226.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2246.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3446" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0888" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0408" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1415" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1843.html" } ], "bom-ref": "vuln-7", "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446" + } + }, { "severity": "none", - "score": 0.00115, + "score": 0.00215, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-3446" } + } + ], + "created": "2023-07-19T12:15:10Z", + "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "affects": [ + { + "ref": "comp-8" + } + ], + "id": "CVE-2023-3446", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446" + }, + "cwes": [ + 1333 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-04T09:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "severity": "high", - "score": 7.5, + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T07:36:55Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.1-r3" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240516.txt" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-4603" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4603" + } + } + ], + "created": "2024-05-16T16:15:10Z", + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-8" + } + ], + "id": "CVE-2024-4603", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:36:31Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.5-r0" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240109.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "none", + "score": 0.00194, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6129" + } + }, + { + "severity": "medium", + "score": 6.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" } } ], - "created": "2023-10-25T18:17:43Z", - "description": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.", + "created": "2024-01-09T17:15:12Z", + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", "affects": [ { "ref": "comp-8" } ], - "id": "CVE-2023-5363", + "id": "CVE-2023-6129", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.4-r3" + } + ] + }, + { + "advisories": [ + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2539.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068658" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2511" + } + ], + "bom-ref": "vuln-10", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2511" + } + } + ], + "created": "2024-04-08T14:15:07Z", + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "affects": [ + { + "ref": "comp-8" + } + ], + "id": "CVE-2024-2511", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511" }, "analysis": { "state": "exploitable" }, - "updated": "2024-02-01T17:15:08Z", + "updated": "2024-05-03T13:15:21Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -775,144 +1034,192 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T14:06:54Z" + "value": "2024-05-21T01:00:19Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.4-r0" + "value": "3.1.4-r6" } ] }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5" + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f" + "url": "https://www.openssl.org/news/secadv/20240125.txt" }, { - "url": "https://security.gentoo.org/glsa/202402-08" + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" }, { - "url": "https://www.openssl.org/news/secadv/20230731.txt" + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-005.html" }, { - "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2478.html" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5" + "url": "https://ubuntu.com/security/notices/USN-6632-1" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-306.html" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7626" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2479.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7625" + "url": "https://ubuntu.com/security/notices/USN-6709-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:5931" + "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" }, { - "url": "https://ubuntu.com/security/notices/USN-6450-1" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7623" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7622" - }, + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + } + ], + "bom-ref": "vuln-11", + "ratings": [ { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2246.html" + "severity": "none", + "score": 0.00228, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0727" + } }, { - "url": "https://ubuntu.com/security/notices/USN-6435-2" - }, + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + } + } + ], + "created": "2024-01-26T09:15:07Z", + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6435-1" + "ref": "comp-8" + } + ], + "id": "CVE-2024-0727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.4-r5" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-003.html" + "url": "https://www.openssl.org/news/secadv/20231024.txt" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://www.debian.org/security/2023/dsa-5532" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-406.html" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-3817" + "url": "https://ubuntu.com/security/notices/USN-6450-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3817" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5363" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2205.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1843.html" + "url": "https://access.redhat.com/errata/RHSA-2024:0310" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2226.html" + "url": "https://access.redhat.com/errata/RHSA-2024:0500" } ], - "bom-ref": "vuln-8", + "bom-ref": "vuln-12", "ratings": [ { - "severity": "medium", - "score": 5.3, + "severity": "high", + "score": 7.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" } }, { "severity": "none", - "score": 0.0013, + "score": 0.00115, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5363" } } ], - "created": "2023-07-31T16:15:10Z", - "description": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.", + "created": "2023-10-25T18:17:43Z", + "description": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.", "affects": [ { "ref": "comp-8" } ], - "id": "CVE-2023-3817", + "id": "CVE-2023-5363", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" }, - "cwes": [ - 834 - ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-04T09:15:10Z", + "updated": "2024-02-01T17:15:08Z", "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T13:06:32Z" + }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", - "value": "3.1.2-r0" + "value": "3.1.4-r0" } ] } diff --git a/entrypoint/tests/test_data/scans/alpine:latest.json b/entrypoint/tests/test_data/scans/alpine:latest.json deleted file mode 100644 index 399a6a6..0000000 --- a/entrypoint/tests/test_data/scans/alpine:latest.json +++ /dev/null @@ -1,52 +0,0 @@ -{ - "sbom": { - "messages": [ - { - "purl": "pkg:apk/alpine/zlib@1.3.1-r0?arch=x86_64&distro=3.19.1", - "info_message": "Component scanned: no vulnerabilities found." - }, - { - "purl": "pkg:apk/alpine/apk-tools@2.14.0-r5?arch=x86_64&distro=3.19.1", - "info_message": "Component scanned: no vulnerabilities found." - }, - { - "purl": "pkg:apk/alpine/alpine-baselayout@3.4.3-r2?arch=x86_64&distro=3.19.1", - "info_message": "Component skipped: no rules found." - }, - { - "purl": "pkg:apk/alpine/musl@1.2.4_git20230717-r4?arch=x86_64&distro=3.19.1", - "info_message": "Component scanned: no vulnerabilities found." - }, - { - "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64&distro=3.19.1", - "info_message": "Component scanned: no vulnerabilities found." - }, - { - "purl": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.19.1", - "info_message": "Component skipped: no rules found." - }, - { - "purl": "pkg:apk/alpine/busybox@1.36.1-r15?arch=x86_64&distro=3.19.1", - "info_message": "Component scanned: no vulnerabilities found." - }, - { - "purl": "pkg:apk/alpine/ca-certificates@20230506-r0?arch=x86_64&distro=3.19.1", - "info_message": "Component skipped: no rules found." - }, - { - "purl": "pkg:apk/alpine/pax-utils@1.3.7-r2?arch=x86_64&distro=3.19.1", - "info_message": "Component skipped: no rules found." - }, - { - "purl": "pkg:apk/alpine/libc-dev@0.7.2-r5?arch=x86_64&distro=3.19.1", - "info_message": "Component skipped: no rules found." - } - ], - "vulnerability_count": { - "high": 0, - "critical": 0, - "low": 0, - "medium": 0 - } - } -} diff --git a/entrypoint/tests/test_data/scans/alpine:latest.json.scan b/entrypoint/tests/test_data/scans/alpine:latest.json.scan index e6bff8d..801605e 100644 --- a/entrypoint/tests/test_data/scans/alpine:latest.json.scan +++ b/entrypoint/tests/test_data/scans/alpine:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -21,14 +21,18 @@ }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "0" + "value": "2" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "2" } ], - "timestamp": "2024-03-05T15:15:00.144Z" + "timestamp": "2024-05-22T15:40:53.312Z" }, "components": [ { @@ -45,7 +49,7 @@ "version": "3.4.3-r2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -58,7 +62,7 @@ "version": "2.4-r1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -81,13 +85,7 @@ "name": "busybox", "purl": "pkg:apk/alpine/busybox@1.36.1-r15?arch=x86_64&distro=3.19.1", "type": "application", - "version": "1.36.1-r15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.36.1-r15" }, { "bom-ref": "comp-6", @@ -97,7 +95,7 @@ "version": "20230506-r0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -110,7 +108,7 @@ "version": "0.7.2-r5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -120,13 +118,7 @@ "name": "openssl", "purl": "pkg:apk/alpine/openssl@3.1.4-r5?arch=x86_64&distro=3.19.1", "type": "application", - "version": "3.1.4-r5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "3.1.4-r5" }, { "bom-ref": "comp-9", @@ -149,7 +141,7 @@ "version": "1.3.7-r2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -168,7 +160,241 @@ ] } ], - "serialNumber": "urn:uuid:3fb974ba-9724-4b8c-b019-401ab657eab0", - "bomFormat": "CycloneDX" + "serialNumber": "urn:uuid:5d7083df-d983-49a9-9bef-d637e8c5776c", + "bomFormat": "CycloneDX", + "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15865" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059050" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42363" + } + ], + "bom-ref": "vuln-1", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42363" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42363" + } + } + ], + "created": "2023-11-27T22:15:07Z", + "description": "A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.", + "affects": [ + { + "ref": "comp-5" + } + ], + "id": "CVE-2023-42363", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42363" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-30T05:06:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", + "value": "1.36.1-r17" + } + ] + }, + { + "advisories": [ + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2539.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068658" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2511" + } + ], + "bom-ref": "vuln-2", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2511" + } + } + ], + "created": "2024-04-08T14:15:07Z", + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "affects": [ + { + "ref": "comp-8" + } + ], + "id": "CVE-2024-2511", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-03T13:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:00:19Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.4-r6" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240516.txt" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-4603" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-3", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4603" + } + } + ], + "created": "2024-05-16T16:15:10Z", + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-8" + } + ], + "id": "CVE-2024-4603", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:36:31Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "3.1.5-r0" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.busybox.net/show_bug.cgi?id=15874" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42366" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059053" + } + ], + "bom-ref": "vuln-4", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42366" + } + } + ], + "created": "2023-11-27T23:15:07Z", + "description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.", + "affects": [ + { + "ref": "comp-5" + } + ], + "id": "CVE-2023-42366", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42366" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-30T05:08:23Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", + "value": "1.36.1-r16" + } + ] + } + ] } } diff --git a/entrypoint/tests/test_data/scans/amazonlinux:latest.json.scan b/entrypoint/tests/test_data/scans/amazonlinux:latest.json.scan index 790b6dc..6448852 100644 --- a/entrypoint/tests/test_data/scans/amazonlinux:latest.json.scan +++ b/entrypoint/tests/test_data/scans/amazonlinux:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -21,14 +21,18 @@ }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "0" + "value": "5" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", - "value": "0" + "value": "1" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "11" } ], - "timestamp": "2024-03-05T15:15:01.329Z" + "timestamp": "2024-05-22T15:40:54.491Z" }, "components": [ { @@ -45,7 +49,7 @@ "version": "2024a-1.amzn2023.0.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -55,13 +59,7 @@ "name": "ncurses-base", "purl": "pkg:rpm/amazon/ncurses-base@6.2-4.20200222.amzn2023.0.5?arch=noarch&distro=2023&epoch=0", "type": "application", - "version": "6.2-4.20200222.amzn2023.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "6.2-4.20200222.amzn2023.0.5" }, { "bom-ref": "comp-4", @@ -71,7 +69,7 @@ "version": "6.2-4.20200222.amzn2023.0.5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -81,26 +79,14 @@ "name": "ncurses-libs", "purl": "pkg:rpm/amazon/ncurses-libs@6.2-4.20200222.amzn2023.0.5?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "6.2-4.20200222.amzn2023.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "6.2-4.20200222.amzn2023.0.5" }, { "bom-ref": "comp-6", "name": "ncurses", "purl": "pkg:rpm/amazon/ncurses@6.2-4.20200222.amzn2023.0.5?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "6.2-4.20200222.amzn2023.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "6.2-4.20200222.amzn2023.0.5" }, { "bom-ref": "comp-7", @@ -110,7 +96,7 @@ "version": "2.13.7-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -123,7 +109,7 @@ "version": "11-11.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -133,26 +119,14 @@ "name": "glibc-common", "purl": "pkg:rpm/amazon/glibc-common@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "2.34-52.amzn2023.0.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.34-52.amzn2023.0.7" }, { "bom-ref": "comp-10", "name": "glibc", "purl": "pkg:rpm/amazon/glibc@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "2.34-52.amzn2023.0.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.34-52.amzn2023.0.7" }, { "bom-ref": "comp-11", @@ -266,7 +240,7 @@ "version": "0.188-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -279,7 +253,7 @@ "version": "0.188-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -292,7 +266,7 @@ "version": "3.4.4-1.amzn2023.0.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -305,7 +279,7 @@ "version": "8.1-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -318,7 +292,7 @@ "version": "2.5.5-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -328,13 +302,7 @@ "name": "expat", "purl": "pkg:rpm/amazon/expat@2.5.0-1.amzn2023.0.3?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "2.5.0-1.amzn2023.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.5.0-1.amzn2023.0.3" }, { "bom-ref": "comp-25", @@ -344,7 +312,7 @@ "version": "2.5.1-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -357,7 +325,7 @@ "version": "2.5.1-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -370,7 +338,7 @@ "version": "0.1.18-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -383,7 +351,7 @@ "version": "1.10.2-1.amzn2023.0.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -396,7 +364,7 @@ "version": "0.8.2-4.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -409,7 +377,7 @@ "version": "0.3.2-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -435,7 +403,7 @@ "version": "1.6-6.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -448,7 +416,7 @@ "version": "1.15.1-6.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -461,7 +429,7 @@ "version": "1.15-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -474,7 +442,7 @@ "version": "1.15-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -487,7 +455,7 @@ "version": "0.24.1-2.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -500,7 +468,7 @@ "version": "0.24.1-2.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -539,7 +507,7 @@ "version": "0.2.5-5.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -552,7 +520,7 @@ "version": "2.3.2-1.amzn2023.0.5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -565,7 +533,7 @@ "version": "0.188-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -578,7 +546,7 @@ "version": "0.188-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -591,7 +559,7 @@ "version": "2.15.2-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -604,7 +572,7 @@ "version": "2.15.2-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -630,7 +598,7 @@ "version": "10.40-1.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -643,7 +611,7 @@ "version": "3.4-5.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -656,7 +624,7 @@ "version": "4.8-7.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -718,26 +686,14 @@ "name": "libcurl-minimal", "purl": "pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "8.5.0-1.amzn2023.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "8.5.0-1.amzn2023.0.1" }, { "bom-ref": "comp-55", "name": "curl", "purl": "pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "8.5.0-1.amzn2023.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "8.5.0-1.amzn2023.0.1" }, { "bom-ref": "comp-56", @@ -747,7 +703,7 @@ "version": "1.14.2-1.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -757,26 +713,14 @@ "name": "rpm-libs", "purl": "pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "4.16.1.3-12.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "4.16.1.3-12.amzn2023.0.6" }, { "bom-ref": "comp-58", "name": "rpm", "purl": "pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "4.16.1.3-12.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "4.16.1.3-12.amzn2023.0.6" }, { "bom-ref": "comp-59", @@ -799,7 +743,7 @@ "version": "0.67.0-1.amzn2023.0.5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -809,13 +753,7 @@ "name": "rpm-sign-libs", "purl": "pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "4.16.1.3-12.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "4.16.1.3-12.amzn2023.0.6" }, { "bom-ref": "comp-62", @@ -838,7 +776,7 @@ "version": "59.6.0-2.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -848,13 +786,7 @@ "name": "python3-libs", "purl": "pkg:rpm/amazon/python3-libs@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "3.9.16-1.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "3.9.16-1.amzn2023.0.6" }, { "bom-ref": "comp-65", @@ -864,7 +796,7 @@ "version": "3.9.16-1.amzn2023.0.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -877,7 +809,7 @@ "version": "0.67.0-1.amzn2023.0.5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -887,13 +819,7 @@ "name": "python3-rpm", "purl": "pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "4.16.1.3-12.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "4.16.1.3-12.amzn2023.0.6" }, { "bom-ref": "comp-68", @@ -903,7 +829,7 @@ "version": "4.12.0-2.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -916,7 +842,7 @@ "version": "4.12.0-2.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -929,7 +855,7 @@ "version": "4.12.0-2.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -968,7 +894,7 @@ "version": "20220428-1.gitdfb10ea.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -981,7 +907,7 @@ "version": "2023.3.20240219-0.amzn2023", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -994,7 +920,7 @@ "version": "2023.3.20240219-0.amzn2023", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1007,7 +933,7 @@ "version": "3.14-5.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1030,13 +956,7 @@ "name": "glibc-minimal-langpack", "purl": "pkg:rpm/amazon/glibc-minimal-langpack@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "2.34-52.amzn2023.0.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.34-52.amzn2023.0.7" }, { "bom-ref": "comp-79", @@ -1059,7 +979,7 @@ "version": "1.0.8-6.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1072,7 +992,7 @@ "version": "1.0.8-6.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1111,7 +1031,7 @@ "version": "1.18-6.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1124,7 +1044,7 @@ "version": "1.42-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1215,7 +1135,7 @@ "version": "2.3.1-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1228,7 +1148,7 @@ "version": "2.3.1-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1241,7 +1161,7 @@ "version": "4.1.0-7.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1267,7 +1187,7 @@ "version": "3.0.6-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1280,7 +1200,7 @@ "version": "3.0.6-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1290,26 +1210,14 @@ "name": "libnghttp2", "purl": "pkg:rpm/amazon/libnghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "1.57.0-1.amzn2023.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.57.0-1.amzn2023.0.1" }, { "bom-ref": "comp-99", "name": "nghttp2", "purl": "pkg:rpm/amazon/nghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "1.57.0-1.amzn2023.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.57.0-1.amzn2023.0.1" }, { "bom-ref": "comp-100", @@ -1371,7 +1279,7 @@ "version": "4.4.33-7.amzn2023", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1397,7 +1305,7 @@ "version": "2.13-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1436,7 +1344,7 @@ "version": "1.19-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1449,7 +1357,7 @@ "version": "1.19-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1462,7 +1370,7 @@ "version": "0.9.10-10.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1475,7 +1383,7 @@ "version": "1.6.3-1.amzn2023.0.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1488,7 +1396,7 @@ "version": "1.6.3-1.amzn2023.0.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1501,7 +1409,7 @@ "version": "0.188-3.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1514,7 +1422,7 @@ "version": "4.12.0-2.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1540,7 +1448,7 @@ "version": "8.32-30.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1553,7 +1461,7 @@ "version": "8.32-30.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1579,7 +1487,7 @@ "version": "3.8-1.amzn2023.0.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1615,13 +1523,7 @@ "name": "krb5-libs", "purl": "pkg:rpm/amazon/krb5-libs@1.21-3.amzn2023.0.3?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "1.21-3.amzn2023.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.21-3.amzn2023.0.3" }, { "bom-ref": "comp-124", @@ -1631,7 +1533,7 @@ "version": "1.21-3.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1641,13 +1543,7 @@ "name": "curl-minimal", "purl": "pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "8.5.0-1.amzn2023.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "8.5.0-1.amzn2023.0.1" }, { "bom-ref": "comp-126", @@ -1670,7 +1566,7 @@ "version": "2.13.0-2.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1680,13 +1576,7 @@ "name": "rpm-build-libs", "purl": "pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "4.16.1.3-12.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "4.16.1.3-12.amzn2023.0.6" }, { "bom-ref": "comp-129", @@ -1709,7 +1599,7 @@ "version": "21.3.1-2.amzn2023.0.7", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1719,13 +1609,7 @@ "name": "python3", "purl": "pkg:rpm/amazon/python3@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0", "type": "application", - "version": "3.9.16-1.amzn2023.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "3.9.16-1.amzn2023.0.6" }, { "bom-ref": "comp-132", @@ -1735,7 +1619,7 @@ "version": "0.67.0-1.amzn2023.0.5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1748,7 +1632,7 @@ "version": "0.1.18-1.amzn2023.0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1761,7 +1645,7 @@ "version": "1.15.1-6.amzn2023.0.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1774,13 +1658,1767 @@ "version": "d832c631-6515c85e", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] } ], - "serialNumber": "urn:uuid:2085d711-8582-48c7-8c0b-0a36a3ab76bb", - "bomFormat": "CycloneDX" + "serialNumber": "urn:uuid:cbb2f73a-09ce-4b85-88e9-d767fb5f08fc", + "bomFormat": "CycloneDX", + "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/" + }, + { + "url": "https://hackerone.com/reports/2212193" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5587" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6535-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-46218" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-606.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0428" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6641-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2531.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057646" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0452" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0434" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1601" + } + ], + "bom-ref": "vuln-1", + "references": [ + { + "id": "ALAS2023-2024-606", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-606.html" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00071, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46218" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2023-46218.json" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46218" + } + } + ], + "created": "2023-12-07T01:15:07Z", + "description": "This flaw allows a malicious HTTP server to set \"super cookies\" in curl that\nare then passed back to more origins than what is otherwise allowed or\npossible. This allows a site to set cookies that then would get sent to\ndifferent and unrelated sites and domains.\n\nIt could do this by exploiting a mixed case flaw in curl's function that\nverifies a given cookie domain against the Public Suffix List (PSL). For\nexample a cookie could be set with `domain=co.UK` when the URL used a lower\ncase hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.\n", + "affects": [ + { + "ref": "comp-125" + }, + { + "ref": "comp-54" + }, + { + "ref": "comp-55" + } + ], + "id": "CVE-2023-46218", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46218" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-01-25T14:15:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T13:08:30Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-125", + "value": "0:8.5.0-1.amzn2023.0.2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:8.5.0-1.amzn2023.0.2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-55", + "value": "0:8.5.0-1.amzn2023.0.2" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-45918" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2482.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-554.html" + } + ], + "bom-ref": "vuln-2", + "references": [ + { + "id": "ALAS2023-2024-554", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-554.html" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45918" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2023-45918.json" + } + } + ], + "created": "2024-02-16T22:15:07Z", + "description": "ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c.", + "affects": [ + { + "ref": "comp-6" + }, + { + "ref": "comp-5" + }, + { + "ref": "comp-3" + } + ], + "id": "CVE-2023-45918", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45918" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-15T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-6", + "value": "0:6.2-4.20200222.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", + "value": "0:6.2-4.20200222.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-3", + "value": "0:6.2-4.20200222.amzn2023.0.6" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2021-35939" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964129" + }, + { + "url": "https://security.gentoo.org/glsa/202210-22" + }, + { + "url": "https://rpm.org/wiki/Releases/4.18.0" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0647" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-573.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-35939" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0463" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0453" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-35939" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0435" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0424" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990543" + } + ], + "bom-ref": "vuln-3", + "references": [ + { + "id": "ALAS2023-2024-573", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-573.html" + } + } + ], + "created": "2022-08-26T16:15:08Z", + "description": "It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "affects": [ + { + "ref": "comp-128" + }, + { + "ref": "comp-58" + }, + { + "ref": "comp-61" + }, + { + "ref": "comp-57" + }, + { + "ref": "comp-67" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35939" + }, + "cwes": [ + 59 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2021-35939.json" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35939" + } + }, + { + "severity": "none", + "score": 0.00075, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35939" + } + } + ], + "id": "CVE-2021-35939", + "updated": "2023-02-04T01:16:51Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-128", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-58", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-61", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-67", + "value": "0:4.16.1.3-29.amzn2023.0.6" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2402845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-4", + "references": [ + { + "id": "ALAS2023-2024-596", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-2398.json" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ + { + "ref": "comp-54" + }, + { + "ref": "comp-55" + }, + { + "ref": "comp-125" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:8.5.0-1.amzn2023.0.4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-55", + "value": "0:8.5.0-1.amzn2023.0.4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-125", + "value": "0:8.5.0-1.amzn2023.0.4" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-5", + "references": [ + { + "id": "ALAS2023-2024-589", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-10" + }, + { + "ref": "comp-9" + }, + { + "ref": "comp-78" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + }, + { + "severity": "high", + "score": 8.2, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-2961.json" + } + } + ], + "id": "CVE-2024-2961", + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-10", + "value": "0:2.34-52.amzn2023.0.10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-9", + "value": "0:2.34-52.amzn2023.0.10" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-78", + "value": "0:2.34-52.amzn2023.0.10" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064965" + }, + { + "url": "https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-586.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26462" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26462" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-26462.json" + } + } + ], + "created": "2024-02-29T01:44:18Z", + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.", + "affects": [ + { + "ref": "comp-123" + } + ], + "id": "CVE-2024-26462", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26462" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T15:09:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-123", + "value": "0:1.21-3.amzn2023.0.4" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064965" + }, + { + "url": "https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-586.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26461" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2512.html" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26461" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-26461.json" + } + } + ], + "created": "2024-02-29T01:44:18Z", + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.", + "affects": [ + { + "ref": "comp-123" + } + ], + "id": "CVE-2024-26461", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26461" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T15:09:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-123", + "value": "0:1.21-3.amzn2023.0.4" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2021-35938" + }, + { + "url": "https://rpm.org/wiki/Releases/4.18.0" + }, + { + "url": "https://security.gentoo.org/glsa/202210-22" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964114" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1157880" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0647" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-573.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0463" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-35938" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0453" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0435" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0424" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00075, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35938" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2021-35938.json" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938" + } + } + ], + "created": "2022-08-25T20:15:09Z", + "description": "A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "affects": [ + { + "ref": "comp-128" + }, + { + "ref": "comp-58" + }, + { + "ref": "comp-61" + }, + { + "ref": "comp-57" + }, + { + "ref": "comp-67" + } + ], + "id": "CVE-2021-35938", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35938" + }, + "cwes": [ + 59 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-11-29T18:06:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-128", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-58", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-61", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-67", + "value": "0:4.16.1.3-29.amzn2023.0.6" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2384833" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-2004.json" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "affects": [ + { + "ref": "comp-54" + }, + { + "ref": "comp-55" + }, + { + "ref": "comp-125" + } + ], + "id": "CVE-2024-2004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T17:15:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:8.5.0-1.amzn2023.0.4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-55", + "value": "0:8.5.0-1.amzn2023.0.4" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-125", + "value": "0:8.5.0-1.amzn2023.0.4" + } + ] + }, + { + "advisories": [ + { + "url": "https://hackerone.com/reports/2298922" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0853" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-581.html" + } + ], + "bom-ref": "vuln-10", + "references": [ + { + "id": "ALAS2023-2024-581", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-581.html" + } + } + ], + "created": "2024-02-03T14:15:50Z", + "description": "curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.", + "affects": [ + { + "ref": "comp-55" + }, + { + "ref": "comp-125" + }, + { + "ref": "comp-54" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0853" + }, + "cwes": [ + 295 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0853" + } + }, + { + "severity": "none", + "score": 0.00058, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0853" + } + }, + { + "severity": "low", + "score": 3.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-0853.json" + } + } + ], + "id": "CVE-2024-0853", + "updated": "2024-05-03T13:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T20:41:40Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-55", + "value": "0:8.5.0-1.amzn2023.0.3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-125", + "value": "0:8.5.0-1.amzn2023.0.3" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:8.5.0-1.amzn2023.0.3" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065868" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-576.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1530" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6694-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28757" + } + ], + "bom-ref": "vuln-11", + "references": [ + { + "id": "ALAS2023-2024-576", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-576.html" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28757" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-28757.json" + } + } + ], + "created": "2024-03-10T05:15:06Z", + "description": "libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-28757", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28757" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T19:15:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T01:55:59Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:2.5.0-1.amzn2023.0.4" + } + ] + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1936.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6597" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070135" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-616.html" + }, + { + "url": "https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-617.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2541.html" + }, + { + "url": "https://seclists.org/oss-sec/2024/q1/240" + } + ], + "bom-ref": "vuln-12", + "references": [ + { + "id": "ALAS2023-2024-616", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-616.html" + } + } + ], + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2023-6597.json" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6597" + } + } + ], + "created": "2024-03-19T16:15:08Z", + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "affects": [ + { + "ref": "comp-64" + }, + { + "ref": "comp-131" + } + ], + "id": "CVE-2023-6597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-64", + "value": "0:3.9.16-1.amzn2023.0.8" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:3.9.16-1.amzn2023.0.8" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2910" + } + ], + "bom-ref": "vuln-13", + "references": [ + { + "id": "ALAS2023-2024-592", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + } + } + ], + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", + "affects": [ + { + "ref": "comp-99" + }, + { + "ref": "comp-98" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-28182.json" + } + } + ], + "id": "CVE-2024-28182", + "updated": "2024-05-01T18:15:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:1.59.0-3.amzn2023.0.1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-98", + "value": "0:1.59.0-3.amzn2023.0.1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064965" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26458" + }, + { + "url": "https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-586.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2512.html" + } + ], + "bom-ref": "vuln-14", + "references": [ + { + "id": "ALAS2023-2024-586", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-586.html" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26458" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-26458.json" + } + } + ], + "created": "2024-02-29T01:44:18Z", + "description": "Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.", + "affects": [ + { + "ref": "comp-123" + } + ], + "id": "CVE-2024-26458", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26458" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T15:09:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-123", + "value": "0:1.21-3.amzn2023.0.4" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2021-35937" + }, + { + "url": "https://rpm.org/wiki/Releases/4.18.0" + }, + { + "url": "https://security.gentoo.org/glsa/202210-22" + }, + { + "url": "https://www.usenix.org/legacy/event/sec05/tech/full_papers/borisov/borisov.pdf" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1964125" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-35937" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0647" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-573.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-35937" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0463" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0453" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0435" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0424" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990543" + } + ], + "bom-ref": "vuln-15", + "ratings": [ + { + "severity": "none", + "score": 0.00086, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-35937" + } + }, + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2021-35937.json" + } + }, + { + "severity": "medium", + "score": 6.4, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35937" + } + } + ], + "created": "2022-08-25T20:15:09Z", + "description": "A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "affects": [ + { + "ref": "comp-128" + }, + { + "ref": "comp-58" + }, + { + "ref": "comp-61" + }, + { + "ref": "comp-57" + }, + { + "ref": "comp-67" + } + ], + "id": "CVE-2021-35937", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35937" + }, + "cwes": [ + 367, + 59 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T03:36:39Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-128", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-58", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-61", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-57", + "value": "0:4.16.1.3-29.amzn2023.0.6" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-67", + "value": "0:4.16.1.3-29.amzn2023.0.6" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-588.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070133" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2515.html" + }, + { + "url": "https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-605.html" + }, + { + "url": "https://seclists.org/oss-sec/2024/q1/240" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0450" + } + ], + "bom-ref": "vuln-16", + "references": [ + { + "id": "ALAS2023-2024-605", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-605.html" + } + } + ], + "created": "2024-03-19T16:15:09Z", + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "affects": [ + { + "ref": "comp-131" + }, + { + "ref": "comp-64" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450" + }, + "cwes": [ + 405 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "medium", + "score": 6.2, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "Amazon Linux", + "url": "https://alas.aws.amazon.com/cve/json/v1/CVE-2024-0450.json" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0450" + } + } + ], + "id": "CVE-2024-0450", + "updated": "2024-05-07T22:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:3.9.16-1.amzn2023.0.7" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-64", + "value": "0:3.9.16-1.amzn2023.0.7" + } + ] + }, + { + "bom-ref": "vuln-17", + "ratings": [ + { + "severity": "low", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-02-29T18:49:00Z", + "description": "None Provided", + "affects": [ + { + "ref": "comp-125" + }, + { + "ref": "comp-54" + }, + { + "ref": "comp-55" + } + ], + "id": "ALAS2023-2024-558", + "source": { + "name": "ALAS2023", + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-558.html" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-05T12:00:00Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-125", + "value": "0:8.5.0-1.amzn2023.0.2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-54", + "value": "0:8.5.0-1.amzn2023.0.2" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-55", + "value": "0:8.5.0-1.amzn2023.0.2" + } + ] + } + ] } } diff --git a/entrypoint/tests/test_data/scans/debian:latest.json.scan b/entrypoint/tests/test_data/scans/debian:latest.json.scan index 50fe0ca..15f5e27 100644 --- a/entrypoint/tests/test_data/scans/debian:latest.json.scan +++ b/entrypoint/tests/test_data/scans/debian:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "7" } ], - "timestamp": "2024-03-05T15:15:02.609Z" + "timestamp": "2024-05-22T15:40:55.792Z" }, "components": [ { @@ -47,7 +51,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -75,7 +79,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -88,7 +92,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -116,7 +120,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -144,7 +148,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -172,7 +176,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -185,7 +189,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -200,7 +204,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -241,7 +245,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -254,7 +258,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -282,7 +286,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -295,7 +299,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -308,7 +312,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -334,7 +338,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -349,7 +353,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -377,7 +381,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -390,7 +394,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -405,7 +409,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -433,7 +437,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -446,7 +450,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -474,7 +478,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -502,7 +506,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -530,7 +534,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -543,7 +547,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -556,7 +560,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -571,7 +575,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -599,7 +603,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -625,7 +629,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -640,7 +644,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -653,7 +657,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -666,7 +670,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -679,7 +683,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -707,7 +711,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -733,7 +737,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -746,7 +750,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -761,7 +765,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -789,7 +793,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -802,7 +806,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -817,7 +821,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -869,7 +873,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -910,7 +914,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -923,7 +927,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -933,13 +937,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -951,7 +949,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -979,7 +977,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -992,7 +990,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1018,7 +1016,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1033,7 +1031,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1046,7 +1044,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1061,7 +1059,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1102,7 +1100,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1115,7 +1113,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1128,7 +1126,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1148,7 +1146,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1161,7 +1159,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1176,7 +1174,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1189,7 +1187,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1204,7 +1202,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1230,7 +1228,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1245,7 +1243,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1258,7 +1256,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1271,7 +1269,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1284,7 +1282,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1297,7 +1295,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1310,7 +1308,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1323,7 +1321,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1333,13 +1331,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -1351,7 +1343,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1379,7 +1371,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1407,7 +1399,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1420,7 +1412,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1433,7 +1425,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1446,7 +1438,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1474,7 +1466,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1487,7 +1479,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1500,7 +1492,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1513,7 +1505,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1528,7 +1520,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1541,7 +1533,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1589,7 +1581,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1602,7 +1594,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1615,7 +1607,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1630,7 +1622,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1643,7 +1635,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1671,7 +1663,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1684,7 +1676,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1697,7 +1689,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1712,7 +1704,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1731,7 +1723,7 @@ ] } ], - "serialNumber": "urn:uuid:a7644576-f444-442a-9040-390501f53586", + "serialNumber": "urn:uuid:808af711-3a91-4645-a47d-6548b460baeb", "bomFormat": "CycloneDX", "vulnerabilities": [ { @@ -1746,13 +1738,13 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + "url": "https://kb.isc.org/docs/cve-2023-50868" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://datatracker.ietf.org/doc/html/rfc5155" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" @@ -1763,9 +1755,6 @@ { "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" }, - { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, { "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" }, @@ -1775,11 +1764,14 @@ { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" @@ -1788,34 +1780,37 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://ubuntu.com/security/notices/USN-6657-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://ubuntu.com/security/notices/USN-6657-2" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://access.redhat.com/errata/RHSA-2024:1801" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://access.redhat.com/errata/RHSA-2024:1647" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" }, { "url": "https://ubuntu.com/security/notices/USN-6642-1" @@ -1824,72 +1819,119 @@ "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" }, { "url": "https://ubuntu.com/security/notices/USN-6633-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://access.redhat.com/errata/RHSA-2024:2720" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://access.redhat.com/errata/RHSA-2024:1335" } ], "bom-ref": "vuln-1", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } - }, { "severity": "none", - "score": 0.0366, + "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" } } ], "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", "affects": [ { "ref": "comp-111" } ], - "id": "CVE-2023-50387", + "id": "CVE-2023-50868", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" }, - "cwes": [ - 770 - ], "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -1897,208 +1939,729 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "value": "2024-05-20T06:17:55Z" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://ubuntu.com/security/notices/USN-6762-1" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + "url": "https://ubuntu.com/security/notices/USN-6737-1" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://access.redhat.com/errata/RHSA-2024:2722" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" - }, + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-2", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" - }, + "ref": "comp-65" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-65", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-2", + "bom-ref": "vuln-3", "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "affects": [ { - "ref": "comp-111" + "ref": "comp-65" } ], - "id": "CVE-2023-50868", + "id": "CVE-2024-33602", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" }, + "cwes": [ + 466 + ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-65", + "value": "0:2.36-9+deb12u7" } ] }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-4", "ratings": [ - { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" - } - }, { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", "affects": [ { - "ref": "comp-79" + "ref": "comp-65" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-33599", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" }, "cwes": [ - 693 + 121 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-65", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" + }, + { + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-5", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ + { + "ref": "comp-90" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-90", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-79" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-111" + } + ], + "id": "CVE-2023-50387", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-65" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-65", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-65" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-65", + "value": "0:2.36-9+deb12u7" } ] } diff --git a/entrypoint/tests/test_data/scans/debian:stable-20240130.json.scan b/entrypoint/tests/test_data/scans/debian:stable-20240130.json.scan index b5f6d47..a4dae48 100644 --- a/entrypoint/tests/test_data/scans/debian:stable-20240130.json.scan +++ b/entrypoint/tests/test_data/scans/debian:stable-20240130.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "8" } ], - "timestamp": "2024-03-05T15:15:03.894Z" + "timestamp": "2024-05-22T15:40:57.080Z" }, "components": [ { @@ -60,7 +64,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -73,7 +77,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -99,7 +103,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -114,7 +118,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -140,7 +144,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -153,7 +157,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -168,7 +172,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -181,7 +185,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -209,7 +213,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -222,7 +226,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -232,13 +236,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -250,7 +248,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -278,7 +276,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -306,7 +304,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -334,7 +332,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -362,7 +360,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -375,7 +373,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -390,7 +388,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -418,7 +416,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -472,7 +470,7 @@ "version": "3.7.9-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -518,7 +516,7 @@ "version": "2023c-5%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -533,7 +531,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -546,7 +544,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -559,7 +557,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -572,7 +570,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -585,7 +583,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -598,7 +596,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -611,7 +609,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -621,13 +619,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -639,7 +631,7 @@ "version": "252.19-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -652,7 +644,7 @@ "version": "252.19-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -672,7 +664,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -687,7 +679,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -700,7 +692,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -715,7 +707,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -728,7 +720,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -741,7 +733,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -769,7 +761,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -797,7 +789,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -825,7 +817,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -838,7 +830,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -866,7 +858,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -879,7 +871,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -892,7 +884,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -907,7 +899,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -920,7 +912,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -935,7 +927,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -963,7 +955,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -991,7 +983,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1004,7 +996,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1019,7 +1011,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1047,7 +1039,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1073,7 +1065,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1086,7 +1078,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1101,7 +1093,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1114,7 +1106,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1127,7 +1119,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1140,7 +1132,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1181,7 +1173,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1209,7 +1201,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1222,7 +1214,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1235,7 +1227,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1248,7 +1240,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1274,7 +1266,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1287,7 +1279,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1302,7 +1294,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1330,7 +1322,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1343,7 +1335,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1356,7 +1348,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1384,7 +1376,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1412,7 +1404,7 @@ "version": "35", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1425,7 +1417,7 @@ "version": "35", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1438,7 +1430,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1453,7 +1445,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1466,7 +1458,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1494,7 +1486,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1522,7 +1514,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1535,7 +1527,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1548,7 +1540,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1563,7 +1555,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1576,7 +1568,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1589,7 +1581,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1611,7 +1603,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1644,7 +1636,7 @@ "version": "12.4%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1659,7 +1651,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1672,7 +1664,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1700,7 +1692,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1713,15 +1705,83 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] } ], - "serialNumber": "urn:uuid:1bc9f341-ce70-41eb-bdbe-f831b0eb9ebd", + "serialNumber": "urn:uuid:b379d22a-c41a-4a21-8773-477574d7fc61", "bomFormat": "CycloneDX", "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" + }, + { + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" + }, + { + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-1", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ + { + "ref": "comp-38" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-38", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, { "advisories": [ { @@ -1734,13 +1794,13 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" @@ -1751,6 +1811,9 @@ { "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, { "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" }, @@ -1760,14 +1823,11 @@ { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" - }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" @@ -1776,166 +1836,198 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" }, { "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" - } - ], - "bom-ref": "vuln-1", - "ratings": [ + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, { - "severity": "none", - "score": 0.00046, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", - "affects": [ + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, { - "ref": "comp-46" - } - ], - "id": "CVE-2023-50868", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" - }, - "analysis": { - "state": "exploitable" - }, - "updated": "2024-03-04T03:15:06Z", - "properties": [ + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "url": "https://access.redhat.com/errata/RHSA-2024:2587" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" - } - ] - }, - { - "advisories": [ + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" }, { - "url": "https://savannah.gnu.org/patch/?10307" + "url": "https://access.redhat.com/errata/RHSA-2024:1335" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/" + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { - "url": "https://savannah.gnu.org/bugs/?62387" + "url": "https://access.redhat.com/errata/RHSA-2024:1801" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48303" + "url": "https://access.redhat.com/errata/RHSA-2024:1647" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1994.html" + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" }, { - "url": "https://ubuntu.com/security/notices/USN-5900-2" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" }, { - "url": "https://ubuntu.com/security/notices/USN-5900-1" + "url": "https://ubuntu.com/security/notices/USN-6642-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:0842" + "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-153.html" + "url": "https://access.redhat.com/errata/RHSA-2024:1804" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1704.html" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:5610" + "url": "https://access.redhat.com/errata/RHSA-2024:2696" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://access.redhat.com/errata/RHSA-2024:1522" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:0959" + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" } ], "bom-ref": "vuln-2", "ratings": [ { - "severity": "medium", - "score": 5.5, + "severity": "high", + "score": 7.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" } }, { "severity": "none", - "score": 0.00049, + "score": 0.0366, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" } } ], - "created": "2023-01-30T04:15:08Z", - "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "affects": [ { - "ref": "comp-120" + "ref": "comp-46" } ], - "id": "CVE-2022-48303", + "id": "CVE-2023-50387", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" }, "cwes": [ - 125 + 770 ], "analysis": { "state": "exploitable" }, - "updated": "2023-05-30T17:16:57Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -1943,92 +2035,237 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T21:04:41Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-120", - "value": "0:1.34+dfsg-1.2+deb12u1" + "value": "2024-05-18T05:37:06Z" } ] }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-7008" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222261" + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222672" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059278" - }, + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-3", + "ratings": [ { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-509.html" + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-14", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1058079" + }, + { + "url": "https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4" + }, + { + "url": "https://git.savannah.gnu.org/cgit/tar.git/tree/src/xheader.c?h=release_1_34" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-39804" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-475.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6543-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7008" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2390.html" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-4", "ratings": [ { - "severity": "medium", - "score": 5.9, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39804" } + } + ], + "created": "2024-03-27T04:15:08Z", + "description": "In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.", + "affects": [ + { + "ref": "comp-120" + } + ], + "id": "CVE-2023-39804", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39804" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-120", + "value": "0:1.34+dfsg-1.2+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X5VQYCO52Z7GAVCLRYUITN7KXHLRZQS4/" + }, + { + "url": "https://savannah.gnu.org/patch/?10307" }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CRY7VEL4AIG3GLIEVCTOXRZNSVYDYYUD/" + }, + { + "url": "https://savannah.gnu.org/bugs/?62387" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1994.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5900-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5900-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0842" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-153.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1704.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5610" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48303" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0959" + } + ], + "bom-ref": "vuln-5", + "ratings": [ { "severity": "none", - "score": 0.00063, + "score": 0.00049, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48303" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303" } } ], - "created": "2023-12-23T13:15:07Z", - "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "created": "2023-01-30T04:15:08Z", + "description": "GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.", "affects": [ { - "ref": "comp-46" + "ref": "comp-120" } ], - "id": "CVE-2023-7008", + "id": "CVE-2022-48303", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48303" }, "cwes": [ - 300 + 125 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-01-27T03:15:07Z", + "updated": "2023-05-30T17:16:57Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-46", - "value": "0:252.21-1~deb12u1" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-10T12:52:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-120", + "value": "0:1.34+dfsg-1.2+deb12u1" } ] }, { "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:1082" + }, { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258544" }, @@ -2051,75 +2288,268 @@ "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0567" + "url": "https://ubuntu.com/security/notices/USN-6593-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061045" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0567" + }, + { + "url": "https://gnutls.org/security-new.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-521.html" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "none", + "score": 0.00082, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0567" + } + }, + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567" + } + } + ], + "created": "2024-01-16T14:15:48Z", + "description": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.", + "affects": [ + { + "ref": "comp-33" + } + ], + "id": "CVE-2024-0567", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567" + }, + "cwes": [ + 347 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-05T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-33", + "value": "0:3.7.9-2+deb12u2" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-14", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:2463" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-7008" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GMDEG5PKONWNHOEYSUDRT6JEOISRMN2/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222261" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222672" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QHNBXGKJWISJETTTDTZKTBFIBJUOSLKL/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059278" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-509.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-7008" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00084, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-7008" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008" + } + } + ], + "created": "2023-12-23T13:15:07Z", + "description": "A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.", + "affects": [ + { + "ref": "comp-46" + } + ], + "id": "CVE-2023-7008", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7008" + }, + "cwes": [ + 300 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-46", + "value": "0:252.21-1~deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" }, { - "url": "https://ubuntu.com/security/notices/USN-6593-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061045" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://gnutls.org/security-new.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-521.html" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-4", + "bom-ref": "vuln-9", "ratings": [ { "severity": "none", - "score": 0.00089, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" } } ], - "created": "2024-01-16T14:15:48Z", - "description": "A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", "affects": [ { - "ref": "comp-33" + "ref": "comp-14" } ], - "id": "CVE-2024-0567", + "id": "CVE-2024-33599", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0567" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" }, "cwes": [ - 347 + 121 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-09T03:15:09Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T14:06:54Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-33", - "value": "0:3.7.9-2+deb12u2" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-14", + "value": "0:2.36-9+deb12u7" } ] }, @@ -2128,9 +2558,21 @@ { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258412" }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1082" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0553" + }, + { + "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/" }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1108" + }, { "url": "https://access.redhat.com/errata/RHSA-2024:0627" }, @@ -2140,9 +2582,6 @@ { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/" }, - { - "url": "https://access.redhat.com/security/cve/CVE-2024-0553" - }, { "url": "https://access.redhat.com/errata/RHSA-2024:0796" }, @@ -2150,10 +2589,10 @@ "url": "https://access.redhat.com/errata/RHSA-2024:0533" }, { - "url": "https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html" + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-548.html" }, { "url": "https://ubuntu.com/security/notices/USN-6593-1" @@ -2162,13 +2601,13 @@ "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061046" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0553" + "url": "https://gnutls.org/security-new.html" }, { - "url": "https://gnutls.org/security-new.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0553" } ], - "bom-ref": "vuln-5", + "bom-ref": "vuln-10", "ratings": [ { "severity": "high", @@ -2182,12 +2621,12 @@ }, { "severity": "none", - "score": 0.0068, + "score": 0.00823, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0553" } } ], @@ -2209,7 +2648,7 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-02-26T16:27:51Z", + "updated": "2024-03-25T18:15:08Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2217,7 +2656,7 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-04T02:06:50Z" + "value": "2024-05-18T05:37:06Z" }, { "name": "amazon:inspector:sbom_scanner:fixed_version:comp-33", @@ -2225,6 +2664,63 @@ } ] }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-11", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-14", + "value": "0:2.36-9+deb12u7" + } + ] + }, { "advisories": [ { @@ -2237,13 +2733,13 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + "url": "https://kb.isc.org/docs/cve-2023-50868" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://datatracker.ietf.org/doc/html/rfc5155" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" @@ -2254,9 +2750,6 @@ { "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" }, - { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, { "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" }, @@ -2266,11 +2759,14 @@ { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" @@ -2279,34 +2775,37 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://ubuntu.com/security/notices/USN-6657-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://ubuntu.com/security/notices/USN-6657-2" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://access.redhat.com/errata/RHSA-2024:1801" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://access.redhat.com/errata/RHSA-2024:1647" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" }, { "url": "https://ubuntu.com/security/notices/USN-6642-1" @@ -2315,72 +2814,210 @@ "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" }, { "url": "https://ubuntu.com/security/notices/USN-6633-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://access.redhat.com/errata/RHSA-2024:2720" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://access.redhat.com/errata/RHSA-2024:1335" } ], - "bom-ref": "vuln-6", + "bom-ref": "vuln-12", "ratings": [ { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "affects": [ + { + "ref": "comp-46" + } + ], + "id": "CVE-2023-50868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-13", + "ratings": [ { "severity": "none", - "score": 0.0366, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", "affects": [ { - "ref": "comp-46" + "ref": "comp-14" } ], - "id": "CVE-2023-50387", + "id": "CVE-2024-2961", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" }, "cwes": [ - 770 + 787 ], "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-04T01:15:06Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2388,7 +3025,11 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-14", + "value": "0:2.36-9+deb12u6" } ] }, @@ -2408,12 +3049,9 @@ }, { "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" } ], - "bom-ref": "vuln-7", + "bom-ref": "vuln-14", "ratings": [ { "severity": "medium", @@ -2429,10 +3067,10 @@ "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" } } ], @@ -2462,7 +3100,7 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "value": "2024-05-18T04:18:41Z" } ] } diff --git a/entrypoint/tests/test_data/scans/fedora:latest.json.scan b/entrypoint/tests/test_data/scans/fedora:latest.json.scan index b909a0a..08e8e19 100644 --- a/entrypoint/tests/test_data/scans/fedora:latest.json.scan +++ b/entrypoint/tests/test_data/scans/fedora:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -21,14 +21,18 @@ }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "0" + "value": "1" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", - "value": "0" + "value": "1" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "5" } ], - "timestamp": "2024-03-05T15:15:05.258Z" + "timestamp": "2024-05-22T15:40:58.445Z" }, "components": [ { @@ -45,7 +49,7 @@ "version": "13.2.1-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -58,7 +62,7 @@ "version": "13.2.1-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -71,7 +75,7 @@ "version": "20231204-1.git1e3a2e4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -84,7 +88,7 @@ "version": "2024a-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -97,7 +101,7 @@ "version": "39-34", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -110,7 +114,7 @@ "version": "39-34", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -123,7 +127,7 @@ "version": "39-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -136,7 +140,7 @@ "version": "39-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -149,7 +153,7 @@ "version": "39-34", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -162,7 +166,7 @@ "version": "39-34", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -175,7 +179,7 @@ "version": "2.14.4-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -188,7 +192,7 @@ "version": "3.18-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -201,7 +205,7 @@ "version": "11-18.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -214,7 +218,7 @@ "version": "9.1.113-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -227,7 +231,7 @@ "version": "9.1.113-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -240,7 +244,7 @@ "version": "20240107-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -253,7 +257,7 @@ "version": "20240107-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -266,7 +270,7 @@ "version": "0.10.6-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -279,7 +283,7 @@ "version": "0.10.6-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -318,7 +322,7 @@ "version": "10.42-1.fc39.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -331,7 +335,7 @@ "version": "10.42-1.fc39.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -344,7 +348,7 @@ "version": "6.4-7.20230520.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -357,7 +361,7 @@ "version": "6.4-7.20230520.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -370,7 +374,7 @@ "version": "6.4-7.20230520.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -383,7 +387,7 @@ "version": "6.4-7.20230520.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -396,7 +400,7 @@ "version": "5.2.26-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -406,39 +410,21 @@ "name": "glibc-common", "purl": "pkg:rpm/fedora/glibc-common@2.38-16.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "2.38-16.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38-16.fc39" }, { "bom-ref": "comp-31", "name": "glibc", "purl": "pkg:rpm/fedora/glibc@2.38-16.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "2.38-16.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38-16.fc39" }, { "bom-ref": "comp-32", "name": "glibc-minimal-langpack", "purl": "pkg:rpm/fedora/glibc-minimal-langpack@2.38-16.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "2.38-16.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38-16.fc39" }, { "bom-ref": "comp-33", @@ -448,7 +434,7 @@ "version": "1.2.13-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -461,7 +447,7 @@ "version": "1.0.8-16.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -474,7 +460,7 @@ "version": "1.0.8-16.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -487,7 +473,7 @@ "version": "1.5.5-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -500,7 +486,7 @@ "version": "1.5.5-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -513,7 +499,7 @@ "version": "5.4.4-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -526,7 +512,7 @@ "version": "5.4.4-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -539,7 +525,7 @@ "version": "6.2.1-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -552,7 +538,7 @@ "version": "4.4.36-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -565,7 +551,7 @@ "version": "1.19-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -578,7 +564,7 @@ "version": "2.39.3-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -591,7 +577,7 @@ "version": "2.39.3-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -604,7 +590,7 @@ "version": "2.10.4-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -617,7 +603,7 @@ "version": "3.42.0-7.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -630,7 +616,7 @@ "version": "3.42.0-7.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -643,7 +629,7 @@ "version": "1.47-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -656,7 +642,7 @@ "version": "2.48-9.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -669,7 +655,7 @@ "version": "2.5.1-8.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -682,7 +668,7 @@ "version": "2.5.1-8.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -695,7 +681,7 @@ "version": "2.3.1-9.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -708,7 +694,7 @@ "version": "2.3.1-9.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -721,7 +707,7 @@ "version": "0.5.2-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -734,7 +720,7 @@ "version": "3.4.4-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -747,7 +733,7 @@ "version": "4.19.0-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -760,7 +746,7 @@ "version": "0.25.3-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -773,7 +759,7 @@ "version": "1.1-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -786,7 +772,7 @@ "version": "2.3.7-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -799,7 +785,7 @@ "version": "10.42-1.fc39.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -812,7 +798,7 @@ "version": "2.39.3-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -825,7 +811,7 @@ "version": "13.2.1-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -838,7 +824,7 @@ "version": "8.2-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -851,7 +837,7 @@ "version": "2.39.3-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -864,7 +850,7 @@ "version": "0.190-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -877,7 +863,7 @@ "version": "0.190-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -890,7 +876,7 @@ "version": "1.23-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -903,7 +889,7 @@ "version": "1.23-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -916,7 +902,7 @@ "version": "0.17-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -929,7 +915,7 @@ "version": "1.6.1-7.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -942,7 +928,7 @@ "version": "1.6.1-7.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -955,7 +941,7 @@ "version": "1.47.0-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -968,7 +954,7 @@ "version": "1.47.0-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -981,7 +967,7 @@ "version": "3.5-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -994,7 +980,7 @@ "version": "3.5-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1007,7 +993,7 @@ "version": "4.8-14.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1020,7 +1006,7 @@ "version": "2.39.3-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1033,7 +1019,7 @@ "version": "5.4.6-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1046,7 +1032,7 @@ "version": "5.4.6-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1059,7 +1045,7 @@ "version": "1.9.4-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1072,7 +1058,7 @@ "version": "1.9.4-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1086,7 +1072,7 @@ "properties": [ { "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." + "value": "Component skipped: no rules found." } ] }, @@ -1098,7 +1084,7 @@ "version": "13.2.1-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1111,7 +1097,7 @@ "version": "0.98.1-9.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1124,7 +1110,7 @@ "version": "0.1.20-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1137,7 +1123,7 @@ "version": "254.9-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1150,7 +1136,7 @@ "version": "254.9-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1163,7 +1149,7 @@ "version": "4.9.0-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1176,7 +1162,7 @@ "version": "2.1.28-11.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1189,7 +1175,7 @@ "version": "2.1.28-11.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1202,7 +1188,7 @@ "version": "3.11-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1215,7 +1201,7 @@ "version": "0.21.2-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1228,7 +1214,7 @@ "version": "2.5.6-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1241,7 +1227,7 @@ "version": "1.10.2-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1254,7 +1240,7 @@ "version": "1.6.4-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1267,7 +1253,7 @@ "version": "4.2.0-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1280,7 +1266,7 @@ "version": "3.9.1-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1293,7 +1279,7 @@ "version": "5.44-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1306,7 +1292,7 @@ "version": "5.44-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1319,7 +1305,7 @@ "version": "1.1.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1332,7 +1318,7 @@ "version": "1.1.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1345,7 +1331,7 @@ "version": "0.8.3-8.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1358,7 +1344,7 @@ "version": "3.1.2-8.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1371,7 +1357,7 @@ "version": "3.1.2-8.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1384,7 +1370,7 @@ "version": "1.5.3-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1397,7 +1383,7 @@ "version": "1.5.3-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1410,7 +1396,7 @@ "version": "3.5-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1423,7 +1409,7 @@ "version": "4.14.0-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1436,7 +1422,7 @@ "version": "5.3.28-56.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1449,7 +1435,7 @@ "version": "2.14-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1462,7 +1448,7 @@ "version": "5.2.2-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1475,7 +1461,7 @@ "version": "0.3.2-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1488,7 +1474,7 @@ "version": "0.2.5-12.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1501,7 +1487,7 @@ "version": "2.5.1-7.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1514,7 +1500,7 @@ "version": "1.6-14.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1527,7 +1513,7 @@ "version": "1.26-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1540,7 +1526,7 @@ "version": "1.26-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1553,7 +1539,7 @@ "version": "0.25.3-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1566,7 +1552,7 @@ "version": "3.1.1-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1579,7 +1565,7 @@ "version": "3.1.1-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1592,7 +1578,7 @@ "version": "2023.2.60_v7.0.306-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1605,7 +1591,7 @@ "version": "1.21.2-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1618,7 +1604,7 @@ "version": "1.21.2-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1631,7 +1617,7 @@ "version": "1.3.4-0.rc2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1644,7 +1630,7 @@ "version": "2.0.0-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1654,13 +1640,7 @@ "name": "tpm2-tss", "purl": "pkg:rpm/fedora/tpm2-tss@4.0.1-6.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "4.0.1-6.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "4.0.1-6.fc39" }, { "bom-ref": "comp-127", @@ -1670,7 +1650,7 @@ "version": "1.4.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1683,7 +1663,7 @@ "version": "1.4.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1697,7 +1677,7 @@ "properties": [ { "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." + "value": "Component skipped: no rules found." } ] }, @@ -1706,13 +1686,7 @@ "name": "glib2", "purl": "pkg:rpm/fedora/glib2@2.78.3-1.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "2.78.3-1.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "2.78.3-1.fc39" }, { "bom-ref": "comp-131", @@ -1722,7 +1696,7 @@ "version": "1.5-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1735,7 +1709,7 @@ "version": "0.10.6-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1745,13 +1719,7 @@ "name": "python-pip-wheel", "purl": "pkg:rpm/fedora/python-pip-wheel@23.2.1-1.fc39?arch=noarch&distro=39&epoch=0", "type": "application", - "version": "23.2.1-1.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] + "version": "23.2.1-1.fc39" }, { "bom-ref": "comp-134", @@ -1761,7 +1729,7 @@ "version": "23.2.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1774,7 +1742,7 @@ "version": "3.12.1-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1787,7 +1755,7 @@ "version": "3.12.1-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1800,7 +1768,7 @@ "version": "3.12.1-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1813,7 +1781,7 @@ "version": "0.1.20-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1826,7 +1794,7 @@ "version": "1.4.3-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1839,7 +1807,7 @@ "version": "1.4.3-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1852,7 +1820,7 @@ "version": "1.12-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1865,7 +1833,7 @@ "version": "2.9.11-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1878,7 +1846,7 @@ "version": "1.4.5-6.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1891,7 +1859,7 @@ "version": "3.7.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1904,7 +1872,7 @@ "version": "2.1.12-9.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1917,7 +1885,7 @@ "version": "2.6.6-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1930,7 +1898,7 @@ "version": "2.4.3-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1943,7 +1911,7 @@ "version": "1.4-10.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1956,7 +1924,7 @@ "version": "1.4-10.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1982,7 +1950,7 @@ "version": "1.6.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1995,7 +1963,7 @@ "version": "4.19.1.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2008,7 +1976,7 @@ "version": "4.19.1.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2021,7 +1989,7 @@ "version": "2.15.0-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2034,7 +2002,7 @@ "version": "0.7.28-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2047,7 +2015,7 @@ "version": "4.19.1.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2057,52 +2025,28 @@ "name": "libnghttp2", "purl": "pkg:rpm/fedora/libnghttp2@1.55.1-4.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "1.55.1-4.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.55.1-4.fc39" }, { "bom-ref": "comp-158", "name": "nghttp2", "purl": "pkg:rpm/fedora/nghttp2@1.55.1-4.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "1.55.1-4.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.55.1-4.fc39" }, { "bom-ref": "comp-159", "name": "libcurl", "purl": "pkg:rpm/fedora/libcurl@8.2.1-4.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "8.2.1-4.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "8.2.1-4.fc39" }, { "bom-ref": "comp-160", "name": "curl", "purl": "pkg:rpm/fedora/curl@8.2.1-4.fc39?arch=x86_64&distro=39&epoch=0", "type": "application", - "version": "8.2.1-4.fc39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "8.2.1-4.fc39" }, { "bom-ref": "comp-161", @@ -2112,7 +2056,7 @@ "version": "1.17.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2125,7 +2069,7 @@ "version": "0.72.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2138,7 +2082,7 @@ "version": "0.72.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2151,7 +2095,7 @@ "version": "0.72.0-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2164,7 +2108,7 @@ "version": "0.190-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2177,7 +2121,7 @@ "version": "0.190-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2190,7 +2134,7 @@ "version": "0.190-4.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2203,7 +2147,7 @@ "version": "4.19.1.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2216,7 +2160,7 @@ "version": "4.19.1.1-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2229,7 +2173,7 @@ "version": "2.17.11-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2242,7 +2186,7 @@ "version": "2.17.11-3.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2255,7 +2199,7 @@ "version": "4.18.2-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2268,7 +2212,7 @@ "version": "4.18.2-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2281,7 +2225,7 @@ "version": "4.18.2-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2294,7 +2238,7 @@ "version": "4.18.2-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2320,7 +2264,7 @@ "version": "2.39.3-5.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2333,7 +2277,7 @@ "version": "1.35-2.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2346,7 +2290,7 @@ "version": "9.1.113-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2359,7 +2303,7 @@ "version": "9.1.113-1.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2372,7 +2316,7 @@ "version": "8.1-34.fc39", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2385,13 +2329,623 @@ "version": "18b8e74c-62f2920f", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] } ], - "serialNumber": "urn:uuid:707f01fc-88f7-4ddb-ae75-c6bfa38ce7d6", - "bomFormat": "CycloneDX" + "serialNumber": "urn:uuid:fbaaf90f-c71d-4a63-b757-71091c002053", + "bomFormat": "CycloneDX", + "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2384833" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" + } + ], + "bom-ref": "vuln-1", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "affects": [ + { + "ref": "comp-160" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2024-2004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T17:15:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "0:8.2.1-5.fc39" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "0:8.2.1-5.fc39" + } + ] + }, + { + "advisories": [ + { + "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3268" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-34397" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6768-1" + }, + { + "url": "https://discourse.gnome.org/t/security-fixes-for-signal-handling-in-gdbus-in-glib/20882/1" + } + ], + "bom-ref": "vuln-2", + "references": [ + { + "id": "FEDORA-2024-fd2569c4e9", + "source": { + "name": "FEDORA", + "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-fd2569c4e9" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34397" + } + } + ], + "created": "2024-05-07T18:15:08Z", + "description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", + "affects": [ + { + "ref": "comp-130" + } + ], + "id": "CVE-2024-34397", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T20:07:58Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-130", + "value": "0:2.78.6-1.fc39" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YBSB3SUPQ3VIFYUMHPO3MEQI4BJAXKCZ/" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFC2SPFG5FLCZBYY2K3T5MFW2D22NG6E/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-442.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2349.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5752" + } + ], + "bom-ref": "vuln-3", + "references": [ + { + "id": "FEDORA-2024-b72bc39c00", + "source": { + "name": "FEDORA", + "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-b72bc39c00" + } + } + ], + "created": "2023-10-25T18:17:44Z", + "description": "When installing a package from a Mercurial VCS URL (ie \"pip install \nhg+...\") with pip prior to v23.3, the specified Mercurial revision could\n be used to inject arbitrary configuration options to the \"hg clone\" \ncall (ie \"--config\"). Controlling the Mercurial configuration can modify\n how and which repository is installed. This vulnerability does not \naffect users who aren't installing from Mercurial.\n", + "affects": [ + { + "ref": "comp-133" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752" + }, + "cwes": [ + 77 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5752" + } + }, + { + "severity": "low", + "score": 3.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5752" + } + } + ], + "id": "CVE-2023-5752", + "updated": "2024-05-03T03:16:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-133", + "value": "0:23.2.1-2.fc39" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2402845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-4", + "references": [ + { + "id": "FEDORA-2024-6dab59bd47", + "source": { + "name": "FEDORA", + "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-6dab59bd47" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ + { + "ref": "comp-160" + }, + { + "ref": "comp-159" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-160", + "value": "0:8.2.1-5.fc39" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-159", + "value": "0:8.2.1-5.fc39" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2910" + } + ], + "bom-ref": "vuln-5", + "references": [ + { + "id": "FEDORA-2024-a00de83de9", + "source": { + "name": "FEDORA", + "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-a00de83de9" + } + } + ], + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", + "affects": [ + { + "ref": "comp-157" + }, + { + "ref": "comp-158" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" + } + } + ], + "id": "CVE-2024-28182", + "updated": "2024-05-01T18:15:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-157", + "value": "0:1.55.1-5.fc39" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-158", + "value": "0:1.55.1-5.fc39" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-6", + "references": [ + { + "id": "FEDORA-2024-9be1b94714", + "source": { + "name": "FEDORA", + "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-9be1b94714" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-30" + }, + { + "ref": "comp-31" + }, + { + "ref": "comp-32" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "id": "CVE-2024-2961", + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-30", + "value": "0:2.38-18.fc39" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-31", + "value": "0:2.38-18.fc39" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-32", + "value": "0:2.38-18.fc39" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271763" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2277437" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "medium", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-04-28T20:15:43Z", + "description": "tpm2-tss:\n\n Fixed CVE-2024-29040\n\ntpm2-tools:\n\n Fixed CVE-2024-29038\n Fixed CVE-2024-29039\nCopyright (C) 2024 Red Hat, Inc. and others.", + "affects": [ + { + "ref": "comp-126" + } + ], + "id": "FEDORA-2024-4512dc54af", + "source": { + "name": "FEDORA", + "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-4512dc54af" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T03:27:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-126", + "value": "0:4.0.2-1.fc39" + } + ] + } + ] } } diff --git a/entrypoint/tests/test_data/scans/golang:latest.json.scan b/entrypoint/tests/test_data/scans/golang:latest.json.scan index f80ec03..2b964d6 100644 --- a/entrypoint/tests/test_data/scans/golang:latest.json.scan +++ b/entrypoint/tests/test_data/scans/golang:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -17,18 +17,22 @@ }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", - "value": "13" + "value": "22" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "41" + "value": "59" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "631" } ], - "timestamp": "2024-03-05T15:15:06.645Z" + "timestamp": "2024-05-22T15:40:59.912Z" }, "components": [ { @@ -60,7 +64,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -73,7 +77,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -86,7 +90,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -99,7 +103,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -125,7 +129,7 @@ "version": "20230311", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -140,7 +144,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -168,7 +172,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -196,7 +200,7 @@ "version": "1.3.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -209,7 +213,7 @@ "version": "1.3.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -224,7 +228,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -237,7 +241,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -250,7 +254,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -263,7 +267,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -291,7 +295,7 @@ "version": "2.4%2B20151223.gitfa8646d.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -319,7 +323,7 @@ "version": "1.10.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -347,7 +351,7 @@ "version": "6.1.76-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -369,7 +373,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -382,7 +386,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -395,7 +399,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -408,7 +412,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -436,7 +440,7 @@ "version": "4.0.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -464,7 +468,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -477,7 +481,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -490,7 +494,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -503,7 +507,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -516,7 +520,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -529,7 +533,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -542,7 +546,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -552,13 +556,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -570,7 +568,7 @@ "version": "3.11.2-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -583,7 +581,7 @@ "version": "3.11.2-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -596,7 +594,7 @@ "version": "3.11.2-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -606,13 +604,7 @@ "name": "python3.11", "purl": "pkg:deb/debian/python3.11@3.11.2-6?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "3.11.2-6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "3.11.2-6" }, { "components": [ @@ -624,7 +616,7 @@ "version": "9.2p1-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -650,7 +642,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -663,7 +655,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -691,7 +683,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -704,7 +696,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -743,7 +735,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -756,7 +748,7 @@ "version": "10.0.0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -771,7 +763,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -784,7 +776,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -799,7 +791,7 @@ "version": "6.3.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -827,7 +819,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -840,7 +832,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -855,7 +847,7 @@ "version": "2.5.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -865,7 +857,13 @@ "name": "expat", "purl": "pkg:deb/debian/expat@2.5.0-1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.5.0-1" + "version": "2.5.0-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] }, { "components": [ @@ -877,7 +875,7 @@ "version": "0.25-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -890,7 +888,7 @@ "version": "0.25-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -905,7 +903,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -933,7 +931,7 @@ "version": "1.0.9-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -961,7 +959,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -989,7 +987,7 @@ "version": "4.3-4.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1002,7 +1000,7 @@ "version": "4.3-4.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1017,7 +1015,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1030,7 +1028,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1045,7 +1043,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1071,7 +1069,7 @@ "version": "1.4.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1097,7 +1095,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1110,7 +1108,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1125,7 +1123,7 @@ "version": "0.11.7-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1153,7 +1151,7 @@ "version": "4.2.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1179,7 +1177,7 @@ "version": "3.0043%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1194,7 +1192,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1207,7 +1205,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1217,13 +1215,7 @@ "name": "curl", "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "7.88.1-10%2Bdeb12u5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "7.88.1-10%2Bdeb12u5" }, { "components": [ @@ -1235,7 +1227,7 @@ "version": "1.6.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1263,7 +1255,7 @@ "version": "2.14-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1291,7 +1283,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1319,7 +1311,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1347,7 +1339,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1375,7 +1367,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1388,7 +1380,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1416,7 +1408,7 @@ "version": "1.3.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1429,7 +1421,7 @@ "version": "1.3.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1442,7 +1434,7 @@ "version": "1.3.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1470,7 +1462,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1483,7 +1475,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1496,7 +1488,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1524,7 +1516,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1552,7 +1544,7 @@ "version": "2.39.2-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1562,13 +1554,7 @@ "name": "git", "purl": "pkg:deb/debian/git@2.39.2-1.1?arch=amd64&distro=bookworm&epoch=1", "type": "application", - "version": "2.39.2-1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.39.2-1.1" }, { "components": [ @@ -1580,7 +1566,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1593,7 +1579,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1619,7 +1605,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1634,7 +1620,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1647,7 +1633,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1675,7 +1661,7 @@ "version": "2.5.13%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1703,7 +1689,7 @@ "version": "1.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1716,7 +1702,7 @@ "version": "1.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1729,7 +1715,7 @@ "version": "1.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1757,7 +1743,7 @@ "version": "1.3.9-11", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1783,7 +1769,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1798,7 +1784,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1811,7 +1797,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1824,7 +1810,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1837,7 +1823,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1847,13 +1833,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -1865,7 +1845,7 @@ "version": "0.8.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1878,7 +1858,7 @@ "version": "0.8.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1893,7 +1873,7 @@ "version": "1.52.0-1%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1903,13 +1883,7 @@ "name": "nghttp2", "purl": "pkg:deb/debian/nghttp2@1.52.0-1%2Bdeb12u1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "1.52.0-1%2Bdeb12u1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.52.0-1%2Bdeb12u1" }, { "components": [ @@ -1921,7 +1895,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1934,7 +1908,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1947,7 +1921,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1975,7 +1949,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1988,7 +1962,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2001,7 +1975,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2016,7 +1990,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2029,7 +2003,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2049,7 +2023,7 @@ "version": "6.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2062,7 +2036,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2077,7 +2051,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2090,7 +2064,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2103,7 +2077,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2116,7 +2090,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2129,7 +2103,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2142,7 +2116,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2170,7 +2144,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2183,7 +2157,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2211,7 +2185,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2239,7 +2213,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2252,7 +2226,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2265,7 +2239,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2278,7 +2252,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2293,7 +2267,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2306,7 +2280,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2319,7 +2293,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2334,7 +2308,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2347,7 +2321,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2362,7 +2336,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2375,7 +2349,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2388,7 +2362,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2401,7 +2375,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2429,7 +2403,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2442,7 +2416,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2457,7 +2431,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2485,7 +2459,7 @@ "version": "1.14.2-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2526,7 +2500,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2539,7 +2513,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2554,7 +2528,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2567,7 +2541,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2595,7 +2569,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2621,7 +2595,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2647,7 +2621,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2662,7 +2636,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2675,7 +2649,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2703,7 +2677,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2716,7 +2690,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2731,7 +2705,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2744,7 +2718,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2757,7 +2731,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2770,7 +2744,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2783,7 +2757,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2796,7 +2770,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2809,7 +2783,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2822,7 +2796,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2835,7 +2809,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2848,7 +2822,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2861,7 +2835,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2889,7 +2863,7 @@ "version": "1.12.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2902,7 +2876,7 @@ "version": "1.12.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2917,7 +2891,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2930,7 +2904,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2943,7 +2917,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2958,7 +2932,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2971,7 +2945,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2986,7 +2960,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3012,7 +2986,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3027,7 +3001,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3055,7 +3029,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3083,7 +3057,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3096,7 +3070,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3111,7 +3085,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3124,7 +3098,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3152,7 +3126,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3165,7 +3139,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3178,7 +3152,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3206,7 +3180,7 @@ "version": "3.0.11-1%7Edeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3228,7 +3202,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3241,7 +3215,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3256,7 +3230,7 @@ "version": "2.8.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3269,7 +3243,7 @@ "version": "2.8.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3284,7 +3258,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3297,7 +3271,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3312,7 +3286,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3340,7 +3314,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3368,7 +3342,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3394,7 +3368,7 @@ "version": "0.17029-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3409,7 +3383,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3422,7 +3396,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3435,7 +3409,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3448,7 +3422,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3463,7 +3437,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3476,7 +3450,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3489,7 +3463,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3502,7 +3476,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3515,7 +3489,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3528,7 +3502,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3541,7 +3515,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3554,7 +3528,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3567,7 +3541,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3580,7 +3554,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3593,7 +3567,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3606,7 +3580,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3619,7 +3593,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3632,7 +3606,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3645,7 +3619,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3658,7 +3632,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3680,7 +3654,7 @@ "version": "1.7.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3708,7 +3682,7 @@ "version": "3.1-20221030-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3721,7 +3695,7 @@ "version": "3.1-20221030-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3736,7 +3710,7 @@ "version": "1.3.3%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3749,7 +3723,7 @@ "version": "1.3.3%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3762,7 +3736,7 @@ "version": "1.3.3%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3792,7 +3766,7 @@ "value": "/usr/local/go/src/crypto/internal/bigmod/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3809,7 +3783,7 @@ "value": "/usr/local/go/src/crypto/internal/bigmod/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3839,7 +3813,7 @@ "value": "/usr/local/go/src/crypto/internal/bigmod/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3856,7 +3830,7 @@ "value": "/usr/local/go/src/crypto/internal/bigmod/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3873,7 +3847,7 @@ "value": "/usr/local/go/src/crypto/internal/edwards25519/field/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3890,7 +3864,7 @@ "value": "/usr/local/go/src/crypto/internal/edwards25519/field/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3920,7 +3894,7 @@ "value": "/usr/local/go/src/crypto/internal/edwards25519/field/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3937,7 +3911,7 @@ "value": "/usr/local/go/src/crypto/internal/edwards25519/field/_asm/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3954,7 +3928,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3971,7 +3945,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3988,7 +3962,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4005,7 +3979,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4039,7 +4013,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4056,7 +4030,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4073,7 +4047,7 @@ "value": "/usr/local/go/src/cmd/go.mod" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4101,10 +4075,6 @@ { "name": "amazon:inspector:sbom_scanner:path", "value": "/usr/local/go/src/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." } ] }, @@ -4352,124 +4322,79 @@ ] } ], - "serialNumber": "urn:uuid:78b04257-73d3-4c94-b767-90e25c2b1010", + "serialNumber": "urn:uuid:d12f3ecf-73fb-4620-8692-6a6dd9e59781", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217271" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-3397" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-043.html" - }, - { - "url": "https://alas.aws.amazon.com/ALAS-2023-1883.html" + "url": "https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2340.html" + "url": "https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3397" + "url": "https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede" }, { - "url": "https://lore.kernel.org/lkml/20230515095956.17898-1-zyytlz.wz@163.com/" + "url": "https://git.kernel.org/linus/315552310c7de92baea4e570967066569937a843(6.8-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2023-056.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52596" } ], "bom-ref": "vuln-1", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52596" } } ], - "created": "2023-11-01T20:15:08Z", - "description": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-3397", + "id": "CVE-2023-52596", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52596" }, - "cwes": [ - 416, - 362 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-09T15:09:04Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" - } - ] + "updated": "2024-03-06T15:18:08Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/0430bfcd46657d9116a26cd377f112cbc40826a4" - }, - { - "url": "https://git.kernel.org/stable/c/14ef61594a5a286ae0d493b8acbf9eac46fd04c4" - }, - { - "url": "https://git.kernel.org/stable/c/486218c11e8d1c8f515a3bdd70d62203609d4b6b" - }, - { - "url": "https://git.kernel.org/stable/c/7104ba0f1958adb250319e68a15eff89ec4fd36d" - }, - { - "url": "https://git.kernel.org/stable/c/396e17af6761b3cc9e6e4ca94b4de7f642bfece1" + "url": "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e" }, { - "url": "https://git.kernel.org/stable/c/be3b82e4871ba00e9b5d0ede92d396d579d7b3b3" + "url": "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374" }, { - "url": "https://git.kernel.org/stable/c/8cc889b9dea0579726be9520fcc766077890b462" + "url": "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5" }, { - "url": "https://git.kernel.org/stable/c/8398d8d735ee93a04fb9e9f490e8cacd737e3bf5" + "url": "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584" }, { - "url": "https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d(6.8-rc3)" + "url": "https://git.kernel.org/linus/99485c4c026f024e7cb82da84c7951dbe3deb584(6.9-rc3)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26600" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35875" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" @@ -4479,244 +4404,268 @@ "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35875" } } ], - "created": "2024-02-26T16:27:59Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.", + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26600", + "id": "CVE-2024-35875", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35875" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:32:25Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0723" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254053" + "url": "https://git.kernel.org/stable/c/fd244524c2cf07b5f4c3fe8abd6a99225c76544b" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/7d420eaaa18ec8e2bb4eeab8c65c00492ef6f416" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0725" + "url": "https://git.kernel.org/stable/c/2b1b14d9fc94b8feae20808684c8af28ec80f45b" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6535" + "url": "https://git.kernel.org/stable/c/75abfd61392b1db391bde6d738a30d685b843286" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/52982edfcefd475cc34af663d5c47c0cddaa5739" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://git.kernel.org/stable/c/542c8b3c774a480bfd0804291a12f6f2391b0cd1" }, { - "url": "https://lore.kernel.org/linux-nvme/89a927a6-2baf-434a-b1d5-50fb99beca73@grimberg.me/T/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27034" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6535" + "url": "https://git.kernel.org/linus/fd244524c2cf07b5f4c3fe8abd6a99225c76544b(6.9-rc1)" } ], "bom-ref": "vuln-3", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535" - } - }, { "severity": "none", - "score": 0.00144, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27034" } } ], - "created": "2024-02-07T21:15:08Z", - "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover normal cluster write with cp_rwsem\n\nWhen we overwrite compressed cluster w/ normal cluster, we should\nnot unlock cp_rwsem during f2fs_write_raw_pages(), otherwise data\nwill be corrupted if partial blocks were persisted before CP & SPOR,\ndue to cluster metadata wasn't updated atomically.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-6535", + "id": "CVE-2024-27034", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27034" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T15:15:09Z" + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac" + }, + { + "url": "https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee" + }, + { + "url": "https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312" + }, + { + "url": "https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31082" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26992" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee(6.9-rc5)" } ], "bom-ref": "vuln-4", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26992" } } ], - "created": "2023-04-24T06:15:07Z", - "description": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel.", + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/pmu: Disable support for adaptive PEBS\n\nDrop support for virtualizing adaptive PEBS, as KVM's implementation is\narchitecturally broken without an obvious/easy path forward, and because\nexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak\nhost kernel addresses to the guest.\n\nBug #1 is that KVM doesn't account for the upper 32 bits of\nIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g\nfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()\nstores local variables as u8s and truncates the upper bits too, etc.\n\nBug #2 is that, because KVM _always_ sets precise_ip to a non-zero value\nfor PEBS events, perf will _always_ generate an adaptive record, even if\nthe guest requested a basic record. Note, KVM will also enable adaptive\nPEBS in individual *counter*, even if adaptive PEBS isn't exposed to the\nguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,\ni.e. the guest will only ever see Basic records.\n\nBug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper\nbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and\nintel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE\neither. I.e. perf _always_ enables ADAPTIVE counters, regardless of what\nKVM requests.\n\nBug #4 is that adaptive PEBS *might* effectively bypass event filters set\nby the host, as \"Updated Memory Access Info Group\" records information\nthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.\n\nBug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least\nzeros) when entering a vCPU with adaptive PEBS, which allows the guest\nto read host LBRs, i.e. host RIPs/addresses, by enabling \"LBR Entries\"\nrecords.\n\nDisable adaptive PEBS support as an immediate fix due to the severity of\nthe LBR leak in particular, and because fixing all of the bugs will be\nnon-trivial, e.g. not suitable for backporting to stable kernels.\n\nNote! This will break live migration, but trying to make KVM play nice\nwith live migration would be quite complicated, wouldn't be guaranteed to\nwork (i.e. KVM might still kill/confuse the guest), and it's not clear\nthat there are any publicly available VMMs that support adaptive PEBS,\nlet alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't\nsupport PEBS in any capacity.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-31082", + "id": "CVE-2024-26992", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26992" }, - "cwes": [ - 763 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:14:12Z", + "updated": "2024-05-13T08:15:11Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg" + "url": "https://git.kernel.org/stable/c/a16fbb80064634b254520a46395e36b87ca4731e" }, { - "url": "https://lore.kernel.org/all/20240124063702.5642-1-richard@nod.at/" + "url": "https://git.kernel.org/stable/c/1a54aa506b3b2f31496731039e49778f54eee881" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/ad80c34944d7175fa1f5c7a55066020002921a99" }, { - "url": "https://lore.kernel.org/linux-mtd/1433EB7A-FC89-47D6-8F47-23BE41B263B3@illinois.edu/" + "url": "https://git.kernel.org/stable/c/eb48680b0255a9e8a9bdc93d6a55b11c31262e62" + }, + { + "url": "https://git.kernel.org/stable/c/079cba4f4e307c69878226fdf5228c20aa1c969c" + }, + { + "url": "https://git.kernel.org/stable/c/f98364e926626c678fb4b9004b75cacf92ff0662" + }, + { + "url": "https://git.kernel.org/stable/c/74ca3ef68d2f449bc848c0a814cefc487bf755fa" + }, + { + "url": "https://git.kernel.org/stable/c/7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4" + }, + { + "url": "https://git.kernel.org/stable/c/faf0b4c5e00bb680e8e43ac936df24d3f48c8e65" + }, + { + "url": "https://git.kernel.org/linus/f98364e926626c678fb4b9004b75cacf92ff0662(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26898" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25739" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], "bom-ref": "vuln-5", "ratings": [ { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26898" } }, { - "severity": "none", - "score": 0.00043, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\n\nThis patch is against CVE-2023-6270. The description of cve is:\n\n A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n `struct net_device`, and a use-after-free can be triggered by racing\n between the free on the struct and the access through the `skbtxq`\n global queue. This could lead to a denial of service condition or\n potential code execution.\n\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\n\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-25739", + "id": "CVE-2024-26898", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898" }, "cwes": [ - 754 + 416 ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T21:13:34Z" + "updated": "2024-04-29T19:31:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25741" + "url": "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637" }, { - "url": "https://lore.kernel.org/all/CALGdzurBnMztPW1Q8mujfYaopVQ8MkSUXUvnAqJcLGu5ROSU4Q@mail.gmail.com/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27012" + }, + { + "url": "https://git.kernel.org/linus/e79b47a8615d42c68aaeb68971593333667382ed(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], "bom-ref": "vuln-6", @@ -4725,43 +4674,61 @@ "severity": "none", "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27012" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-25741", + "id": "CVE-2024-27012", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27012" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-12T14:20:03Z" + "updated": "2024-05-13T08:15:12Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f" + "url": "https://git.kernel.org/stable/c/43547d8699439a67b78d6bb39015113f7aa360fd" }, { - "url": "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + "url": "https://git.kernel.org/stable/c/5ac337138272d26d6d3d4f71bc5b1a87adf8b24d" }, { - "url": "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39" + "url": "https://git.kernel.org/stable/c/0a30016e892bccabea30af218782c4b6ce0970af" + }, + { + "url": "https://git.kernel.org/stable/c/4ccad39009e7bd8a03d60a97c87b0327ae812880" + }, + { + "url": "https://git.kernel.org/stable/c/85f34d352f4b79afd63dd13634b23dafe6b570f9" + }, + { + "url": "https://git.kernel.org/stable/c/1f60795dcafc97c45984240d442cdc151f825977" + }, + { + "url": "https://git.kernel.org/stable/c/f3315a6edaec12b461031eab8c98c78111a41f95" + }, + { + "url": "https://git.kernel.org/stable/c/7782e5e7047cae6b9255ee727c99fc73d77cf773" + }, + { + "url": "https://git.kernel.org/linus/43547d8699439a67b78d6bb39015113f7aa360fd(6.8)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26595" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27424" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" @@ -4771,1596 +4738,44514 @@ "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27424" } } ], - "created": "2024-02-23T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_busy_delay\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26595", + "id": "CVE-2024-27424", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27424" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T16:14:43Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/20231222162310.6461-1-2045gemini@gmail.com/" + "url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7" + }, + { + "url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0" + }, + { + "url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9" + }, + { + "url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003" + }, + { + "url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb" + }, + { + "url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8" + }, + { + "url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6741-1" + }, + { + "url": "https://git.kernel.org/linus/60c0c230c6f046da536d3df8b39a20b9a9fd6af0(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26581" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24857" + "url": "https://ubuntu.com/security/notices/USN-6743-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" } ], "bom-ref": "vuln-8", "ratings": [ { - "severity": "medium", - "score": 6.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26581" } }, { - "severity": "none", - "score": 0.00045, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "created": "2024-02-20T13:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-24857", + "id": "CVE-2024-26581", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581" }, - "cwes": [ - 190, - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:50Z" + "updated": "2024-04-19T17:41:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/" + "url": "https://git.kernel.org/stable/c/bccebf64701735533c8db37773eeacc6566cc8ec" + }, + { + "url": "https://git.kernel.org/stable/c/31ea574aeca1aa488e18716459bde057217637af" + }, + { + "url": "https://git.kernel.org/stable/c/f2135bbf14949687e96cabb13d8a91ae3deb9069" + }, + { + "url": "https://git.kernel.org/stable/c/0c9302a6da262e6ab6a6c1d30f04a6130ed97376" + }, + { + "url": "https://git.kernel.org/stable/c/ae4360cbd385f0d7a8a86d5723e50448cc6318f3" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/" + "url": "https://git.kernel.org/stable/c/6f2496366426cec18ba53f1c7f6c3ac307ca6a95" }, { - "url": "https://cwe.mitre.org/data/definitions/776.html" + "url": "https://git.kernel.org/stable/c/664264a5c55bf97a9c571c557d477b75416199be" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-524.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26835" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52426" + "url": "https://git.kernel.org/linus/bccebf64701735533c8db37773eeacc6566cc8ec(6.8-rc6)" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063240" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], "bom-ref": "vuln-9", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426" - } - }, { "severity": "none", - "score": 0.00051, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26835" } } ], - "created": "2024-02-04T20:15:46Z", - "description": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: set dormant flag on hook register failure\n\nWe need to set the dormant flag again if we fail to register\nthe hooks.\n\nDuring memory pressure hook registration can fail and we end up\nwith a table marked as active but no registered hooks.\n\nOn table/base chain deletion, nf_tables will attempt to unregister\nthe hook again which yields a warn splat from the nftables core.", "affects": [ { - "ref": "comp-62" + "ref": "comp-24" } ], - "id": "CVE-2023-52426", + "id": "CVE-2024-26835", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26835" }, - "cwes": [ - 776 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:27:48Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24859" + "url": "https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759" }, { - "url": "https://lore.kernel.org/all/20231222162931.6553-1-2045gemini@gmail.com/" + "url": "https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27057" + }, + { + "url": "https://git.kernel.org/linus/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], "bom-ref": "vuln-10", "ratings": [ { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27057" } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27057", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27057" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76fad1174a0cae6fc857b9f88b261a2e4f07d587" + }, + { + "url": "https://git.kernel.org/stable/c/eb39bb548bf974acad7bd6780fe11f9e6652d696" + }, + { + "url": "https://git.kernel.org/stable/c/281280276b70c822f55ce15b661f6d1d3228aaa9" + }, + { + "url": "https://git.kernel.org/stable/c/5ffab99e070b9f8ae0cf60c3c3602b84eee818dd" + }, + { + "url": "https://git.kernel.org/stable/c/54b79d8786964e2f840e8a2ec4a9f9a50f3d4954" + }, + { + "url": "https://git.kernel.org/stable/c/85720b69aef177318f4a18efbcc4302228a340e5" + }, + { + "url": "https://git.kernel.org/stable/c/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f" + }, + { + "url": "https://git.kernel.org/stable/c/88c18fd06608b3adee547102505d715f21075c9d" + }, + { + "url": "https://git.kernel.org/linus/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f(6.8-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26779" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-11", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26779" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix race condition on enabling fast-xmit\n\nfast-xmit must only be enabled after the sta has been uploaded to the driver,\notherwise it could end up passing the not-yet-uploaded sta via drv_tx calls\nto the driver, leading to potential crashes because of uninitialized drv_priv\ndata.\nAdd a missing sta->uploaded check and re-check fast xmit after inserting a sta.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26779", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26779" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551" + }, + { + "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" + }, + { + "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902" + }, + { + "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06" + }, + { + "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71" + }, + { + "url": "https://git.kernel.org/linus/910c57dfa4d113aae6571c2a8b9ae8c430975902(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35804" + } + ], + "bom-ref": "vuln-12", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35804" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35804", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35804" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1" + }, + { + "url": "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84" + }, + { + "url": "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee" + }, + { + "url": "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c" + }, + { + "url": "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7" + }, + { + "url": "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320" + }, + { + "url": "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889" + }, + { + "url": "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26935" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f23a4d6e07570826fe95023ca1aa96a011fa9f84(6.9-rc2)" + } + ], + "bom-ref": "vuln-13", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26935" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26935", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26935" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa" + }, + { + "url": "https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52625" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa(6.8-rc1)" + } + ], + "bom-ref": "vuln-14", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52625" + } + } + ], + "created": "2024-03-26T18:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works simialr to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52625", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52625" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1" + }, + { + "url": "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f" + }, + { + "url": "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d" + }, + { + "url": "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35861" + }, + { + "url": "https://git.kernel.org/linus/e0e50401cc3921c9eaf1b0e667db174519ea939f(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-15", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35861" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35861", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35861" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1b2b26595bb09febf14c5444c873ac4ec90a5a77" + }, + { + "url": "https://git.kernel.org/stable/c/fff05b2b004d9a8a2416d08647f3dc9068e357c8" + }, + { + "url": "https://git.kernel.org/stable/c/8af60bb2b215f478b886f1d6d302fefa7f0b917d" + }, + { + "url": "https://git.kernel.org/stable/c/219eee9c0d16f1b754a8b85275854ab17df0850a" + }, + { + "url": "https://git.kernel.org/linus/219eee9c0d16f1b754a8b85275854ab17df0850a(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35941" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-16", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35941" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: add overflow debug check to pull/push helpers\n\nsyzbot managed to trigger following splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50\nRead of size 1 at addr ffff888208a4000e by task a.out/2313\n[..]\n __skb_flow_dissect+0x4a3b/0x5e50\n __skb_get_hash+0xb4/0x400\n ip_tunnel_xmit+0x77e/0x26f0\n ipip_tunnel_xmit+0x298/0x410\n ..\n\nAnalysis shows that the skb has a valid ->head, but bogus ->data\npointer.\n\nskb->data gets its bogus value via the neigh layer, which does:\n\n1556 __skb_pull(skb, skb_network_offset(skb));\n\n... and the skb was already dodgy at this point:\n\nskb_network_offset(skb) returns a negative value due to an\nearlier overflow of skb->network_header (u16). __skb_pull thus\n\"adjusts\" skb->data by a huge offset, pointing outside skb->head\narea.\n\nAllow debug builds to splat when we try to pull/push more than\nINT_MAX bytes.\n\nAfter this, the syzkaller reproducer yields a more precise splat\nbefore the flow dissector attempts to read off skb->data memory:\n\nWARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400\n ip_finish_output2+0xb25/0xed0\n iptunnel_xmit+0x4ff/0x870\n ipgre_xmit+0x78e/0xbb0", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35941", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35941" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/82ae47c5c3a6b27fdc0f9e83c1499cb439c56140" + }, + { + "url": "https://git.kernel.org/stable/c/b74aa9ce13d02b7fd37c5325b99854f91b9b4276" + }, + { + "url": "https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668" + }, + { + "url": "https://git.kernel.org/stable/c/1279f9d9dec2d7462823a18c29ad61359e0a007d" + }, + { + "url": "https://git.kernel.org/stable/c/e0e09186d8821ad59806115d347ea32efa43ca4b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26676" + }, + { + "url": "https://git.kernel.org/linus/1279f9d9dec2d7462823a18c29ad61359e0a007d(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-17", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26676" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.\n\nsyzbot reported a warning [0] in __unix_gc() with a repro, which\ncreates a socketpair and sends one socket's fd to itself using the\npeer.\n\n socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0\n sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=\"\\360\", iov_len=1}],\n msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,\n cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],\n msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1\n\nThis forms a self-cyclic reference that GC should finally untangle\nbut does not due to lack of MSG_OOB handling, resulting in memory\nleak.\n\nRecently, commit 11498715f266 (\"af_unix: Remove io_uring code for\nGC.\") removed io_uring's dead code in GC and revealed the problem.\n\nThe code was executed at the final stage of GC and unconditionally\nmoved all GC candidates from gc_candidates to gc_inflight_list.\nThat papered over the reported problem by always making the following\nWARN_ON_ONCE(!list_empty(&gc_candidates)) false.\n\nThe problem has been there since commit 2aab4b969002 (\"af_unix: fix\nstruct pid leaks in OOB support\") added full scm support for MSG_OOB\nwhile fixing another bug.\n\nTo fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb\nif the socket still exists in gc_candidates after purging collected skb.\n\nThen, we need to set NULL to oob_skb before calling kfree_skb() because\nit calls last fput() and triggers unix_release_sock(), where we call\nduplicate kfree_skb(u->oob_skb) if not NULL.\n\nNote that the leaked socket remained being linked to a global list, so\nkmemleak also could not detect it. We need to check /proc/net/protocol\nto notice the unfreed socket.\n\n[0]:\nWARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nModules linked in:\nCPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nCode: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8\nRSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e\nRDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30\nRBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66\nR10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000\nR13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n process_one_work+0x889/0x15e0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787\n kthread+0x2c6/0x3b0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26676", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26676" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc" + }, + { + "url": "https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b" + }, + { + "url": "https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3" + }, + { + "url": "https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487" + }, + { + "url": "https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3" + }, + { + "url": "https://git.kernel.org/linus/b8cfb7c819dd39965136a66fe3a7fde688d976fc(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26896" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-18", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26896" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n unreferenced object 0xd73d1180 (size 184):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\n backtrace:\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n [<127bdd74>] __alloc_skb+0x144/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n [<69954f45>] __sys_sendmsg+0x64/0xa8\n unreferenced object 0xce087000 (size 1024):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\n [] kmalloc_reserve.constprop.0+0x30/0x74\n [] __alloc_skb+0xa0/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26896", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26896" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ad10289f68f45649816cc68eb93f45fd5ec48a15" + }, + { + "url": "https://git.kernel.org/stable/c/03ad5ad53e51abf3a4c7538c1bc67a5982b41dc5" + }, + { + "url": "https://git.kernel.org/stable/c/65e8fbde64520001abf1c8d0e573561b4746ef38" + }, + { + "url": "https://git.kernel.org/stable/c/f89bd27709376d37ff883067193320c58a8c1d5a" + }, + { + "url": "https://git.kernel.org/stable/c/69836d9329f0b4c58faaf3d886a7748ddb5bf718" + }, + { + "url": "https://git.kernel.org/stable/c/15a3fc5c8774c17589dabfe1d642d40685c985af" + }, + { + "url": "https://git.kernel.org/stable/c/360a7d1be8112654f1fb328ed3862be630bca3f4" + }, + { + "url": "https://git.kernel.org/stable/c/da7ece2197101b1469853e6b5e915be1e3896d52" + }, + { + "url": "https://git.kernel.org/stable/c/ef02d8edf738557af2865c5bfb66a03c4e071be7" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26880" + }, + { + "url": "https://git.kernel.org/linus/65e8fbde64520001abf1c8d0e573561b4746ef38(6.9-rc1)" + } + ], + "bom-ref": "vuln-19", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26880" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: call the resume method on internal suspend\n\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\n\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\n\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\n\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS: 0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n \n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n\n---[ end trace 0000000000000000 ]---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26880", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26880" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab" + }, + { + "url": "https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b" + }, + { + "url": "https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73" + }, + { + "url": "https://git.kernel.org/linus/16c4770c75b1223998adbeb7286f9a15c65fba73(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35794" + } + ], + "bom-ref": "vuln-20", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35794" + } + } + ], + "created": "2024-05-17T13:15:59Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n dm-raid relies on __md_stop_writes() to frozen sync_thread\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n md_stop_writes(), and since stop_sync_thread() is only used for\n dm-raid in this case, also move stop_sync_thread() to\n md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n it only prevent new sync_thread to start, and it can't stop the\n running sync thread; In order to frozen sync_thread, after seting the\n flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\n look correct. Consider that reentrant stop_sync_thread() do nothing,\n always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n new sync_thread can start unexpected. Fix this by disallow\n raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35794", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35794" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa" + }, + { + "url": "https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2" + }, + { + "url": "https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75" + }, + { + "url": "https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee" + }, + { + "url": "https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d" + }, + { + "url": "https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d" + }, + { + "url": "https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284" + }, + { + "url": "https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26922" + }, + { + "url": "https://git.kernel.org/linus/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-21", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26922" + } + } + ], + "created": "2024-04-23T13:15:46Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26922", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24857" + }, + { + "url": "https://lore.kernel.org/all/20231222162310.6461-1-2045gemini@gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-22", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24857" + } + }, + { + "severity": "medium", + "score": 6.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-24857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + }, + "cwes": [ + 190, + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:06:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367" + }, + { + "url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35" + }, + { + "url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65" + }, + { + "url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6" + }, + { + "url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35826" + }, + { + "url": "https://git.kernel.org/linus/38b43539d64b2fa020b3b9a752a986769f87f7a6(6.9-rc1)" + } + ], + "bom-ref": "vuln-23", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35826" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35826", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35826" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-21823" + } + ], + "bom-ref": "vuln-24", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21823" + } + } + ], + "created": "2024-05-16T21:16:03Z", + "description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-21823", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21823" + }, + "cwes": [ + 1264 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:36:05Z" + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24864" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-25", + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24864" + } + } + ], + "created": "2024-02-05T08:15:45Z", + "description": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-24864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + }, + "cwes": [ + 362, + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:05:22Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3" + }, + { + "url": "https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787" + }, + { + "url": "https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d" + }, + { + "url": "https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60" + }, + { + "url": "https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26750" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-26", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26750" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in GC.\n\nsyzbot reported another task hung in __unix_gc(). [0]\n\nThe current while loop assumes that all of the left candidates\nhave oob_skb and calling kfree_skb(oob_skb) releases the remaining\ncandidates.\n\nHowever, I missed a case that oob_skb has self-referencing fd and\nanother fd and the latter sk is placed before the former in the\ncandidate list. Then, the while loop never proceeds, resulting\nthe task hung.\n\n__unix_gc() has the same loop just before purging the collected skb,\nso we can call kfree_skb(oob_skb) there and let __skb_queue_purge()\nrelease all inflight sockets.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200\nCode: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70\nRSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287\nRAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80\nRDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000\nRBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84\nR10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee\nR13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n __unix_gc+0xe69/0xf40 net/unix/garbage.c:343\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706\n worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787\n kthread+0x2ef/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26750", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26750" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fa3f3ab5c399852d32a0c3cbb8c55882f7e2c61f" + }, + { + "url": "https://git.kernel.org/stable/c/34a164d2448264b62af82bc0af3d2c83d12d38ac" + }, + { + "url": "https://git.kernel.org/stable/c/e799299aafed417cc1f32adccb2a0e5268b3f6d5" + }, + { + "url": "https://git.kernel.org/stable/c/f716a68234242f95305dffb5c9426caa64b316b0" + }, + { + "url": "https://git.kernel.org/stable/c/f84f7709486d8a578ab4b7d2a556d1b1a59cfc97" + }, + { + "url": "https://git.kernel.org/stable/c/d28fa5f0e6c1554e2829f73a6a276c9a49689d04" + }, + { + "url": "https://git.kernel.org/stable/c/84b8486e9cedc93875f251ba31abcf73bd586a3a" + }, + { + "url": "https://git.kernel.org/stable/c/42e71408e2c138be9ccce60920bd6cf094ba1e32" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27426" + }, + { + "url": "https://git.kernel.org/linus/e799299aafed417cc1f32adccb2a0e5268b3f6d5(6.8)" + } + ], + "bom-ref": "vuln-27", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27426" + } + } + ], + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_maximum_tries\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27426", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27426" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b" + }, + { + "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b" + }, + { + "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956" + }, + { + "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6" + }, + { + "url": "https://git.kernel.org/linus/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6(6.8-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26844" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-28", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26844" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26844", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26844" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895" + }, + { + "url": "https://git.kernel.org/stable/c/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c" + }, + { + "url": "https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d" + }, + { + "url": "https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1" + }, + { + "url": "https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81" + }, + { + "url": "https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5228cef2be9" + }, + { + "url": "https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23" + }, + { + "url": "https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26825" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://git.kernel.org/linus/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-29", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26825" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\n\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\n\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26825", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397" + }, + { + "url": "https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4" + }, + { + "url": "https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8" + }, + { + "url": "https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30" + }, + { + "url": "https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd" + }, + { + "url": "https://git.kernel.org/linus/710c69dbaccdac312e32931abcb8499c1525d397(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26769" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-30", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26769" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid deadlock on delete association path\n\nWhen deleting an association the shutdown path is deadlocking because we\ntry to flush the nvmet_wq nested. Avoid this by deadlock by deferring\nthe put work into its own work item.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26769", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26769" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97" + }, + { + "url": "https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c" + }, + { + "url": "https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-31", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52829", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52829" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad" + }, + { + "url": "https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3" + }, + { + "url": "https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588" + }, + { + "url": "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa" + }, + { + "url": "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540" + }, + { + "url": "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb" + }, + { + "url": "https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421" + }, + { + "url": "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27013" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f8bbc07ac535593139c875ffa19af924b1084540(6.9-rc5)" + } + ], + "bom-ref": "vuln-32", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27013" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27013", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27013" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef" + }, + { + "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85" + }, + { + "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4" + }, + { + "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be" + }, + { + "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c" + }, + { + "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26787" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-33", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26787" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26787", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26787" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/all/20231222162931.6553-1-2045gemini@gmail.com/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24859" + } + ], + "bom-ref": "vuln-34", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" + } + }, + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24859" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-24859", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:06:05Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818" + }, + { + "url": "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a" + }, + { + "url": "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96" + }, + { + "url": "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8" + }, + { + "url": "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d" + }, + { + "url": "https://git.kernel.org/linus/de105068fead55ed5c07ade75e9c8e7f86a00d1d(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27435" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-35", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27435" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27435", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27435" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb1cd176e0b431644653a7fa8691a1aaf7be98da" + }, + { + "url": "https://git.kernel.org/stable/c/21162ad2de7446438cbd6224b3794a375bcb24df" + }, + { + "url": "https://git.kernel.org/stable/c/5245a6da27ef79f8dba98dad5542ebe56d311837" + }, + { + "url": "https://git.kernel.org/stable/c/e21e1c45e1fe2e31732f40256b49c04e76a17cee" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35923" + }, + { + "url": "https://git.kernel.org/linus/e21e1c45e1fe2e31732f40256b49c04e76a17cee(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-36", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35923" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: clear opcode specific data for an early failure\n\nIf failure happens before the opcode prep handler is called, ensure that\nwe clear the opcode specific area of the request, which holds data\nspecific to that request type. This prevents errors where opcode\nhandlers either don't get to clear per-request private data since prep\nisn't even called.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35923", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35923" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/562b7245131f6e9f1d280c8b5a8750f03edfc05c" + }, + { + "url": "https://git.kernel.org/stable/c/c760089aa98289b4b88a7ff5a62dd92845adf223" + }, + { + "url": "https://git.kernel.org/stable/c/cf4bc359b76144a3dd55d7c09464ef4c5f2b2b05" + }, + { + "url": "https://git.kernel.org/stable/c/65acf6e0501ac8880a4f73980d01b5d27648b956" + }, + { + "url": "https://git.kernel.org/stable/c/97dab36e57c64106e1c8ebd66cbf0d2d1e52d6b7" + }, + { + "url": "https://git.kernel.org/stable/c/89242d9584c342cb83311b598d9e6b82572eadf8" + }, + { + "url": "https://git.kernel.org/linus/65acf6e0501ac8880a4f73980d01b5d27648b956(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35962" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-37", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35962" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: complete validation of user input\n\nIn my recent commit, I missed that do_replace() handlers\nuse copy_from_sockptr() (which I fixed), followed\nby unsafe copy_from_sockptr_offset() calls.\n\nIn all functions, we can perform the @optlen validation\nbefore even calling xt_alloc_table_info() with the following\ncheck:\n\nif ((u64)optlen < (u64)tmp.size + sizeof(tmp))\n return -EINVAL;", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35962", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35962" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d7d7c6cdea875be3b241d7d39873bb431db7154d" + }, + { + "url": "https://git.kernel.org/stable/c/9adec248bba33b1503252caf8e59d81febfc5ceb" + }, + { + "url": "https://git.kernel.org/stable/c/9c68ece8b2a5c5ff9b2fcaea923dd73efeb174cd" + }, + { + "url": "https://git.kernel.org/stable/c/97cd43ba824aec764f5ea2790d0c0a318f885167" + }, + { + "url": "https://git.kernel.org/stable/c/0b61a7dc6712b78799b3949997e8a5e94db5c4b0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35818" + }, + { + "url": "https://git.kernel.org/linus/9c68ece8b2a5c5ff9b2fcaea923dd73efeb174cd(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-38", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35818" + } + } + ], + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Define the __io_aw() hook as mmiowb()\n\nCommit fb24ea52f78e0d595852e (\"drivers: Remove explicit invocations of\nmmiowb()\") remove all mmiowb() in drivers, but it says:\n\n\"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with\nspin_unlock(). However, pairing each mmiowb() removal in this patch with\nthe corresponding call to spin_unlock() is not at all trivial, so there\nis a small chance that this change may regress any drivers incorrectly\nrelying on mmiowb() to order MMIO writes between CPUs using lock-free\nsynchronisation.\"\n\nThe mmio in radeon_ring_commit() is protected by a mutex rather than a\nspinlock, but in the mutex fastpath it behaves similar to spinlock. We\ncan add mmiowb() calls in the radeon driver but the maintainer says he\ndoesn't like such a workaround, and radeon is not the only example of\nmutex protected mmio.\n\nSo we should extend the mmiowb tracking system from spinlock to mutex,\nand maybe other locking primitives. This is not easy and error prone, so\nwe solve it in the architectural code, by simply defining the __io_aw()\nhook as mmiowb(). And we no longer need to override queued_spin_unlock()\nso use the generic definition.\n\nWithout this, we get such an error when run 'glxgears' on weak ordering\narchitectures such as LoongArch:\n\nradeon 0000:04:00.0: ring 0 stalled for more than 10324msec\nradeon 0000:04:00.0: ring 3 stalled for more than 10240msec\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35818", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35818" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d" + }, + { + "url": "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d" + }, + { + "url": "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27" + }, + { + "url": "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2" + }, + { + "url": "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56" + }, + { + "url": "https://git.kernel.org/linus/6db5dc7b351b9569940cd1cf445e237c42cd6d27(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27015" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-39", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27015" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27015", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27015" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417" + }, + { + "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" + }, + { + "url": "https://git.kernel.org/linus/ad39c08186f8a0f221337985036ba86731d6aafe(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26756" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-40", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26756" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26756", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26756" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce" + }, + { + "url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572" + }, + { + "url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039" + }, + { + "url": "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7" + }, + { + "url": "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9" + }, + { + "url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525" + }, + { + "url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52" + }, + { + "url": "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716" + }, + { + "url": "https://git.kernel.org/linus/fff1386cc889d8fb4089d285f883f8cba62d82ce(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26984" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-41", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26984" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26984", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26984" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb55ba8aa7fb7aad54f40fbf4d8dcdfdba0bebf6" + }, + { + "url": "https://git.kernel.org/stable/c/76cb2aa3421fee4fde706dec41b1344bc0a9ad67" + }, + { + "url": "https://git.kernel.org/stable/c/6ab4fd508fad942f1f1ba940492f2735e078e980" + }, + { + "url": "https://git.kernel.org/stable/c/a9c15d6e8aee074fae66c04d114f20b84274fcca" + }, + { + "url": "https://git.kernel.org/stable/c/196b87e5c00ce021e164a5de0f0d04f4116a9160" + }, + { + "url": "https://git.kernel.org/stable/c/7f2649c94264d00df6b6ac27161e9f4372a3450e" + }, + { + "url": "https://git.kernel.org/stable/c/e016e358461b89b231626fcf78c5c38e35c44fd3" + }, + { + "url": "https://git.kernel.org/stable/c/b493ad718b1f0357394d2cdecbf00a44a36fa085" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52583" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/b493ad718b1f0357394d2cdecbf00a44a36fa085(6.8-rc1)" + } + ], + "bom-ref": "vuln-42", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52583" + } + } + ], + "created": "2024-03-06T07:15:06Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix deadlock or deadcode of misusing dget()\n\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\n\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52583", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52583" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9683cb6c2c6c0f45537bf0b8868b5d38fcb63fc7" + }, + { + "url": "https://git.kernel.org/stable/c/df257c435e51651c43b86326d112ddadda76350e" + }, + { + "url": "https://git.kernel.org/stable/c/4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139" + }, + { + "url": "https://git.kernel.org/stable/c/4d37f12707ee965d338028732575f0b85f6d9e4f" + }, + { + "url": "https://git.kernel.org/stable/c/2531f907d3e40a6173090f10670ae76d117ab27b" + }, + { + "url": "https://git.kernel.org/stable/c/3443e57654f90c9a843ab6a6040c10709fd033aa" + }, + { + "url": "https://git.kernel.org/stable/c/640dbf688ba955e83e03de84fbdda8e570b7cce4" + }, + { + "url": "https://git.kernel.org/stable/c/fcf32a5bfcb8a57ac0ce717fcfa4d688c91f1005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27065" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139(6.9-rc1)" + } + ], + "bom-ref": "vuln-43", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27065" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not compare internal table flags on updates\n\nRestore skipping transaction if table update does not modify flags.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27065", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27065" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2000016bab499074e6248ea85aeea7dd762355d9" + }, + { + "url": "https://git.kernel.org/stable/c/67b8bcbaed4777871bb0dcc888fb02a614a98ab1" + }, + { + "url": "https://git.kernel.org/stable/c/120f7fa2008e3bd8b7680b4ab5df942decf60fd5" + }, + { + "url": "https://git.kernel.org/stable/c/a6efe6dbaaf504f5b3f8a5c3f711fe54e7dda0ba" + }, + { + "url": "https://git.kernel.org/stable/c/9c9c68d64fd3284f7097ed6ae057c8441f39fcd3" + }, + { + "url": "https://git.kernel.org/stable/c/2e1480538ef60bfee5473dfe02b1ecbaf1a4aa0d" + }, + { + "url": "https://git.kernel.org/stable/c/364a66be2abdcd4fd426ffa44d9b8f40aafb3caa" + }, + { + "url": "https://git.kernel.org/stable/c/5278c3eb6bf5896417572b52adb6be9d26e92f65" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/67b8bcbaed4777871bb0dcc888fb02a614a98ab1(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26697" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-44", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26697" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix data corruption in dsync block recovery for small block sizes\n\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache. In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\n\nFix these issues by correcting this byte offset calculation on the page.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26697", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26697" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6e2276203ac9ff10fc76917ec9813c660f627369" + }, + { + "url": "https://git.kernel.org/stable/c/c432094aa7c9970f2fa10d2305d550d3810657ce" + }, + { + "url": "https://git.kernel.org/stable/c/9d508c897153ae8dd79303f7f035f078139f6b49" + }, + { + "url": "https://git.kernel.org/stable/c/f2a5e30d1e9a629de6179fa23923a318d5feb29e" + }, + { + "url": "https://git.kernel.org/stable/c/4fe4e5adc7d29d214c59b59f61db73dec505ca3d" + }, + { + "url": "https://git.kernel.org/stable/c/7b24760f3a3c7ae1a176d343136b6c25174b7b27" + }, + { + "url": "https://git.kernel.org/linus/6e2276203ac9ff10fc76917ec9813c660f627369(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26771" + } + ], + "bom-ref": "vuln-45", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26771" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Add some null pointer checks to the edma_probe\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26771", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26771" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/50173882bb187e70e37bac01385b9b114019bee2" + }, + { + "url": "https://git.kernel.org/stable/c/b2186061d6043d6345a97100460363e990af0d46" + }, + { + "url": "https://git.kernel.org/linus/b2186061d6043d6345a97100460363e990af0d46(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35963" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-46", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35963" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35963", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35963" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3" + }, + { + "url": "https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d" + }, + { + "url": "https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be" + }, + { + "url": "https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480" + }, + { + "url": "https://git.kernel.org/linus/d3a9331a6591e9df64791e076f6591f440af51c3(6.9-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27400" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-47", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27400" + } + } + ], + "created": "2024-05-14T15:12:29Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27400", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27400" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24" + }, + { + "url": "https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3" + }, + { + "url": "https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6" + }, + { + "url": "https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714" + }, + { + "url": "https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59" + }, + { + "url": "https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802" + }, + { + "url": "https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35833" + }, + { + "url": "https://git.kernel.org/linus/3aa58cb51318e329d203857f7a191678e60bb714(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-48", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35833" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35833", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35833" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fdf87a0dc26d0550c60edc911cda42f9afec3557" + }, + { + "url": "https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8" + }, + { + "url": "https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e" + }, + { + "url": "https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e413efa8" + }, + { + "url": "https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa" + }, + { + "url": "https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482" + }, + { + "url": "https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48" + }, + { + "url": "https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997" + }, + { + "url": "https://git.kernel.org/linus/fdf87a0dc26d0550c60edc911cda42f9afec3557(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26751" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-49", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26751" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: ep93xx: Add terminator to gpiod_lookup_table\n\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26751", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26751" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03" + }, + { + "url": "https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c" + }, + { + "url": "https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f" + }, + { + "url": "https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7" + }, + { + "url": "https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779" + }, + { + "url": "https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b" + }, + { + "url": "https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c" + }, + { + "url": "https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70" + }, + { + "url": "https://git.kernel.org/linus/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35825" + } + ], + "bom-ref": "vuln-50", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35825" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35825", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35825" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438" + }, + { + "url": "https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060" + }, + { + "url": "https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda" + }, + { + "url": "https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43" + }, + { + "url": "https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec" + }, + { + "url": "https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5" + }, + { + "url": "https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351" + }, + { + "url": "https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27437" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-51", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27437" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag. This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27437", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" + }, + { + "url": "https://patchwork.kernel.org/project/linux-raid/patch/20240112071017.16313-1-2045gemini@gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/linux-raid/20240112071017.16313-1-2045gemini@gmail.com/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23307" + } + ], + "bom-ref": "vuln-52", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23307" + } + } + ], + "created": "2024-01-25T07:15:09Z", + "description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-23307", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-31T20:38:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915" + }, + { + "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536" + }, + { + "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852" + }, + { + "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c" + }, + { + "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" + }, + { + "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670" + }, + { + "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef" + }, + { + "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35973" + }, + { + "url": "https://git.kernel.org/linus/d8a6213d70accb403b82924a1c229e733433a5ef(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-53", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35973" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35973", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35973" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a" + }, + { + "url": "https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21" + }, + { + "url": "https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9" + }, + { + "url": "https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2" + }, + { + "url": "https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c" + }, + { + "url": "https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f" + }, + { + "url": "https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26593" + }, + { + "url": "https://git.kernel.org/linus/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-54", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26593" + } + }, + { + "severity": "high", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593" + } + } + ], + "created": "2024-02-23T10:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26593", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-19T17:58:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/440f059837418fac1695b65d3ebc6080d33be877" + }, + { + "url": "https://git.kernel.org/stable/c/ad76fd30557d6a106c481e4606a981221ca525f7" + }, + { + "url": "https://git.kernel.org/stable/c/ff28893c96c5e0927a4da10cd24a3522ca663515" + }, + { + "url": "https://git.kernel.org/stable/c/d346b3e5b25c95d504478507eb867cd3818775ab" + }, + { + "url": "https://git.kernel.org/stable/c/cf114d8d4a8d78df272116a745bb43b48cef65f4" + }, + { + "url": "https://git.kernel.org/stable/c/4b09715f1504f1b6e8dff0e9643630610bc05141" + }, + { + "url": "https://git.kernel.org/stable/c/eb9327af3621d26b1d83f767c97a3fe8191a3a65" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27045" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4b09715f1504f1b6e8dff0e9643630610bc05141(6.9-rc1)" + } + ], + "bom-ref": "vuln-55", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27045" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\n\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27045", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27045" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693" + }, + { + "url": "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc" + }, + { + "url": "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b" + }, + { + "url": "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27014" + }, + { + "url": "https://git.kernel.org/linus/fef965764cf562f28afb997b626fc7c3cec99693(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-56", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27014" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27014", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27014" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2384833" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" + } + ], + "bom-ref": "vuln-57", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "affects": [ + { + "ref": "comp-87" + } + ], + "id": "CVE-2024-2004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T17:15:32Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37" + }, + { + "url": "https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad" + }, + { + "url": "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37" + }, + { + "url": "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86" + }, + { + "url": "https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495" + }, + { + "url": "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270" + }, + { + "url": "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026" + }, + { + "url": "https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27000" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/54c4ec5f8c471b7c1137a1f769648549c423c026(6.9-rc5)" + } + ], + "bom-ref": "vuln-58", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27000" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27000", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27000" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15" + }, + { + "url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27397" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7395dfacfff65e9938ac0889dafa1ab01e987d15(6.8-rc4)" + } + ], + "bom-ref": "vuln-59", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27397" + } + } + ], + "created": "2024-05-14T15:12:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27397", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27397" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04" + }, + { + "url": "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac" + }, + { + "url": "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4" + }, + { + "url": "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d" + }, + { + "url": "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b" + }, + { + "url": "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a" + }, + { + "url": "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26951" + }, + { + "url": "https://git.kernel.org/linus/55b6c738673871c9b0edae05d0c97995c1ff08c4(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-60", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26951" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n echo \"Setting config...\"\n ip link add dev wg0 type wireguard\n wg setconf wg0 /big-config\n (\n while true; do\n echo \"Showing config...\"\n wg showconf wg0 > /dev/null\n done\n ) &\n sleep 4\n wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n Read of size 8 at addr ffff88811956ec70 by task wg/59\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n Call Trace:\n \n dump_stack_lvl+0x47/0x70\n print_address_description.constprop.0+0x2c/0x380\n print_report+0xab/0x250\n kasan_report+0xba/0xf0\n __lock_acquire+0x182a/0x1b20\n lock_acquire+0x191/0x4b0\n down_read+0x80/0x440\n get_peer+0x140/0xcb0\n wg_get_device_dump+0x471/0x1130", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26951", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26951" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe" + }, + { + "url": "https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566" + }, + { + "url": "https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94" + }, + { + "url": "https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f" + }, + { + "url": "https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27" + }, + { + "url": "https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429" + }, + { + "url": "https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d" + }, + { + "url": "https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255" + }, + { + "url": "https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26969" + }, + { + "url": "https://git.kernel.org/linus/1040ef5ed95d6fd2628bad387d78a61633e09429(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-61", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26969" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26969", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26969" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4" + }, + { + "url": "https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34" + }, + { + "url": "https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45" + }, + { + "url": "https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664" + }, + { + "url": "https://git.kernel.org/linus/c3198822c6cb9fb588e446540485669cc81c5d34(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26953" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-62", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26953" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n flags: 0x200000000000000(node=0|zone=2)\n page_type: 0xffffffff()\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n page dumped because: page_pool leak\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x36/0x50\n bad_page+0x70/0xf0\n free_unref_page_prepare+0x27a/0x460\n free_unref_page+0x38/0x120\n esp_ssg_unref.isra.0+0x15f/0x200\n esp_output_tail+0x66d/0x780\n esp_xmit+0x2c5/0x360\n validate_xmit_xfrm+0x313/0x370\n ? validate_xmit_skb+0x1d/0x330\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x23e/0x350\n __dev_queue_xmit+0x337/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x25e/0x580\n iptunnel_xmit+0x19b/0x240\n ip_tunnel_xmit+0x5fb/0xb60\n ipgre_xmit+0x14d/0x280 [ip_gre]\n dev_hard_start_xmit+0xc3/0x1c0\n __dev_queue_xmit+0x208/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x1ca/0x580\n ip_sublist_rcv_finish+0x32/0x40\n ip_sublist_rcv+0x1b2/0x1f0\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\n ip_list_rcv+0x103/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x1b3/0x2c0\n napi_gro_receive+0xc8/0x200\n gro_cell_poll+0x52/0x90\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28e/0x300\n __do_softirq+0xc3/0x276\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1e/0x30\n smpboot_thread_fn+0xa6/0x130\n kthread+0xcd/0x100\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x31/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26953", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26953" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96" + }, + { + "url": "https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5" + }, + { + "url": "https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df" + }, + { + "url": "https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26582" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + } + ], + "bom-ref": "vuln-63", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26582" + } + } + ], + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26582", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-15T13:56:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T12:46:21Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9" + }, + { + "url": "https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643" + }, + { + "url": "https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6" + }, + { + "url": "https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16" + }, + { + "url": "https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3" + }, + { + "url": "https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824" + }, + { + "url": "https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26749" + }, + { + "url": "https://git.kernel.org/linus/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-64", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26749" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()\n\n ...\n cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);\n list_del_init(&priv_req->list);\n ...\n\n'priv_req' actually free at cdns3_gadget_ep_free_request(). But\nlist_del_init() use priv_req->list after it.\n\n[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4\n[ 1542.642868][ T534]\n[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):\n[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4\n[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]\n[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4\n[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8\n[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368\n[ 1542.685478][ T534] ffs_func_disable+0x18/0x28\n\nMove list_del_init() before cdns3_gadget_ep_free_request() to resolve this\nproblem.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26749", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26749" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9" + }, + { + "url": "https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2" + }, + { + "url": "https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a" + }, + { + "url": "https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816" + }, + { + "url": "https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2" + }, + { + "url": "https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36005" + }, + { + "url": "https://git.kernel.org/linus/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-65", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36005" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006] \n[524854.859013] ? __warn+0x9f/0x1a0\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044] ? report_bug+0x1b1/0x1e0\n[524854.859060] ? handle_bug+0x3c/0x70\n[524854.859071] ? exc_invalid_op+0x17/0x40\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461] ? packet_notifier+0xb3/0x360\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661] notifier_call_chain+0x7d/0x140\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-36005", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36005" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9db89b1fb85557892e6681724b367287de5f9f20" + }, + { + "url": "https://git.kernel.org/stable/c/a71f66bd5f7b9b35a8aaa49e29565eca66299399" + }, + { + "url": "https://git.kernel.org/stable/c/8a01335aedc50a66d04dd39203c89f4bc8042596" + }, + { + "url": "https://git.kernel.org/stable/c/03e6d4e948432a61b35783323b6ab2be071d2619" + }, + { + "url": "https://git.kernel.org/stable/c/dbf291d8ffffb70f48286176a15c6c54f0bb0743" + }, + { + "url": "https://git.kernel.org/stable/c/a853450bf4c752e664abab0b2fad395b7ad7701c" + }, + { + "url": "https://git.kernel.org/stable/c/23bc89fdce71124cd2126fc919c7076e7cb489cf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26877" + }, + { + "url": "https://git.kernel.org/linus/a853450bf4c752e664abab0b2fad395b7ad7701c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-66", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26877" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xilinx - call finalize with bh disabled\n\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the following calltrace:\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n Modules linked in: cryptodev(O)\n CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G O 6.8.0-rc1-yocto-standard #323\n Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : crypto_finalize_request+0xa0/0x118\n lr : crypto_finalize_request+0x104/0x118\n sp : ffffffc085353ce0\n x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n Call trace:\n crypto_finalize_request+0xa0/0x118\n crypto_finalize_aead_request+0x18/0x30\n zynqmp_handle_aes_req+0xcc/0x388\n crypto_pump_work+0x168/0x2d8\n kthread_worker_fn+0xfc/0x3a0\n kthread+0x118/0x138\n ret_from_fork+0x10/0x20\n irq event stamp: 40\n hardirqs last enabled at (39): [] _raw_spin_unlock_irqrestore+0x70/0xb0\n hardirqs last disabled at (40): [] el1_dbg+0x28/0x90\n softirqs last enabled at (36): [] kernel_neon_begin+0x8c/0xf0\n softirqs last disabled at (34): [] kernel_neon_begin+0x60/0xf0\n ---[ end trace 0000000000000000 ]---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26877", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26877" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2" + }, + { + "url": "https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29" + }, + { + "url": "https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825" + }, + { + "url": "https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac" + }, + { + "url": "https://git.kernel.org/linus/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35863" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-67", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35863" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35863", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35863" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2" + }, + { + "url": "https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f" + }, + { + "url": "https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de" + }, + { + "url": "https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce" + }, + { + "url": "https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7" + }, + { + "url": "https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2" + }, + { + "url": "https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38" + }, + { + "url": "https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27053" + }, + { + "url": "https://git.kernel.org/linus/205c50306acf58a335eb19fa84e40140f4fe814f(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-68", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27053" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix RCU usage in connect path\n\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\n\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\n\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference a RCU pointer whithout being in RCU\ncritical section.\nFix RCU dereference usage by moving it to a RCU read critical section. To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27053", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27053" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e16a1389b5a7983b45cb2aa20b0e3f0ee364d6c" + }, + { + "url": "https://git.kernel.org/stable/c/3f8217c323fd6ecd6829a0c3ae7ac3f14eac368e" + }, + { + "url": "https://git.kernel.org/stable/c/74ecdda68242b174920fe7c6133a856fb7d8559b" + }, + { + "url": "https://git.kernel.org/stable/c/2037cb9d95f1741885f7daf50e8a028c4ade5317" + }, + { + "url": "https://git.kernel.org/stable/c/8393c80cce45f40c1256d72e21ad351b3650c57e" + }, + { + "url": "https://git.kernel.org/stable/c/fc67a2e18f4c4e3f07e9f9ae463da24530470e73" + }, + { + "url": "https://git.kernel.org/stable/c/70780914cb57e2ba711e0ac1b677aaaa75103603" + }, + { + "url": "https://git.kernel.org/stable/c/3d3898b4d72c677d47fe3cb554449f2df5c12555" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52601" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/74ecdda68242b174920fe7c6133a856fb7d8559b(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-69", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52601" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in dbAdjTree\n\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52601" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/228742b2ddfb99dfd71e5a307e6088ab6836272e" + }, + { + "url": "https://git.kernel.org/stable/c/98a4026b22ff440c7f47056481bcbbe442f607d6" + }, + { + "url": "https://git.kernel.org/stable/c/ea5ddbc11613b55e5128c85f57b08f907abd9b28" + }, + { + "url": "https://git.kernel.org/stable/c/38296afe3c6ee07319e01bb249aa4bb47c07b534" + }, + { + "url": "https://git.kernel.org/stable/c/e38585401d464578d30f5868ff4ca54475c34f7d" + }, + { + "url": "https://git.kernel.org/stable/c/8494ba2c9ea00a54d5b50e69b22c55a8958bce32" + }, + { + "url": "https://git.kernel.org/stable/c/862ee4422c38be5c249844a684b00d0dbe9d1e46" + }, + { + "url": "https://git.kernel.org/stable/c/7e9b622bd0748cc104d66535b76d9b3535f9dc0f" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26696" + }, + { + "url": "https://git.kernel.org/linus/38296afe3c6ee07319e01bb249aa4bb47c07b534(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-70", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26696" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\n\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\n\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio. Thus causing a deadlock.\n\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty. Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed. Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\n\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\n\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26696", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738" + }, + { + "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" + }, + { + "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26767" + }, + { + "url": "https://git.kernel.org/linus/0484e05d048b66d01d1f3c1d2306010bb57d8738(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-71", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26767" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26767", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26767" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/36b32816fbab267611f073223f1b0b816ec5920f" + }, + { + "url": "https://git.kernel.org/stable/c/fe42754b94a42d08cf9501790afc25c4f6a5f631" + }, + { + "url": "https://git.kernel.org/stable/c/af6d6a923b40bf6471e44067ac61cc5814b48e7f" + }, + { + "url": "https://git.kernel.org/stable/c/fd8547ebc187037cc69441a15c1441aeaab80f49" + }, + { + "url": "https://git.kernel.org/stable/c/8292f4f8dd1b005d0688d726261004f816ef730a" + }, + { + "url": "https://git.kernel.org/stable/c/38f17d1fbb5bfb56ca1419e2d06376d57a9396f9" + }, + { + "url": "https://git.kernel.org/linus/fe42754b94a42d08cf9501790afc25c4f6a5f631(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35996" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-72", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35996" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu: Re-enable CPU mitigations by default for !X86 architectures\n\nRename x86's to CPU_MITIGATIONS, define it in generic code, and force it\non for all architectures exception x86. A recent commit to turn\nmitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta\nmissed that \"cpu_mitigations\" is completely generic, whereas\nSPECULATION_MITIGATIONS is x86-specific.\n\nRename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it\nselect CPU_MITIGATIONS, as having two configs for the same thing is\nunnecessary and confusing. This will also allow x86 to use the knob to\nmanage mitigations that aren't strictly related to speculative\nexecution.\n\nUse another Kconfig to communicate to common code that CPU_MITIGATIONS\nis already defined instead of having x86's menu depend on the common\nCPU_MITIGATIONS. This allows keeping a single point of contact for all\nof x86's mitigations, and it's not clear that other architectures *want*\nto allow disabling mitigations at compile-time.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35996", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35996" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209" + }, + { + "url": "https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641" + }, + { + "url": "https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea" + }, + { + "url": "https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7" + }, + { + "url": "https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c" + }, + { + "url": "https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a" + }, + { + "url": "https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35845" + }, + { + "url": "https://git.kernel.org/linus/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-73", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35845" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\n\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35845", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35845" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519" + }, + { + "url": "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887" + }, + { + "url": "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1" + }, + { + "url": "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1" + }, + { + "url": "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049" + }, + { + "url": "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121" + }, + { + "url": "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35854" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/54225988889931467a9b55fdbef534079b665519(6.9-rc6)" + } + ], + "bom-ref": "vuln-74", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35854" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35854", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35854" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b" + }, + { + "url": "https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081" + }, + { + "url": "https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0" + }, + { + "url": "https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc" + }, + { + "url": "https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38" + }, + { + "url": "https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561" + }, + { + "url": "https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c" + }, + { + "url": "https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab" + }, + { + "url": "https://git.kernel.org/linus/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c(6.9-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35947" + } + ], + "bom-ref": "vuln-75", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35947" + } + } + ], + "created": "2024-05-19T12:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009. Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35947", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35947" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-76", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-131" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6" + }, + { + "url": "https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be" + }, + { + "url": "https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2" + }, + { + "url": "https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b" + }, + { + "url": "https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948" + }, + { + "url": "https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35988" + }, + { + "url": "https://git.kernel.org/linus/6065e736f82c817c9a597a31ee67f0ce4628e948(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-77", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35988" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35988", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8f9abaa6d7de0a70fc68acaedce290c1f96e2e59" + }, + { + "url": "https://git.kernel.org/stable/c/0580f4403ad33f379eef865c2a6fe94de37febdf" + }, + { + "url": "https://git.kernel.org/stable/c/42084a428a139f1a429f597d44621e3a18f3e414" + }, + { + "url": "https://git.kernel.org/stable/c/de4f5ed63b8a199704d8cdcbf810309d7eb4b36b" + }, + { + "url": "https://git.kernel.org/stable/c/848e1d7fd710900397e1d0e7584680c1c04e3afd" + }, + { + "url": "https://git.kernel.org/stable/c/beee482cc4c9a6b1dcffb2e190b4fd8782258678" + }, + { + "url": "https://git.kernel.org/stable/c/abd26515d4b767ba48241eea77b28ce0872aef3e" + }, + { + "url": "https://git.kernel.org/stable/c/28b8ba8eebf26f66d9f2df4ba550b6b3b136082c" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52606" + }, + { + "url": "https://git.kernel.org/linus/8f9abaa6d7de0a70fc68acaedce290c1f96e2e59(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-78", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52606" + } + } + ], + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/lib: Validate size for vector operations\n\nSome of the fp/vmx code in sstep.c assume a certain maximum size for the\ninstructions being emulated. The size of those operations however is\ndetermined separately in analyse_instr().\n\nAdd a check to validate the assumption on the maximum size of the\noperations, so as to prevent any unintended kernel stack corruption.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52606", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52606" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/be76ad74a43f90f340f9f479e6b04f02125f6aef" + }, + { + "url": "https://git.kernel.org/stable/c/486a4176bc783df798bce2903824801af8d2c3ae" + }, + { + "url": "https://git.kernel.org/stable/c/dc9ceb90c4b42c6e5c6757df1d6257110433788e" + }, + { + "url": "https://git.kernel.org/stable/c/b37259448bbc70af1d0e52a9dd5559a9c29c9621" + }, + { + "url": "https://git.kernel.org/stable/c/207557e393a135c1b6fe1df7cc0741d2c1789fff" + }, + { + "url": "https://git.kernel.org/stable/c/7219a692ffc00089015ada33b85b334d1a4b6e8e" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26829" + }, + { + "url": "https://git.kernel.org/linus/dc9ceb90c4b42c6e5c6757df1d6257110433788e(6.8-rc5)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-79", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26829" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ir_toy: fix a memleak in irtoy_tx\n\nWhen irtoy_command fails, buf should be freed since it is allocated by\nirtoy_tx, or there is a memleak.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26829", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26829" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918" + }, + { + "url": "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35" + }, + { + "url": "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7" + }, + { + "url": "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26983" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/89f9a1e876b5a7ad884918c03a46831af202c8a0(6.9-rc5)" + } + ], + "bom-ref": "vuln-80", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26983" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] \n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] \n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] ==================================================================", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26983", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26983" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5" + }, + { + "url": "https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c" + }, + { + "url": "https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914" + }, + { + "url": "https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a" + }, + { + "url": "https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5" + }, + { + "url": "https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74" + }, + { + "url": "https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca" + }, + { + "url": "https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26857" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1ca1ba465e55b9460e4e75dec9fff31e708fec74(6.8)" + } + ], + "bom-ref": "vuln-81", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26857" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: make sure to pull inner header in geneve_rx()\n\nsyzbot triggered a bug in geneve_rx() [1]\n\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\n BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n geneve_rx drivers/net/geneve.c:279 [inline]\n geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\n udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\n ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:461 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n process_backlog+0x480/0x8b0 net/core/dev.c:5976\n __napi_poll+0xe3/0x980 net/core/dev.c:6576\n napi_poll net/core/dev.c:6645 [inline]\n net_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553\n do_softirq+0x9a/0xf0 kernel/softirq.c:454\n __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x352/0x790 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1296 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26857" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905" + }, + { + "url": "https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715" + }, + { + "url": "https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b" + }, + { + "url": "https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298" + }, + { + "url": "https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90" + }, + { + "url": "https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11" + }, + { + "url": "https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2" + }, + { + "url": "https://git.kernel.org/linus/24355fcb0d4cbcb6ddda262596558e8cfba70f11(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26897" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-82", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26897" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\n\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\n\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\n\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26897", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26897" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4" + }, + { + "url": "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6" + }, + { + "url": "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069" + }, + { + "url": "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457" + }, + { + "url": "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26989" + }, + { + "url": "https://git.kernel.org/linus/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-83", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26989" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26989", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26989" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc" + }, + { + "url": "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d" + }, + { + "url": "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54" + }, + { + "url": "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772" + }, + { + "url": "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6" + }, + { + "url": "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86" + }, + { + "url": "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6" + }, + { + "url": "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf" + }, + { + "url": "https://git.kernel.org/linus/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35849" + } + ], + "bom-ref": "vuln-84", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35849" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35849", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df" + }, + { + "url": "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26658" + }, + { + "url": "https://git.kernel.org/linus/2acc59dd88d27ad69b66ded80df16c042b04eeec(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-85", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26658" + } + } + ], + "created": "2024-04-02T07:15:42Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26658", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26658" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f" + }, + { + "url": "https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540" + }, + { + "url": "https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b" + }, + { + "url": "https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f" + }, + { + "url": "https://git.kernel.org/linus/be0384bf599cf1eb8d337517feeb732d71f75a6f(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35971" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-86", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35971" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35971", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35971" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/45a0de41ec383c8b7c6d442734ba3852dd2fc4a7" + }, + { + "url": "https://git.kernel.org/stable/c/2c86b24095fcf72cf51bc72d12e4350163b4e11d" + }, + { + "url": "https://git.kernel.org/stable/c/c6e316ac05532febb0c966fa9b55f5258ed037be" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-87", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: Check find_first_bit() return value\n\nWe must check the return value of find_first_bit() before using the\nreturn value as an index array since it happens to overflow the array\nand then panic:\n\n[ 107.318430] Kernel BUG [#1]\n[ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2\n[ 107.319465] Hardware name: riscv-virtio,qemu (DT)\n[ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae\n[ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae\n[ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350\n[ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480\n[ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520\n[ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff\n[ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000\n[ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55\n[ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f\n[ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000\n[ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0\n[ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000\n[ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000\n[ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n[ 107.320081] [] pmu_sbi_ovf_handler+0x3a4/0x3ae\n[ 107.320112] [] handle_percpu_devid_irq+0x9e/0x1a0\n[ 107.320131] [] generic_handle_domain_irq+0x28/0x36\n[ 107.320148] [] riscv_intc_irq+0x36/0x4e\n[ 107.320166] [] handle_riscv_irq+0x54/0x86\n[ 107.320189] [] do_irq+0x64/0x96\n[ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097\n[ 107.320585] ---[ end trace 0000000000000000 ]---\n[ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt\n[ 107.320775] SMP: stopping secondary CPUs\n[ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000\n[ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52797", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52797" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5099871b370335809c0fd1abad74d9c7c205d43f" + }, + { + "url": "https://git.kernel.org/stable/c/16b1025eaa8fc223ab4273ece20d1c3a4211a95d" + }, + { + "url": "https://git.kernel.org/stable/c/65977bed167a92e87085e757fffa5798f7314c9f" + }, + { + "url": "https://git.kernel.org/stable/c/c593d26fb5d577ef31b6e49a31e08ae3ebc1bc1e" + }, + { + "url": "https://git.kernel.org/stable/c/1f12e4b3284d6c863f272eb2de0d4248ed211cf4" + }, + { + "url": "https://git.kernel.org/stable/c/9319b647902cbd5cc884ac08a8a6d54ce111fc78" + }, + { + "url": "https://git.kernel.org/stable/c/ec18ec230301583395576915d274b407743d8f6c" + }, + { + "url": "https://git.kernel.org/stable/c/81e7d2530d458548b90a5c5e76b77ad5e5d1c0df" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26720" + }, + { + "url": "https://git.kernel.org/linus/9319b647902cbd5cc884ac08a8a6d54ce111fc78(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-88", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26720" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\n\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64(). On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\n\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\n\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\n\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26720", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26720" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350" + }, + { + "url": "https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401" + }, + { + "url": "https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767" + }, + { + "url": "https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270" + }, + { + "url": "https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35857" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c58e88d49097bd12dfcfef4f075b43f5d5830941(6.9-rc6)" + } + ], + "bom-ref": "vuln-89", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35857" + } + } + ], + "created": "2024-05-17T15:15:23Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35857" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab" + }, + { + "url": "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e" + }, + { + "url": "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3" + }, + { + "url": "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52" + }, + { + "url": "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc" + }, + { + "url": "https://git.kernel.org/linus/f7442a634ac06b953fc1f7418f307b25acd4cfbc(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35907" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-90", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35907" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35907", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9" + }, + { + "url": "https://lore.kernel.org/all/20240124063702.5642-1-richard@nod.at/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/linux-mtd/1433EB7A-FC89-47D6-8F47-23BE41B263B3@illinois.edu/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25739" + } + ], + "bom-ref": "vuln-91", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25739" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-25739", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-25T01:15:55Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c" + }, + { + "url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe" + }, + { + "url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4" + }, + { + "url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66" + }, + { + "url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e" + }, + { + "url": "https://git.kernel.org/linus/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35827" + } + ], + "bom-ref": "vuln-92", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35827" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\n\nThe \"controllen\" variable is type size_t (unsigned long). Casting it\nto int could lead to an integer underflow.\n\nThe check_add_overflow() function considers the type of the destination\nwhich is type int. If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\n\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\n\nGood: 100 + (unsigned long)-4 = 96 <-- overflow\n Bad: 100 + (int)-4 = 96 <-- no overflow\n\nI deleted the cast of the sizeof() as well. That's not a bug but the\ncast is unnecessary.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35827", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35827" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde" + }, + { + "url": "https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341" + }, + { + "url": "https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8" + }, + { + "url": "https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62" + }, + { + "url": "https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35912" + }, + { + "url": "https://git.kernel.org/linus/06a093807eb7b5c5b29b6cff49f8174a4e702341(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-93", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35912" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35912", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35912" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bdce67df7f12fb0409fbc604ce7c4254703f56d4" + }, + { + "url": "https://git.kernel.org/stable/c/02c6bbfb08bad78dd014e24c7b893723c15ec7a1" + }, + { + "url": "https://git.kernel.org/stable/c/8b13601d19c541158a6e18b278c00ba69ae37829" + }, + { + "url": "https://git.kernel.org/stable/c/7a4d6481fbdd661f9e40e95febb95e3dee82bad3" + }, + { + "url": "https://git.kernel.org/stable/c/856caf2730ea18cb39e95833719c02a02447dc0a" + }, + { + "url": "https://git.kernel.org/stable/c/28a1f492cb527f64593457a0a0f0d809b3f36c25" + }, + { + "url": "https://git.kernel.org/stable/c/6d0822f2cc9b153bf2df49a84599195a2e0d21a8" + }, + { + "url": "https://git.kernel.org/stable/c/6ccf904aac0292e1f6b1a1be6c407c414f7cf713" + }, + { + "url": "https://git.kernel.org/linus/8b13601d19c541158a6e18b278c00ba69ae37829(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52598" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-94", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52598" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ptrace: handle setting of fpc register correctly\n\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\n\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\n\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\n\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52598", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52598" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c3116e62ddeff79cae342147753ce596f01fcf06" + }, + { + "url": "https://git.kernel.org/stable/c/fa18aa507ea71d8914b6acb2c94db311c757c650" + }, + { + "url": "https://git.kernel.org/stable/c/ec09bcab32fc4765e0cc97e1b72cdd067135f37e" + }, + { + "url": "https://git.kernel.org/stable/c/ad999aa18103fa038787b6a8a55020abcf34df1a" + }, + { + "url": "https://git.kernel.org/stable/c/edbdb0d94143db46edd373cc93e433832d29fe19" + }, + { + "url": "https://git.kernel.org/stable/c/ebc5a3bd79e54f98c885c26f0862a27a02c487c5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27054" + }, + { + "url": "https://git.kernel.org/linus/c3116e62ddeff79cae342147753ce596f01fcf06(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-95", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27054" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix double module refcount decrement\n\nOnce the discipline is associated with the device, deleting the device\ntakes care of decrementing the module's refcount. Doing it manually on\nthis error path causes refcount to artificially decrease on each error\nwhile it should just stay the same.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27054", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27054" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b" + }, + { + "url": "https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47" + }, + { + "url": "https://git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de" + }, + { + "url": "https://git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35981" + }, + { + "url": "https://git.kernel.org/linus/059a49aa2e25c58f90b50151f109dd3c4cdb3a47(6.9-rc4)" + } + ], + "bom-ref": "vuln-96", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35981" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Do not send RSS key if it is not supported\n\nThere is a bug when setting the RSS options in virtio_net that can break\nthe whole machine, getting the kernel into an infinite loop.\n\nRunning the following command in any QEMU virtual machine with virtionet\nwill reproduce this problem:\n\n # ethtool -X eth0 hfunc toeplitz\n\nThis is how the problem happens:\n\n1) ethtool_set_rxfh() calls virtnet_set_rxfh()\n\n2) virtnet_set_rxfh() calls virtnet_commit_rss_command()\n\n3) virtnet_commit_rss_command() populates 4 entries for the rss\nscatter-gather\n\n4) Since the command above does not have a key, then the last\nscatter-gatter entry will be zeroed, since rss_key_size == 0.\nsg_buf_size = vi->rss_key_size;\n\n5) This buffer is passed to qemu, but qemu is not happy with a buffer\nwith zero length, and do the following in virtqueue_map_desc() (QEMU\nfunction):\n\n if (!sz) {\n virtio_error(vdev, \"virtio: zero sized buffers are not allowed\");\n\n6) virtio_error() (also QEMU function) set the device as broken\n\n vdev->broken = true;\n\n7) Qemu bails out, and do not repond this crazy kernel.\n\n8) The kernel is waiting for the response to come back (function\nvirtnet_send_command())\n\n9) The kernel is waiting doing the following :\n\n while (!virtqueue_get_buf(vi->cvq, &tmp) &&\n\t !virtqueue_is_broken(vi->cvq))\n\t cpu_relax();\n\n10) None of the following functions above is true, thus, the kernel\nloops here forever. Keeping in mind that virtqueue_is_broken() does\nnot look at the qemu `vdev->broken`, so, it never realizes that the\nvitio is broken at QEMU side.\n\nFix it by not sending RSS commands if the feature is not available in\nthe device.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35981", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35981" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302" + }, + { + "url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26944" + }, + { + "url": "https://git.kernel.org/linus/1ec17ef59168a1a6f1105f5dc517f783839a5302(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-97", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26944" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26944", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26944" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://www.kb.cert.org/vuls/id/488902" + }, + { + "url": "https://xenbits.xen.org/xsa/advisory-453.html" + }, + { + "url": "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace" + }, + { + "url": "https://kb.cert.org/vuls/id/488902" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2525.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2193" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-98", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2193" + } + } + ], + "created": "2024-03-15T18:15:08Z", + "description": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-2193", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2193" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T17:15:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:26:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-22386" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-99", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22386" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + } + } + ], + "created": "2024-02-05T08:15:43Z", + "description": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-22386", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + }, + "cwes": [ + 362, + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:05:26Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1" + }, + { + "url": "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6" + }, + { + "url": "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a" + }, + { + "url": "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc" + }, + { + "url": "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c" + }, + { + "url": "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd" + }, + { + "url": "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df" + }, + { + "url": "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5" + }, + { + "url": "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c" + }, + { + "url": "https://git.kernel.org/linus/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35807" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-100", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35807" + } + } + ], + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/ # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35807", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35807" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4" + }, + { + "url": "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d" + }, + { + "url": "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6" + }, + { + "url": "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178" + }, + { + "url": "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27018" + }, + { + "url": "https://git.kernel.org/linus/751de2012eafa4d46d8081056761fa0e9cc8a178(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-101", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27018" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27018", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27018" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8" + }, + { + "url": "https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003" + }, + { + "url": "https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722" + }, + { + "url": "https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22" + }, + { + "url": "https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401" + }, + { + "url": "https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e" + }, + { + "url": "https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1" + }, + { + "url": "https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35997" + }, + { + "url": "https://git.kernel.org/linus/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-102", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35997" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35997", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/569156e4fa347237f8fa2a7e935d860109c55ac4" + }, + { + "url": "https://git.kernel.org/stable/c/814af6b4e6000e574e74d92197190edf07cc3680" + }, + { + "url": "https://git.kernel.org/stable/c/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26618" + } + ], + "bom-ref": "vuln-103", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26618" + } + } + ], + "created": "2024-03-11T18:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Always exit sme_alloc() early with existing storage\n\nWhen sme_alloc() is called with existing storage and we are not flushing we\nwill always allocate new storage, both leaking the existing storage and\ncorrupting the state. Fix this by separating the checks for flushing and\nfor existing storage as we do for SVE.\n\nCallers that reallocate (eg, due to changing the vector length) should\ncall sme_free() themselves.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26618", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26618" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-12T12:40:13Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2060" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2062" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2562" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2088" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2935" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2936" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2773" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2079" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1683" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1963" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2699" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1962" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1668" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-45288" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2892" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2672" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2671" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1681" + }, + { + "url": "https://kb.cert.org/vuls/id/421644" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2068" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1892" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2049" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2664" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2667" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1897" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2865" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2941" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1679" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1899" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2625" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2668" + } + ], + "bom-ref": "vuln-104", + "references": [ + { + "id": "GHSA-4v7x-pqxf-cx7m", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-4v7x-pqxf-cx7m" + } + } + ], + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45288" + } + } + ], + "created": "2024-04-04T21:15:16Z", + "description": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.", + "affects": [ + { + "ref": "comp-298" + } + ], + "id": "CVE-2023-45288", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45288" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T22:42:57Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-298", + "value": "0.23.0" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701" + }, + { + "url": "https://git.kernel.org/stable/c/e2b54eaf28df0c978626c9736b94f003b523b451" + }, + { + "url": "https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f" + }, + { + "url": "https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26792" + } + ], + "bom-ref": "vuln-105", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26792" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of anonymous device after snapshot creation failure\n\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\n\nThe steps that lead to this:\n\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n and assign it to pending_snapshot->anon_dev;\n\n2) Then we call btrfs_commit_transaction() and end up at\n transaction.c:create_pending_snapshot();\n\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n number stored in pending_snapshot->anon_dev;\n\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n btrfs_lookup_fs_root() returned a root - someone else did a lookup\n of the new root already, which could some task doing backref walking;\n\n5) After that some error happens in the transaction commit path, and at\n ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n that we free again the same anonymous device number, which in the\n meanwhile may have been reallocated somewhere else, because\n pending_snapshot->anon_dev still has the same value as in step 1.\n\nRecently syzbot ran into this and reported the following trace:\n\n ------------[ cut here ]------------\n ida_free called for id=51 which is not allocated.\n WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n Modules linked in:\n CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n Code: 10 42 80 3c 28 (...)\n RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n Call Trace:\n \n btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n btrfs_ioctl+0xa74/0xd40\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:871 [inline]\n __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7fca3e67dda9\n Code: 28 00 00 00 (...)\n RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n \n\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26792", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26792" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda" + }, + { + "url": "https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a" + }, + { + "url": "https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996" + }, + { + "url": "https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2" + }, + { + "url": "https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835" + }, + { + "url": "https://git.kernel.org/linus/d877550eaf2dc9090d782864c96939397a3c6835(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26603" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-040.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + } + ], + "bom-ref": "vuln-106", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26603" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26603", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-17T18:00:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T19:51:00Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7" + }, + { + "url": "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" + }, + { + "url": "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0" + }, + { + "url": "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0" + }, + { + "url": "https://git.kernel.org/linus/85e985a4f46e462a37f1875cb74ed380e7c0c2e0(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26714" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-107", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26714" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26714", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26714" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b9ea86e662035a886ccb5c76d56793cba618827" + }, + { + "url": "https://git.kernel.org/stable/c/af7bbdac89739e2e7380387fda598848d3b7010f" + }, + { + "url": "https://git.kernel.org/stable/c/f6abd5e17da33eba15df2bddc93413e76c2b55f7" + }, + { + "url": "https://git.kernel.org/stable/c/a2c6206f18104fba7f887bf4dbbfe4c41adc4339" + }, + { + "url": "https://git.kernel.org/stable/c/9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41" + }, + { + "url": "https://git.kernel.org/stable/c/95bc866c11974d3e4a9d922275ea8127ff809cf7" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52618" + }, + { + "url": "https://git.kernel.org/linus/9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-108", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52618" + } + } + ], + "created": "2024-03-18T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rnbd-srv: Check for unlikely string overflow\n\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\n\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n 616 | snprintf(full_path, PATH_MAX, \"%s/%s\",\n | ^~\nIn function 'rnbd_srv_get_full_path',\n inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n 616 | snprintf(full_path, PATH_MAX, \"%s/%s\",\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n 617 | dev_search_path, dev_name);\n | ~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52618", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52618" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-109", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-147" + } + ], + "id": "CVE-2023-50387", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7" + }, + { + "url": "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935" + }, + { + "url": "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26648" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7073934f5d73f8b53308963cee36f0d389ea857c(6.8-rc1)" + } + ], + "bom-ref": "vuln-110", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26648" + } + } + ], + "created": "2024-03-26T18:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26648", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91" + }, + { + "url": "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438" + }, + { + "url": "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137" + }, + { + "url": "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792" + }, + { + "url": "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9" + }, + { + "url": "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52" + }, + { + "url": "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662" + }, + { + "url": "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae" + }, + { + "url": "https://git.kernel.org/linus/c26591afd33adce296c022e3480dea4282b7ef91(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35847" + } + ], + "bom-ref": "vuln-111", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35847" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35847", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35847" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b" + }, + { + "url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2" + }, + { + "url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c" + }, + { + "url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144" + }, + { + "url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2" + }, + { + "url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af" + }, + { + "url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26809" + } + ], + "bom-ref": "vuln-112", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26809" + } + } + ], + "created": "2024-04-04T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26809", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26809" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/33f649f1b1cea39ed360e6c12bba4fac83118e6e" + }, + { + "url": "https://git.kernel.org/stable/c/541e79265ea7e339a7c4a462feafe9f8f996e04b" + }, + { + "url": "https://git.kernel.org/stable/c/10c6b90e975358c17856a578419dc449887899c2" + }, + { + "url": "https://git.kernel.org/stable/c/bae67893578d608e35691dcdfa90c4957debf1d3" + }, + { + "url": "https://git.kernel.org/stable/c/b49b022f7dfce85eb77d0d987008fde5c01d7857" + }, + { + "url": "https://git.kernel.org/stable/c/58168005337eabef345a872be3f87d0215ff3b30" + }, + { + "url": "https://git.kernel.org/linus/bae67893578d608e35691dcdfa90c4957debf1d3(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26833" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-113", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26833" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak in dm_sw_fini()\n\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\n\nunreferenced object 0xffff896302b45800 (size 1024):\n comm \"(udev-worker)\", pid 222, jiffies 4294894636\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 6265fd77):\n [] kmalloc_trace+0x29d/0x340\n [] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n [] dm_sw_init+0x15/0x2b0 [amdgpu]\n [] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n [] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n [] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n [] local_pci_probe+0x3e/0x90\n [] pci_device_probe+0xc3/0x230\n [] really_probe+0xe2/0x480\n [] __driver_probe_device+0x78/0x160\n [] driver_probe_device+0x1f/0x90\n [] __driver_attach+0xce/0x1c0\n [] bus_for_each_dev+0x70/0xc0\n [] bus_add_driver+0x112/0x210\n [] driver_register+0x55/0x100\n [] do_one_initcall+0x41/0x300\n\nFix this by freeing dmub_srv after destroying it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26833", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26833" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4133" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4133" + }, + { + "url": "https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15(6.3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-114", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4133" + } + } + ], + "created": "2023-08-03T15:15:33Z", + "description": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-4133", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:15:10Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9eeb8e1231f6450c574c1db979122e171a1813ab" + }, + { + "url": "https://git.kernel.org/stable/c/ced7df8b3c5c4751244cad79011e86cf1f809153" + }, + { + "url": "https://git.kernel.org/stable/c/98f681b0f84cfc3a1d83287b77697679e0398306" + }, + { + "url": "https://git.kernel.org/stable/c/044e220667157fb9d59320341badec59cf45ba48" + }, + { + "url": "https://git.kernel.org/stable/c/d133d67e7e724102d1e53009c4f88afaaf3e167c" + }, + { + "url": "https://git.kernel.org/linus/98f681b0f84cfc3a1d83287b77697679e0398306(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26927" + } + ], + "bom-ref": "vuln-115", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26927" + } + } + ], + "created": "2024-04-28T12:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Add some bounds checking to firmware data\n\nSmatch complains about \"head->full_size - head->header_size\" can\nunderflow. To some extent, we're always going to have to trust the\nfirmware a bit. However, it's easy enough to add a check for negatives,\nand let's add a upper bounds check as well.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26927", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26927" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T12:42:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/12609c76b755dbeb1645c0aacc0f0f4743b2eff3" + }, + { + "url": "https://git.kernel.org/stable/c/2160ad6861c4a21d3fa553d7b2aaec6634a37f8a" + }, + { + "url": "https://git.kernel.org/stable/c/aeca49661fd02fd56fb026768b580ce301b45733" + }, + { + "url": "https://git.kernel.org/stable/c/7d271b798add90c6196539167c019d0817285cf0" + }, + { + "url": "https://git.kernel.org/stable/c/c45e53c27b78afd6c81fc25608003576f27b5735" + }, + { + "url": "https://git.kernel.org/stable/c/0d27056c24efd3d63a03f3edfbcfc4827086b110" + }, + { + "url": "https://git.kernel.org/stable/c/5cd8af02b466e1beeae13e2de3dc58fcc7925e5a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26978" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/0d27056c24efd3d63a03f3edfbcfc4827086b110(6.9-rc1)" + } + ], + "bom-ref": "vuln-116", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26978" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max310x: fix NULL pointer dereference in I2C instantiation\n\nWhen trying to instantiate a max14830 device from userspace:\n\n echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device\n\nwe get the following error:\n\n Unable to handle kernel NULL pointer dereference at virtual address...\n ...\n Call trace:\n max310x_i2c_probe+0x48/0x170 [max310x]\n i2c_device_probe+0x150/0x2a0\n ...\n\nAdd check for validity of devtype to prevent the error, and abort probe\nwith a meaningful error message.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26978", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26978" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a" + }, + { + "url": "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4" + }, + { + "url": "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0" + }, + { + "url": "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770" + }, + { + "url": "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef" + }, + { + "url": "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4" + }, + { + "url": "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35855" + }, + { + "url": "https://git.kernel.org/linus/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-117", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35855" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35855", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35855" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5e3eb862df9f972ab677fb19e0d4b9b1be8db7b5" + }, + { + "url": "https://git.kernel.org/stable/c/59b2626dd8c8a2e13f18054b3530e0c00073d79f" + }, + { + "url": "https://git.kernel.org/stable/c/704edc9252f4988ae1ad7dafa23d0db8d90d7190" + }, + { + "url": "https://git.kernel.org/stable/c/0e45882ca829b26b915162e8e86dbb1095768e9e" + }, + { + "url": "https://git.kernel.org/linus/0e45882ca829b26b915162e8e86dbb1095768e9e(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26939" + } + ], + "bom-ref": "vuln-118", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26939" + } + } + ], + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vma: Fix UAF on destroy against retire race\n\nObject debugging tools were sporadically reporting illegal attempts to\nfree a still active i915 VMA object when parking a GT believed to be idle.\n\n[161.359441] ODEBUG: free active (active state 0) object: ffff88811643b958 object type: i915_active hint: __i915_vma_active+0x0/0x50 [i915]\n[161.360082] WARNING: CPU: 5 PID: 276 at lib/debugobjects.c:514 debug_print_object+0x80/0xb0\n...\n[161.360304] CPU: 5 PID: 276 Comm: kworker/5:2 Not tainted 6.5.0-rc1-CI_DRM_13375-g003f860e5577+ #1\n[161.360314] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n[161.360322] Workqueue: i915-unordered __intel_wakeref_put_work [i915]\n[161.360592] RIP: 0010:debug_print_object+0x80/0xb0\n...\n[161.361347] debug_object_free+0xeb/0x110\n[161.361362] i915_active_fini+0x14/0x130 [i915]\n[161.361866] release_references+0xfe/0x1f0 [i915]\n[161.362543] i915_vma_parked+0x1db/0x380 [i915]\n[161.363129] __gt_park+0x121/0x230 [i915]\n[161.363515] ____intel_wakeref_put_last+0x1f/0x70 [i915]\n\nThat has been tracked down to be happening when another thread is\ndeactivating the VMA inside __active_retire() helper, after the VMA's\nactive counter has been already decremented to 0, but before deactivation\nof the VMA's object is reported to the object debugging tool.\n\nWe could prevent from that race by serializing i915_active_fini() with\n__active_retire() via ref->tree_lock, but that wouldn't stop the VMA from\nbeing used, e.g. from __i915_vma_retire() called at the end of\n__active_retire(), after that VMA has been already freed by a concurrent\ni915_vma_destroy() on return from the i915_active_fini(). Then, we should\nrather fix the issue at the VMA level, not in i915_active.\n\nSince __i915_vma_parked() is called from __gt_park() on last put of the\nGT's wakeref, the issue could be addressed by holding the GT wakeref long\nenough for __active_retire() to complete before that wakeref is released\nand the GT parked.\n\nI believe the issue was introduced by commit d93939730347 (\"drm/i915:\nRemove the vma refcount\") which moved a call to i915_active_fini() from\na dropped i915_vma_release(), called on last put of the removed VMA kref,\nto i915_vma_parked() processing path called on last put of a GT wakeref.\nHowever, its visibility to the object debugging tool was suppressed by a\nbug in i915_active that was fixed two weeks later with commit e92eb246feb9\n(\"drm/i915/active: Fix missing debug object activation\").\n\nA VMA associated with a request doesn't acquire a GT wakeref by itself.\nInstead, it depends on a wakeref held directly by the request's active\nintel_context for a GT associated with its VM, and indirectly on that\nintel_context's engine wakeref if the engine belongs to the same GT as the\nVMA's VM. Those wakerefs are released asynchronously to VMA deactivation.\n\nFix the issue by getting a wakeref for the VMA's GT when activating it,\nand putting that wakeref only after the VMA is deactivated. However,\nexclude global GTT from that processing path, otherwise the GPU never goes\nidle. Since __i915_vma_retire() may be called from atomic contexts, use\nasync variant of wakeref put. Also, to avoid circular locking dependency,\ntake care of acquiring the wakeref before VM mutex when both are needed.\n\nv7: Add inline comments with justifications for:\n - using untracked variants of intel_gt_pm_get/put() (Nirmoy),\n - using async variant of _put(),\n - not getting the wakeref in case of a global GTT,\n - always getting the first wakeref outside vm->mutex.\nv6: Since __i915_vma_active/retire() callbacks are not serialized, storing\n a wakeref tracking handle inside struct i915_vma is not safe, and\n there is no other good place for that. Use untracked variants of\n intel_gt_pm_get/put_async().\nv5: Replace \"tile\" with \"GT\" across commit description (Rodrigo),\n - \n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26939", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26939" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a" + }, + { + "url": "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b" + }, + { + "url": "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03" + }, + { + "url": "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd" + }, + { + "url": "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/edcf9725150e42beeca42d085149f4c88fa97afd(6.8-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26629" + } + ], + "bom-ref": "vuln-119", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26629" + } + } + ], + "created": "2024-03-13T14:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26629", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26629" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-10T15:16:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8" + }, + { + "url": "https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc" + }, + { + "url": "https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041" + }, + { + "url": "https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb" + }, + { + "url": "https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70" + }, + { + "url": "https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35940" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/98bc7e26e14fbb26a6abf97603d59532475e97f8(6.9-rc1)" + } + ], + "bom-ref": "vuln-120", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35940" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35940", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35940" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1" + }, + { + "url": "https://git.kernel.org/stable/c/e6450d5e46a737a008b4885aa223486113bf0ad6" + }, + { + "url": "https://git.kernel.org/stable/c/772a7def9868091da3bcb0d6c6ff9f0c03d7fa8b" + }, + { + "url": "https://git.kernel.org/stable/c/c1362eae861db28b1608b9dc23e49634fe87b63b" + }, + { + "url": "https://git.kernel.org/stable/c/cde76b3af247f615447bcfecf610bb76c3529126" + }, + { + "url": "https://git.kernel.org/stable/c/bf9ec1b24ab4e94345aa1c60811dd329f069c38b" + }, + { + "url": "https://git.kernel.org/stable/c/423b6bdf19bbc5e1f7e7461045099917378f7e71" + }, + { + "url": "https://git.kernel.org/stable/c/cba138f1ef37ec6f961baeab62f312dedc7cf730" + }, + { + "url": "https://git.kernel.org/stable/c/3948abaa4e2be938ccdfc289385a27342fb13d43" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26901" + }, + { + "url": "https://git.kernel.org/linus/3948abaa4e2be938ccdfc289385a27342fb13d43(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-121", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26901" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\n\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\n\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\n\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26901", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901" + }, + "cwes": [ + 908 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:38:34Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f" + }, + { + "url": "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2" + }, + { + "url": "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8" + }, + { + "url": "https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54" + }, + { + "url": "https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9" + }, + { + "url": "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696" + }, + { + "url": "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b" + }, + { + "url": "https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27001" + }, + { + "url": "https://git.kernel.org/linus/d1718530e3f640b7d5f0050e725216eab57a85d8(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-122", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27001" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27001", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27001" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd" + }, + { + "url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3" + }, + { + "url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68" + }, + { + "url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b" + }, + { + "url": "https://git.kernel.org/linus/3773d65ae5154ed7df404b050fd7387a36ab5ef3(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27418" + } + ], + "bom-ref": "vuln-123", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27418" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27418", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27418" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d" + }, + { + "url": "https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52624" + }, + { + "url": "https://git.kernel.org/linus/e5ffd1263dd5b44929c676171802e7b6af483f21(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-124", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52624" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52624", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52624" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d" + }, + { + "url": "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893" + }, + { + "url": "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404" + }, + { + "url": "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26830" + }, + { + "url": "https://git.kernel.org/linus/73d9629e1c8c1982f13688c4d1019c3994647ccc(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-125", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26830" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26830", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26830" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757" + }, + { + "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26758" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1baae052cccd08daf9a9d64c3f959d8cdb689757(6.8-rc6)" + } + ], + "bom-ref": "vuln-126", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26758" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26758", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26758" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ec6bb037e4a35fcbb5cd7bc78242d034ed893fcd" + }, + { + "url": "https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea" + }, + { + "url": "https://git.kernel.org/stable/c/8e25c0ee5665e8a768b8e21445db1f86e9156eb7" + }, + { + "url": "https://git.kernel.org/stable/c/f2e80ac9344aebbff576453d5c0290b332e187ed" + }, + { + "url": "https://git.kernel.org/stable/c/f6d51a91b41704704e395de6839c667b0f810bbf" + }, + { + "url": "https://git.kernel.org/stable/c/746606d37d662c70ae1379fc658ee9c65f06880f" + }, + { + "url": "https://git.kernel.org/stable/c/4ab14eccf5578af1dd5668a5f2d771df27683cab" + }, + { + "url": "https://git.kernel.org/linus/04ae3eb470e52a3c41babe85ff8cee195e4dcbea(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35829" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-127", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35829" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix a memleak in lima_heap_alloc\n\nWhen lima_vm_map_bo fails, the resources need to be deallocated, or\nthere will be memleaks.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35829", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35829" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53" + }, + { + "url": "https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0" + }, + { + "url": "https://git.kernel.org/linus/4f32504a2f85a7b40fe149436881381f48e9c0c0(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26672" + } + ], + "bom-ref": "vuln-128", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26672" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26672", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26672" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282" + }, + { + "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9" + }, + { + "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b" + }, + { + "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f" + }, + { + "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee" + }, + { + "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383" + }, + { + "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26804" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-129", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26804" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned. IOW, we skb->data gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel. The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\n\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\n\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26804", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26804" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417" + }, + { + "url": "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267" + }, + { + "url": "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d" + }, + { + "url": "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9" + }, + { + "url": "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d" + }, + { + "url": "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede" + }, + { + "url": "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26814" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-130", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26814" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26814", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26814" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" + }, + { + "url": "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238" + }, + { + "url": "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5" + }, + { + "url": "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26700" + }, + { + "url": "https://git.kernel.org/linus/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-131", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26700" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26700", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26700" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/127587" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1714.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4038" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1980.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3595" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3550" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3594" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4282" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3591" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-116.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3931" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4008" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3777" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3810" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3556" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3776" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3811" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3932" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4004" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3555" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-24329" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3796" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4203" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1990.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3935" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-500.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-001.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3934" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3936" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1713.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5888-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3780" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5960-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6139-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4032" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6793" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3781" + } + ], + "bom-ref": "vuln-132", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" + } + }, + { + "severity": "none", + "score": 0.001, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-24329" + } + } + ], + "created": "2023-02-17T15:15:12Z", + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "affects": [ + { + "ref": "comp-41" + } + ], + "id": "CVE-2023-24329", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:08:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T14:11:20Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d" + }, + { + "url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76" + }, + { + "url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76" + }, + { + "url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977" + }, + { + "url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e" + }, + { + "url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1" + }, + { + "url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35853" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8ca3f7a7b61393804c46f170743c3b839df13977(6.9-rc6)" + } + ], + "bom-ref": "vuln-133", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35853" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35853", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35853" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d" + }, + { + "url": "https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03" + }, + { + "url": "https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878" + }, + { + "url": "https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52593" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-134", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52593" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52593", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52593" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ee8db6475cb15c8122855f72ad4cfa5375af6a7b" + }, + { + "url": "https://git.kernel.org/stable/c/aaab47f204aaf47838241d57bf8662c8840de60a" + }, + { + "url": "https://git.kernel.org/stable/c/847b68f58c212f0439c5a8101b3841f32caffccd" + }, + { + "url": "https://git.kernel.org/stable/c/50545eb6cd5f7ff852a01fa29b7372524ef948cc" + }, + { + "url": "https://git.kernel.org/stable/c/947c3f3d31ea185ddc8e7f198873f17d36deb24c" + }, + { + "url": "https://git.kernel.org/linus/aaab47f204aaf47838241d57bf8662c8840de60a(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52641" + } + ], + "bom-ref": "vuln-135", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52641" + } + } + ], + "created": "2024-04-03T17:15:47Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()\n\nIt is preferable to exit through the out: label because\ninternal debugging functions are located there.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52641", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52641" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b" + }, + { + "url": "https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69" + }, + { + "url": "https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221" + }, + { + "url": "https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29" + }, + { + "url": "https://git.kernel.org/linus/0cab687205986491302cd2e440ef1d253031c221(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26761" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-136", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26761" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window\n\nThe Linux CXL subsystem is built on the assumption that HPA == SPA.\nThat is, the host physical address (HPA) the HDM decoder registers are\nprogrammed with are system physical addresses (SPA).\n\nDuring HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,\n8.1.3.8) are checked if the memory is enabled and the CXL range is in\na HPA window that is described in a CFMWS structure of the CXL host\nbridge (cxl-3.1, 9.18.1.3).\n\nNow, if the HPA is not an SPA, the CXL range does not match a CFMWS\nwindow and the CXL memory range will be disabled then. The HDM decoder\nstops working which causes system memory being disabled and further a\nsystem hang during HDM decoder initialization, typically when a CXL\nenabled kernel boots.\n\nPrevent a system hang and do not disable the HDM decoder if the\ndecoder's CXL range is not found in a CFMWS window.\n\nNote the change only fixes a hardware hang, but does not implement\nHPA/SPA translation. Support for this can be added in a follow on\npatch series.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26761", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26761" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6" + }, + { + "url": "https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe" + }, + { + "url": "https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985" + }, + { + "url": "https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2" + }, + { + "url": "https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778" + }, + { + "url": "https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae" + }, + { + "url": "https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061" + }, + { + "url": "https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35886" + }, + { + "url": "https://git.kernel.org/linus/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-137", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35886" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35886", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35886" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b" + }, + { + "url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7" + }, + { + "url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72" + }, + { + "url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35868" + }, + { + "url": "https://git.kernel.org/linus/d3da25c5ac84430f89875ca7485a3828150a7e0a(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-138", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35868" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35868" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49f9637aafa6e63ba686c13cb8549bf5e6920402" + }, + { + "url": "https://git.kernel.org/stable/c/e2b77d107b33bb31c8b1f5c4cb8f277b23728f1e" + }, + { + "url": "https://git.kernel.org/stable/c/f423528488e4f9606cef858eceea210bf1163f41" + }, + { + "url": "https://git.kernel.org/stable/c/6996d43b14486f4a6655b10edc541ada1b580b4b" + }, + { + "url": "https://git.kernel.org/stable/c/de6a91aed1e0b1a23e9c11e7d7557f088eeeb017" + }, + { + "url": "https://git.kernel.org/stable/c/3537f92cd22c672db97fae6997481e678ad14641" + }, + { + "url": "https://git.kernel.org/stable/c/5a6660139195f5e2fbbda459eeecb8788f3885fe" + }, + { + "url": "https://git.kernel.org/stable/c/6aa30020879042d46df9f747e4f0a486eea6fe98" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/49f9637aafa6e63ba686c13cb8549bf5e6920402(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52599" + } + ], + "bom-ref": "vuln-139", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52599" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diNewExt\n\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\n\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\n\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52599" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062" + }, + { + "url": "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5" + }, + { + "url": "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face" + }, + { + "url": "https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb" + }, + { + "url": "https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1" + }, + { + "url": "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042" + }, + { + "url": "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e" + }, + { + "url": "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04" + }, + { + "url": "https://git.kernel.org/linus/cf92bb778eda7830e79452c6917efa8474a30c1e(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27008" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-140", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27008" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27008", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27008" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396" + }, + { + "url": "https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c" + }, + { + "url": "https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-141", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variable of different types. Change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add a int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52857" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc" + }, + { + "url": "https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10" + }, + { + "url": "https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2" + }, + { + "url": "https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505" + }, + { + "url": "https://git.kernel.org/linus/b76b46902c2d0395488c8412e1116c2486cdfcb2(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36000" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-142", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36000" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether. Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-36000", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36000" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9" + }, + { + "url": "https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123" + }, + { + "url": "https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9" + }, + { + "url": "https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4" + }, + { + "url": "https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995" + }, + { + "url": "https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea" + }, + { + "url": "https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26900" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/6cf350658736681b9d6b0b6e58c5c76b235bb4c4(6.9-rc1)" + } + ], + "bom-ref": "vuln-143", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26900" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26900", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900" + }, + "cwes": [ + 401 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500" + }, + { + "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6" + }, + { + "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d" + }, + { + "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae" + }, + { + "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56" + }, + { + "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79" + }, + { + "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243" + }, + { + "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26752" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79(6.8-rc6)" + } + ], + "bom-ref": "vuln-144", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26752" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26752", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c4a09fdac625e64abe478dcf88bfa20406616928" + }, + { + "url": "https://git.kernel.org/stable/c/f3e4963566f58726d3265a727116a42b591f6596" + }, + { + "url": "https://git.kernel.org/stable/c/d31c8721e816eff5ca6573cc487754f357c093cd" + }, + { + "url": "https://git.kernel.org/stable/c/2c3bdba00283a6c7a5b19481a59a730f46063803" + }, + { + "url": "https://git.kernel.org/stable/c/5bc09b397cbf1221f8a8aacb1152650c9195b02b" + }, + { + "url": "https://git.kernel.org/stable/c/626daab3811b772086aef1bf8eed3ffe6f523eff" + }, + { + "url": "https://git.kernel.org/stable/c/8fa90634ec3e9cc50f42dd605eec60f2d146ced8" + }, + { + "url": "https://git.kernel.org/stable/c/6589f0f72f8edd1fa11adce4eedbd3615f2e78ab" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/5bc09b397cbf1221f8a8aacb1152650c9195b02b(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26685" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-145", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26685" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential bug in end_buffer_async_write\n\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\n\nNilfs2 itself does not use end_buffer_async_write(). But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\n\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent. However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device. This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\n\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\n\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26685", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26685" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662" + }, + { + "url": "https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52634" + }, + { + "url": "https://git.kernel.org/linus/2ce156482a6fef349d2eba98e5070c412d3af662(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-146", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52634" + } + } + ], + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecesarilly\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52634", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52634" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3fc88b246a2fc16014e374040fc15af1d3752535" + }, + { + "url": "https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731" + }, + { + "url": "https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340" + }, + { + "url": "https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e" + }, + { + "url": "https://git.kernel.org/stable/c/c958e86e9cc1b48cac004a6e245154dfba8e163b" + }, + { + "url": "https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a" + }, + { + "url": "https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49" + }, + { + "url": "https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7" + }, + { + "url": "https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245db4db710" + }, + { + "url": "https://git.kernel.org/linus/c958e86e9cc1b48cac004a6e245154dfba8e163b(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26874" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-147", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26874" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip\n\nIt's possible that mtk_crtc->event is NULL in\nmtk_drm_crtc_finish_page_flip().\n\npending_needs_vblank value is set by mtk_crtc->event, but in\nmtk_drm_crtc_atomic_flush(), it's is not guarded by the same\nlock in mtk_drm_finish_page_flip(), thus a race condition happens.\n\nConsider the following case:\n\nCPU1 CPU2\nstep 1:\nmtk_drm_crtc_atomic_begin()\nmtk_crtc->event is not null,\n step 1:\n mtk_drm_crtc_atomic_flush:\n mtk_drm_crtc_update_config(\n !!mtk_crtc->event)\nstep 2:\nmtk_crtc_ddp_irq ->\nmtk_drm_finish_page_flip:\nlock\nmtk_crtc->event set to null,\npending_needs_vblank set to false\nunlock\n pending_needs_vblank set to true,\n\n step 2:\n mtk_crtc_ddp_irq ->\n mtk_drm_finish_page_flip called again,\n pending_needs_vblank is still true\n //null pointer\n\nInstead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more\nefficient to just check if mtk_crtc->event is null before use.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26874", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26874" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92" + }, + { + "url": "https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba" + }, + { + "url": "https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461" + }, + { + "url": "https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52648" + }, + { + "url": "https://git.kernel.org/linus/27571c64f1855881753e6f33c3186573afbab7ba(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-148", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52648" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n \nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52648", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52648" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e" + }, + { + "url": "https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857" + }, + { + "url": "https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75" + }, + { + "url": "https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6" + }, + { + "url": "https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa" + }, + { + "url": "https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7" + }, + { + "url": "https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90" + }, + { + "url": "https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26763" + }, + { + "url": "https://git.kernel.org/linus/50c70240097ce41fe6bce6478b80478281e4d0f7(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-149", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26763" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt: don't modify the data when using authenticated encryption\n\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\n\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\n\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26763", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26763" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" + }, + { + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" + }, + { + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-150", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ + { + "ref": "comp-33" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-33", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ddbec99f58571301679addbc022256970ca3eac6" + }, + { + "url": "https://git.kernel.org/stable/c/39cc316fb3bc5e7c9dc5eed314fe510d119c6862" + }, + { + "url": "https://git.kernel.org/stable/c/97d2148ea435dff4b4e71817c9032eb321bcd37e" + }, + { + "url": "https://git.kernel.org/stable/c/889ed056eae7fda85b769a9ab33c093379c45428" + }, + { + "url": "https://git.kernel.org/stable/c/1ed222ca7396938eb1ab2d034f1ba0d8b00a7122" + }, + { + "url": "https://git.kernel.org/stable/c/09e5cdbe2cc88c3c758927644a3eb02fac317209" + }, + { + "url": "https://git.kernel.org/stable/c/e3b2bfb8ff1810a537b2aa55ba906a6743ed120c" + }, + { + "url": "https://git.kernel.org/stable/c/a809bbfd0e503351d3051317288a70a4569a4949" + }, + { + "url": "https://git.kernel.org/stable/c/7fb2d4d6bb1c85f7a23aace0ed6c86a95dea792a" + }, + { + "url": "https://git.kernel.org/linus/ddbec99f58571301679addbc022256970ca3eac6(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26863" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-151", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26863" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in hsr_get_node()\n\nKMSAN reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\n\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26863", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26863" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e4cbc857d75d4e22a1f75446e7480b1f305d8d60" + }, + { + "url": "https://git.kernel.org/stable/c/e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af" + }, + { + "url": "https://git.kernel.org/stable/c/edff092a59260bf0b0a2eba219cb3da6372c2f9f" + }, + { + "url": "https://git.kernel.org/stable/c/e4ce01c25ccbea02a09a5291c21749b1fc358e39" + }, + { + "url": "https://git.kernel.org/stable/c/7aa33854477d9c346f5560a1a1fcb3fe7783e2a8" + }, + { + "url": "https://git.kernel.org/stable/c/27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16" + }, + { + "url": "https://git.kernel.org/stable/c/6e2902ecc77e9760a9fc447f56d598383e2372d2" + }, + { + "url": "https://git.kernel.org/stable/c/fd3486a893778770557649fe28afa5e463d4ed07" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6741-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52603" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6740-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6739-1" + } + ], + "bom-ref": "vuln-152", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52603" + } + } + ], + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUBSAN: array-index-out-of-bounds in dtSplitRoot\n\nSyzkaller reported the following issue:\n\noop0: detected capacity change from 0 to 32768\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n \n\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\n\nThe patch is tested via syzbot.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52603", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52603" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ff70e6ff6fc2413caf33410af7462d1f584d927e" + }, + { + "url": "https://git.kernel.org/stable/c/65158edb0a3a8df23197d52cd24287e39eaf95d6" + }, + { + "url": "https://git.kernel.org/stable/c/caa2565a2e13899be31f7b1e069e6465d3e2adb0" + }, + { + "url": "https://git.kernel.org/stable/c/916361685319098f696b798ef1560f69ed96e934" + }, + { + "url": "https://git.kernel.org/stable/c/d855ceb6a5fde668c5431156bc60fae0cc52b764" + }, + { + "url": "https://git.kernel.org/linus/916361685319098f696b798ef1560f69ed96e934(6.8-rc5)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26916" + } + ], + "bom-ref": "vuln-153", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26916" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd: flush any delayed gfxoff on suspend entry\"\n\ncommit ab4750332dbe (\"drm/amdgpu/sdma5.2: add begin/end_use ring\ncallbacks\") caused GFXOFF control to be used more heavily and the\ncodepath that was removed from commit 0dee72639533 (\"drm/amd: flush any\ndelayed gfxoff on suspend entry\") now can be exercised at suspend again.\n\nUsers report that by using GNOME to suspend the lockscreen trigger will\ncause SDMA traffic and the system can deadlock.\n\nThis reverts commit 0dee726395333fea833eaaf838bc80962df886c8.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26916", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26916" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f" + }, + { + "url": "https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e" + }, + { + "url": "https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f" + }, + { + "url": "https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0" + }, + { + "url": "https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be" + }, + { + "url": "https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/6a9d552483d50953320b9d3b57abdee8d436f23f(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52642" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-154", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52642" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: bpf attach/detach requires write permission\n\nNote that bpf attach/detach also requires CAP_NET_ADMIN.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52642", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52642" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a03ed00787b0ce7a83eebabd0fa95ecc4a5cac84" + }, + { + "url": "https://git.kernel.org/stable/c/0cbefc7b5bdad86b18a263d837450cdc9a56f8d7" + }, + { + "url": "https://git.kernel.org/stable/c/9f3e5df38b4528213449e55b80f0316864f2a1c8" + }, + { + "url": "https://git.kernel.org/stable/c/7ae1b0dc12ec407f12f80b49d22c6ad2308e2202" + }, + { + "url": "https://git.kernel.org/stable/c/ba535bce57e71463a86f8b33a0ea88c26e3a6418" + }, + { + "url": "https://git.kernel.org/stable/c/a860aaebacbc908fa06e2642402058f40bfffe10" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26879" + }, + { + "url": "https://git.kernel.org/linus/ba535bce57e71463a86f8b33a0ea88c26e3a6418(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-155", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26879" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: meson: Add missing clocks to axg_clk_regmaps\n\nSome clocks were missing from axg_clk_regmaps, which caused kernel panic\nduring cat /sys/kernel/debug/clk/clk_summary\n\n[ 57.349402] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001fc\n...\n[ 57.430002] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 57.436900] pc : regmap_read+0x1c/0x88\n[ 57.440608] lr : clk_regmap_gate_is_enabled+0x3c/0xb0\n[ 57.445611] sp : ffff800082f1b690\n[ 57.448888] x29: ffff800082f1b690 x28: 0000000000000000 x27: ffff800080eb9a70\n[ 57.455961] x26: 0000000000000007 x25: 0000000000000016 x24: 0000000000000000\n[ 57.463033] x23: ffff800080e8b488 x22: 0000000000000015 x21: ffff00000e7e7000\n[ 57.470106] x20: ffff00000400ec00 x19: 0000000000000000 x18: ffffffffffffffff\n[ 57.477178] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000042a3000\n[ 57.484251] x14: 0000000000000000 x13: ffff0000042a2fec x12: 0000000005f5e100\n[ 57.491323] x11: abcc77118461cefd x10: 0000000000000020 x9 : ffff8000805e4b24\n[ 57.498396] x8 : ffff0000028063c0 x7 : ffff800082f1b710 x6 : ffff800082f1b710\n[ 57.505468] x5 : 00000000ffffffd0 x4 : ffff800082f1b6e0 x3 : 0000000000001000\n[ 57.512541] x2 : ffff800082f1b6e4 x1 : 000000000000012c x0 : 0000000000000000\n[ 57.519615] Call trace:\n[ 57.522030] regmap_read+0x1c/0x88\n[ 57.525393] clk_regmap_gate_is_enabled+0x3c/0xb0\n[ 57.530050] clk_core_is_enabled+0x44/0x120\n[ 57.534190] clk_summary_show_subtree+0x154/0x2f0\n[ 57.538847] clk_summary_show_subtree+0x220/0x2f0\n[ 57.543505] clk_summary_show_subtree+0x220/0x2f0\n[ 57.548162] clk_summary_show_subtree+0x220/0x2f0\n[ 57.552820] clk_summary_show_subtree+0x220/0x2f0\n[ 57.557477] clk_summary_show_subtree+0x220/0x2f0\n[ 57.562135] clk_summary_show_subtree+0x220/0x2f0\n[ 57.566792] clk_summary_show_subtree+0x220/0x2f0\n[ 57.571450] clk_summary_show+0x84/0xb8\n[ 57.575245] seq_read_iter+0x1bc/0x4b8\n[ 57.578954] seq_read+0x8c/0xd0\n[ 57.582059] full_proxy_read+0x68/0xc8\n[ 57.585767] vfs_read+0xb0/0x268\n[ 57.588959] ksys_read+0x70/0x108\n[ 57.592236] __arm64_sys_read+0x24/0x38\n[ 57.596031] invoke_syscall+0x50/0x128\n[ 57.599740] el0_svc_common.constprop.0+0x48/0xf8\n[ 57.604397] do_el0_svc+0x28/0x40\n[ 57.607675] el0_svc+0x34/0xb8\n[ 57.610694] el0t_64_sync_handler+0x13c/0x158\n[ 57.615006] el0t_64_sync+0x190/0x198\n[ 57.618635] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (b941fc00)\n[ 57.624668] ---[ end trace 0000000000000000 ]---\n\n[jbrunet: add missing Fixes tag]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26879", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26879" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270836" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1223307" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2627" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2628" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25743" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-156", + "created": "2024-05-15T18:15:10Z", + "description": "In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-25743", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25743" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-17T22:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458" + }, + { + "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95" + }, + { + "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a" + }, + { + "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26759" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/13ddaf26be324a7f951891ecd9ccd04466d27458(6.8-rc6)" + } + ], + "bom-ref": "vuln-157", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26759" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26759", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26759" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a2ab028151841cd833cb53eb99427e0cc990112d" + }, + { + "url": "https://git.kernel.org/stable/c/0ac219c4c3ab253f3981f346903458d20bacab32" + }, + { + "url": "https://git.kernel.org/stable/c/9a0d18853c280f6a0ee99f91619f2442a17a323a" + }, + { + "url": "https://git.kernel.org/stable/c/7a9d14c63b35f89563c5ecbadf918ad64979712d" + }, + { + "url": "https://git.kernel.org/linus/9a0d18853c280f6a0ee99f91619f2442a17a323a(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26849" + } + ], + "bom-ref": "vuln-158", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26849" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: add nla be16/32 types to minlen array\n\nBUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]\nBUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]\nBUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]\nBUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631\n nla_validate_range_unsigned lib/nlattr.c:222 [inline]\n nla_validate_int_range lib/nlattr.c:336 [inline]\n validate_nla lib/nlattr.c:575 [inline]\n...\n\nThe message in question matches this policy:\n\n [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255),\n\nbut because NLA_BE32 size in minlen array is 0, the validation\ncode will read past the malformed (too small) attribute.\n\nNote: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:\nthose likely should be added too.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26849", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26849" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c6f1ca235f68b22b3e691b2ea87ac285e5946848" + }, + { + "url": "https://git.kernel.org/stable/c/bd97cea7b18a0a553773af806dfbfac27a7c4acb" + }, + { + "url": "https://git.kernel.org/stable/c/635d79aa477f9912e602feb5498bdd51fb9cb824" + }, + { + "url": "https://git.kernel.org/stable/c/b2e4a5266e3d133b4c7f0e43bf40d13ce14fd1aa" + }, + { + "url": "https://git.kernel.org/stable/c/0ae8ad0013978f7471f22bcf45b027393e87f5dc" + }, + { + "url": "https://git.kernel.org/linus/bd97cea7b18a0a553773af806dfbfac27a7c4acb(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26838" + } + ], + "bom-ref": "vuln-159", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26838" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix KASAN issue with tasklet\n\nKASAN testing revealed the following issue assocated with freeing an IRQ.\n\n[50006.466686] Call Trace:\n[50006.466691] \n[50006.489538] dump_stack+0x5c/0x80\n[50006.493475] print_address_description.constprop.6+0x1a/0x150\n[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.511644] kasan_report.cold.11+0x7f/0x118\n[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma]\n[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]\n[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma]\n[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0\n[50006.551096] __do_softirq+0x1d0/0xaf8\n[50006.555396] irq_exit_rcu+0x219/0x260\n[50006.559670] irq_exit+0xa/0x20\n[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690\n[50006.568645] apic_timer_interrupt+0xf/0x20\n[50006.573341] \n\nThe issue is that a tasklet could be pending on another core racing\nthe delete of the irq.\n\nFix by insuring any scheduled tasklet is killed after deleting the\nirq.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26838", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26838" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e" + }, + { + "url": "https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9" + }, + { + "url": "https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e" + }, + { + "url": "https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8" + }, + { + "url": "https://git.kernel.org/linus/e821d50ab5b956ed0effa49faaf29912fd4106d9(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52584" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-160", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52584" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52584", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52584" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d159d6637ccce25f879d662a480541ef4ba3a50" + }, + { + "url": "https://git.kernel.org/stable/c/26d4bac55750d535f1f0b8790dc26daf6089e373" + }, + { + "url": "https://git.kernel.org/stable/c/17ef8efc00b34918b966388b2af0993811895a8c" + }, + { + "url": "https://git.kernel.org/stable/c/7eb06ee5921189812e6b4bfe7b0f1e878be16df7" + }, + { + "url": "https://git.kernel.org/stable/c/a03ede2282ebbd181bd6f5c38cbfcb5765afcd04" + }, + { + "url": "https://git.kernel.org/stable/c/5da9a218340a2bc804dc4327e5804392e24a0b88" + }, + { + "url": "https://git.kernel.org/linus/17ef8efc00b34918b966388b2af0993811895a8c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27390" + } + ], + "bom-ref": "vuln-161", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27390" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: remove one synchronize_net() barrier in ipv6_mc_down()\n\nAs discussed in the past (commit 2d3916f31891 (\"ipv6: fix skb drops\nin igmp6_event_query() and igmp6_event_report()\")) I think the\nsynchronize_net() call in ipv6_mc_down() is not needed.\n\nUnder load, synchronize_net() can last between 200 usec and 5 ms.\n\nKASAN seems to agree as well.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27390", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27390" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d" + }, + { + "url": "https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac" + }, + { + "url": "https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9" + }, + { + "url": "https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150" + }, + { + "url": "https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d" + }, + { + "url": "https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a" + }, + { + "url": "https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211" + }, + { + "url": "https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a" + }, + { + "url": "https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26931" + }, + { + "url": "https://git.kernel.org/linus/a27d4d0e7de305def8a5098a614053be208d1aa1(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-162", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26931" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n ? worker_thread+0x1ce/0x390\n ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull. The failure to flush causes\nupper layer to start modifying scsi_cmnd. When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26931", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26931" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d" + }, + { + "url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40" + }, + { + "url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f" + }, + { + "url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1" + }, + { + "url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88" + }, + { + "url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531" + }, + { + "url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26961" + }, + { + "url": "https://git.kernel.org/linus/e8a1e58345cf40b7b272e08ac7b32328b2543e40(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-163", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26961" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\n [] kmalloc_trace+0x25/0xc0\n [] mac802154_llsec_key_add+0xac9/0xcf0\n [] ieee802154_add_llsec_key+0x5a/0x80\n [] nl802154_add_llsec_key+0x426/0x5b0\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [] genl_rcv_msg+0x531/0x7d0\n [] netlink_rcv_skb+0x169/0x440\n [] genl_rcv+0x28/0x40\n [] netlink_unicast+0x53c/0x820\n [] netlink_sendmsg+0x93b/0xe60\n [] ____sys_sendmsg+0xac5/0xca0\n [] ___sys_sendmsg+0x11d/0x1c0\n [] __sys_sendmsg+0xfa/0x1d0\n [] do_syscall_64+0x45/0xf0\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26961" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c8dc26e31b8b410ad1895e0d314def50c76eed0" + }, + { + "url": "https://git.kernel.org/stable/c/f3f407ccbe84a34de9be3195d22cdd5969f3fd9f" + }, + { + "url": "https://git.kernel.org/stable/c/45c8034db47842b25a3ab6139d71e13b4e67b9b3" + }, + { + "url": "https://git.kernel.org/stable/c/845322a9c06dd1dcf35b6c4e3af89684297c23cc" + }, + { + "url": "https://git.kernel.org/stable/c/2388c36e028fff7f8ffd515681a14c6c2c07fea7" + }, + { + "url": "https://git.kernel.org/stable/c/fa74e4f5d0821829545b9f7034a0e577c205c101" + }, + { + "url": "https://git.kernel.org/linus/45c8034db47842b25a3ab6139d71e13b4e67b9b3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52661" + } + ], + "bom-ref": "vuln-164", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52661" + } + } + ], + "created": "2024-05-17T14:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()\n\nIf clk_get_sys(..., \"pll_d2_out0\") fails, the clk_get_sys() call must be\nundone.\n\nAdd the missing clk_put and a new 'put_pll_d_out0' label in the error\nhandling path, and use it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52661", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52661" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7f7d39fe3d80d6143404940b2413010cf6527029" + }, + { + "url": "https://git.kernel.org/stable/c/1699fb915b9f61794d559b55114c09a390aaf234" + }, + { + "url": "https://git.kernel.org/stable/c/cda9c0d556283e2d4adaa9960b2dc19b16156bae" + }, + { + "url": "https://git.kernel.org/stable/c/a3f22feb2220a945d1c3282e34199e8bcdc5afc4" + }, + { + "url": "https://git.kernel.org/stable/c/d0647c3e81eff62b66d46fd4e475318cb8cb3610" + }, + { + "url": "https://git.kernel.org/linus/cda9c0d556283e2d4adaa9960b2dc19b16156bae(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48669" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-165", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48669" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix potential memleak in papr_get_attr()\n\n`buf` is allocated in papr_get_attr(), and krealloc() of `buf`\ncould fail. We need to free the original `buf` in the case of failure.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2022-48669", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48669" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684" + }, + { + "url": "https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00" + }, + { + "url": "https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed" + }, + { + "url": "https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532" + }, + { + "url": "https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27035" + }, + { + "url": "https://git.kernel.org/linus/8a430dd49e9cb021372b0ad91e60aeef9c6ced00(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-166", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27035" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27035", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27035" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd" + }, + { + "url": "https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8" + }, + { + "url": "https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624" + }, + { + "url": "https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422" + }, + { + "url": "https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35801" + }, + { + "url": "https://git.kernel.org/linus/10e4b5166df9ff7a2d5316138ca668b42d004422(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-167", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35801" + } + } + ], + "created": "2024-05-17T14:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35801", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651" + }, + { + "url": "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42" + }, + { + "url": "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6" + }, + { + "url": "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf" + }, + { + "url": "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5" + }, + { + "url": "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7" + }, + { + "url": "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3" + }, + { + "url": "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26810" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-168", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26810" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl. Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate. For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured. A subsequent patch introduces synchronization for\nthe latter flows.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26810", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26810" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44" + }, + { + "url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd" + }, + { + "url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3" + }, + { + "url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5" + }, + { + "url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4" + }, + { + "url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b" + }, + { + "url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26687" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fa765c4b4aed2d64266b694520ecb025c862c5a9(6.8-rc5)" + } + ], + "bom-ref": "vuln-169", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26687" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26687", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26687" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375" + }, + { + "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086" + }, + { + "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a" + }, + { + "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29" + }, + { + "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e" + }, + { + "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f" + }, + { + "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362" + }, + { + "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26813" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-170", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26813" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path. This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal. This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26813", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-171", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "affects": [ + { + "ref": "comp-131" + } + ], + "id": "CVE-2024-33599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4" + }, + { + "url": "https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd" + }, + { + "url": "https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7" + }, + { + "url": "https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35865" + }, + { + "url": "https://git.kernel.org/linus/22863485a4626ec6ecf297f4cc0aef709bc862e4(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-172", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35865" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35865", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35865" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" + }, + { + "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc" + }, + { + "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26807" + } + ], + "bom-ref": "vuln-173", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26807" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: fix pointer reference in runtime PM hooks\n\ndev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI\ncontroller. Neither embed the other; this lead to memory corruption.\n\nOn a given platform (Mobileye EyeQ5) the memory corruption is hidden\ninside cqspi->f_pdata. Also, this uninitialised memory is used as a\nmutex (ctlr->bus_lock_mutex) by spi_controller_suspend().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26807", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26807" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/099f6a9edbe30b142c1d97fe9a4748601d995675" + }, + { + "url": "https://git.kernel.org/stable/c/ae815e2fdc284ab31651d52460698bd89c0fce22" + }, + { + "url": "https://git.kernel.org/stable/c/3399cc7013e761fee9d6eec795e9b31ab0cbe475" + }, + { + "url": "https://git.kernel.org/stable/c/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6" + }, + { + "url": "https://git.kernel.org/stable/c/31569995fc65007b73a3fff605ec2b3401b435e9" + }, + { + "url": "https://git.kernel.org/stable/c/0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52635" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://git.kernel.org/linus/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6(6.8-rc1)" + } + ], + "bom-ref": "vuln-174", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52635" + } + } + ], + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\n\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\n\nwhile true\ndo\n echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\n\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\n\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\n\n[1]\n...\n..\n-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428\n-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c\n-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428\nkworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227\nvendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532\nvendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428\nxxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428\n\n[2]\n\n 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][ C4] Mem abort info:\n[ 9436.261666][ C4] ESR = 0x96000044\n[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][ C4] SET = 0, FnV = 0\n[ 9436.261673][ C4] EA = 0, S1PTW = 0\n[ 9436.261675][ C4] Data abort info:\n[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044\n[ 9436.261680][ C4] CM = 0, WnR = 1\n[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\n\n[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)\n[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][ C4] sp : ffffffc010023dd0\n[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52635", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52635" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/" + }, + { + "url": "https://www.python.org/dev/security/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6513-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5528" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-317.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2222.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1876.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-40217" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5992" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5531" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5993" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5990" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5991" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6068" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5472" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-319.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5998" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6823" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5996" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5997" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6885" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5994" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5995" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5456" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1816.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6290" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5462" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6793" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5463" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-010.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6513-2" + } + ], + "bom-ref": "vuln-175", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" + } + }, + { + "severity": "none", + "score": 0.00049, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40217" + } + } + ], + "created": "2023-08-25T01:15:09Z", + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "affects": [ + { + "ref": "comp-41" + } + ], + "id": "CVE-2023-40217", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:20:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T14:07:38Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3" + }, + { + "url": "https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002" + }, + { + "url": "https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35951" + }, + { + "url": "https://git.kernel.org/linus/1fc9af813b25e146d3607669247d0f970f5a87c3(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-176", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35951" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35951", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35951" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3fba8eab2cfc7334e0f132d29dfd2552f2f2a579" + }, + { + "url": "https://git.kernel.org/stable/c/1bcdd66d33edb446903132456c948f0b764ef2f9" + }, + { + "url": "https://git.kernel.org/stable/c/8deeefb24786ea7950b37bde4516b286c877db00" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52658" + }, + { + "url": "https://git.kernel.org/linus/8deeefb24786ea7950b37bde4516b286c877db00(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-177", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52658" + } + } + ], + "created": "2024-05-17T12:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"\n\nThis reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b.\nThe revert is required due to the suspicion it is not good for anything\nand cause crash.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52658", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52658" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368" + }, + { + "url": "https://git.kernel.org/stable/c/33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3" + }, + { + "url": "https://git.kernel.org/stable/c/330d22aba17a4d30a56f007d0f51291d7e00862b" + }, + { + "url": "https://git.kernel.org/stable/c/d31b886ed6a5095214062ee4fb55037eb930adb6" + }, + { + "url": "https://git.kernel.org/linus/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26919" + } + ], + "bom-ref": "vuln-178", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26919" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: Fix debugfs directory leak\n\nThe ULPI per-device debugfs root is named after the ulpi device's\nparent, but ulpi_unregister_interface tries to remove a debugfs\ndirectory named after the ulpi device itself. This results in the\ndirectory sticking around and preventing subsequent (deferred) probes\nfrom succeeding. Change the directory name to match the ulpi device.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26919", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26919" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e39a3a14eafcf17f03c037290b78c8f483529028" + }, + { + "url": "https://git.kernel.org/stable/c/424eba06ed405d557077339edb19ce0ebe39e7c7" + }, + { + "url": "https://git.kernel.org/stable/c/07161b2416f740a2cb87faa5566873f401440a61" + }, + { + "url": "https://git.kernel.org/stable/c/8a8b6a24684bc278036c3f159f7b3a31ad89546a" + }, + { + "url": "https://git.kernel.org/stable/c/f546cc19f9b82975238d0ba413adc27714750774" + }, + { + "url": "https://git.kernel.org/stable/c/9c402819620a842cbfe39359a3ddfaac9adc8384" + }, + { + "url": "https://git.kernel.org/stable/c/efba65777f98457773c5b65e3135c6132d3b015f" + }, + { + "url": "https://git.kernel.org/stable/c/6b4a39acafaf0186ed8e97c16e0aa6fca0e52009" + }, + { + "url": "https://git.kernel.org/stable/c/276873ae26c8d75b00747c1dadb9561d6ef20581" + }, + { + "url": "https://git.kernel.org/linus/07161b2416f740a2cb87faa5566873f401440a61(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26651" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-179", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26651" + } + } + ], + "created": "2024-03-27T14:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsr9800: Add check for usbnet_get_endpoints\n\nAdd check for usbnet_get_endpoints() and return the error if it fails\nin order to transfer the error.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26651", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26651" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a" + }, + { + "url": "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744" + }, + { + "url": "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb" + }, + { + "url": "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1" + }, + { + "url": "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a" + }, + { + "url": "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169" + }, + { + "url": "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78" + }, + { + "url": "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731" + }, + { + "url": "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35811" + }, + { + "url": "https://git.kernel.org/linus/0f7352557a35ab7888bc7831411ec8a3cbe20d78(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-180", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35811" + } + } + ], + "created": "2024-05-17T14:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35811", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35811" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290" + }, + { + "url": "https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf" + }, + { + "url": "https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8" + }, + { + "url": "https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf" + }, + { + "url": "https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a" + }, + { + "url": "https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e" + }, + { + "url": "https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c" + }, + { + "url": "https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252" + }, + { + "url": "https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35822" + }, + { + "url": "https://git.kernel.org/linus/2a587a035214fa1b5ef598aea0b81848c5b72e5e(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-181", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35822" + } + } + ], + "created": "2024-05-17T14:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35822", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35822" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/012df10717da02367aaf92c65f9c89db206c15f4" + }, + { + "url": "https://git.kernel.org/stable/c/9e0f0430389be7696396c62f037be4bf72cf93e3" + }, + { + "url": "https://git.kernel.org/stable/c/670548c8db44d76e40e1dfc06812bca36a61e9ae" + }, + { + "url": "https://git.kernel.org/stable/c/558b00a30e05753a62ecc7e05e939ca8f0241148" + }, + { + "url": "https://git.kernel.org/stable/c/4c167af9f6b5ae4a5dbc243d5983c295ccc2e43c" + }, + { + "url": "https://git.kernel.org/linus/9e0f0430389be7696396c62f037be4bf72cf93e3(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27403" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-182", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27403" + } + } + ], + "created": "2024-05-17T12:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: reset dst in route object after setting up flow\n\ndst is transferred to the flow object, route object does not own it\nanymore. Reset dst in route object, otherwise if flow_offload_add()\nfails, error path releases dst twice, leading to a refcount underflow.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27403", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27403" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eabf131cba1db12005a68378305f13b9090a7a6b" + }, + { + "url": "https://git.kernel.org/stable/c/156c226cbbdcf5f3bce7b2408a33b59fab7fae2c" + }, + { + "url": "https://git.kernel.org/stable/c/2295bd846765c766701e666ed2e4b35396be25e6" + }, + { + "url": "https://git.kernel.org/stable/c/0336995512cdab0c65e99e4cdd47c4606debe14e" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2295bd846765c766701e666ed2e4b35396be25e6(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35916" + } + ], + "bom-ref": "vuln-183", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35916" + } + } + ], + "created": "2024-05-19T09:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: Fix NULL pointer dereference in sanitycheck()\n\nIf due to a memory allocation failure mock_chain() returns NULL, it is\npassed to dma_fence_enable_sw_signaling() resulting in NULL pointer\ndereference there.\n\nCall dma_fence_enable_sw_signaling() only if mock_chain() succeeds.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35916", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35916" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/20e21c3c0195d915f33bc7321ee6b362177bf5bf" + }, + { + "url": "https://git.kernel.org/stable/c/338580a7fb9b0930bb38098007e89cc0fc496bf7" + }, + { + "url": "https://git.kernel.org/stable/c/6d35654f03c35c273240d85ec67e3f2c3596c4e0" + }, + { + "url": "https://git.kernel.org/stable/c/55e565c42dce81a4e49c13262d5bc4eb4c2e588a" + }, + { + "url": "https://git.kernel.org/stable/c/74abc2fe09691f3d836d8a54d599ca71f1e4287b" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26860" + }, + { + "url": "https://git.kernel.org/linus/55e565c42dce81a4e49c13262d5bc4eb4c2e588a(6.9-rc1)" + } + ], + "bom-ref": "vuln-184", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26860" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-integrity: fix a memory leak when rechecking the data\n\nMemory for the \"checksums\" pointer will leak if the data is rechecked\nafter checksum failure (because the associated kfree won't happen due\nto 'goto skip_io').\n\nFix this by freeing the checksums memory before recheck, and just use\nthe \"checksum_onstack\" memory for storing checksum during recheck.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26860", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26860" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10" + }, + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1578" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-019.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-36694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1739" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-185", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36694" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" + } + } + ], + "created": "2023-05-21T23:15:08Z", + "description": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2020-36694", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-06-22T15:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T13:16:19Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5" + }, + { + "url": "https://git.kernel.org/stable/c/6e6065dd25b661420fac19c34282b6c626fcd35e" + }, + { + "url": "https://git.kernel.org/stable/c/d9b5e2b7a8196850383c70d099bfd39e81ab6637" + }, + { + "url": "https://git.kernel.org/stable/c/e8530b170e464017203e3b8c6c49af6e916aece1" + }, + { + "url": "https://git.kernel.org/stable/c/d34a5e57632bb5ff825196ddd9a48ca403626dfa" + }, + { + "url": "https://git.kernel.org/stable/c/e56662160fc24d28cb75ac095cc6415ae1bda43e" + }, + { + "url": "https://git.kernel.org/stable/c/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26736" + }, + { + "url": "https://git.kernel.org/linus/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-186", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26736" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Increase buffer size in afs_update_volume_status()\n\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26736", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26736" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5" + }, + { + "url": "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc" + }, + { + "url": "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8" + }, + { + "url": "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3" + }, + { + "url": "https://git.kernel.org/linus/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27002" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-187", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27002" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27002", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27002" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8c91c60858473731bcdaf04fda99fcbcf84420d4" + }, + { + "url": "https://git.kernel.org/stable/c/c6e77aa9dd82bc18a89bf49418f8f7e961cfccc8" + }, + { + "url": "https://git.kernel.org/stable/c/967caa3d37c078e5b95a32094657e6a4cad145f0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35961" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c6e77aa9dd82bc18a89bf49418f8f7e961cfccc8(6.9-rc4)" + } + ], + "bom-ref": "vuln-188", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35961" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Register devlink first under devlink lock\n\nIn case device is having a non fatal FW error during probe, the\ndriver will report the error to user via devlink. This will trigger\na WARN_ON, since mlx5 is calling devlink_register() last.\nIn order to avoid the WARN_ON[1], change mlx5 to invoke devl_register()\nfirst under devlink lock.\n\n[1]\nWARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0\nCPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core]\nRIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0\nCall Trace:\n \n ? __warn+0x79/0x120\n ? devlink_recover_notify.constprop.0+0xb8/0xc0\n ? report_bug+0x17c/0x190\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? devlink_recover_notify.constprop.0+0xb8/0xc0\n devlink_health_report+0x4a/0x1c0\n mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core]\n process_one_work+0x1bb/0x3c0\n ? process_one_work+0x3c0/0x3c0\n worker_thread+0x4d/0x3c0\n ? process_one_work+0x3c0/0x3c0\n kthread+0xc6/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35961" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8e60b99f6b7ccb3badeb512f5eb613ad45904592" + }, + { + "url": "https://git.kernel.org/stable/c/3a1ec89708d2e57e2712f46241282961b1a7a475" + }, + { + "url": "https://git.kernel.org/stable/c/eaa410e05bdf562c90b23cdf2d9327f9c4625e16" + }, + { + "url": "https://git.kernel.org/stable/c/0a0b79ea55de8514e1750884e5fec77f9fdd01ee" + }, + { + "url": "https://git.kernel.org/stable/c/ed8000e1e8e9684ab6c30cf2b526c0cea039929c" + }, + { + "url": "https://git.kernel.org/stable/c/eb6e9dce979c08210ff7249e5e0eceb8991bfcd7" + }, + { + "url": "https://git.kernel.org/stable/c/d29ed08964cec8b9729bc55c7bb23f679d7a18fb" + }, + { + "url": "https://git.kernel.org/stable/c/40cd818fae875c424a8335009db33c7b5a07de3a" + }, + { + "url": "https://git.kernel.org/stable/c/ab896d93fd6a2cd1afeb034c3cc9226cb499209f" + }, + { + "url": "https://git.kernel.org/linus/0a0b79ea55de8514e1750884e5fec77f9fdd01ee(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26875" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-189", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26875" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\n\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\n\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\n\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\n\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\n\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26875", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26875" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6" + }, + { + "url": "https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014" + }, + { + "url": "https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304" + }, + { + "url": "https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2" + }, + { + "url": "https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56" + }, + { + "url": "https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28" + }, + { + "url": "https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55" + }, + { + "url": "https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35813" + }, + { + "url": "https://git.kernel.org/linus/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-190", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35813" + } + } + ], + "created": "2024-05-17T14:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35813", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35813" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVVYSTEVMPYGF6GDSOD44MUXZXAZHOHB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSXNF4RLEFLH35BFUQGYXRRVHHUIVBAE/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-22099" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-191", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22099" + } + } + ], + "created": "2024-01-25T07:15:08Z", + "description": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-22099", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-13T03:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995" + }, + { + "url": "https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df" + }, + { + "url": "https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2" + }, + { + "url": "https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980" + }, + { + "url": "https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d" + }, + { + "url": "https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e" + }, + { + "url": "https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838" + }, + { + "url": "https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9" + }, + { + "url": "https://git.kernel.org/linus/f78c1375339a291cba492a70eaf12ec501d28a8e(6.8-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27410" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-192", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27410" + } + } + ], + "created": "2024-05-17T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject iftype change with mesh ID change\n\nIt's currently possible to change the mesh ID when the\ninterface isn't yet in mesh mode, at the same time as\nchanging it into mesh mode. This leads to an overwrite\nof data in the wdev->u union for the interface type it\ncurrently has, causing cfg80211_change_iface() to do\nwrong things when switching.\n\nWe could probably allow setting an interface to mesh\nwhile setting the mesh ID at the same time by doing a\ndifferent order of operations here, but realistically\nthere's no userspace that's going to do this, so just\ndisallow changes in iftype when setting mesh ID.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27410", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27410" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea" + }, + { + "url": "https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e" + }, + { + "url": "https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949" + }, + { + "url": "https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0" + }, + { + "url": "https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764" + }, + { + "url": "https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055" + }, + { + "url": "https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35950" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/3eadd887dbac1df8f25f701e5d404d1b90fd0fea(6.9-rc4)" + } + ], + "bom-ref": "vuln-193", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35950" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35950", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35950" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d4d1e4b1513d975961de7bb4f75e450a92d65ebf" + }, + { + "url": "https://git.kernel.org/stable/c/5da6d306f315344af1ca2eff4bd9b10b130f0c28" + }, + { + "url": "https://git.kernel.org/stable/c/09a3c1e46142199adcee372a420b024b4fc61051" + }, + { + "url": "https://git.kernel.org/stable/c/7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26745" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-194", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26745" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV\n\nWhen kdump kernel tries to copy dump data over SR-IOV, LPAR panics due\nto NULL pointer exception:\n\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000020847ad4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop\n CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c\n REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)\n MSR: 800000000280b033 CR: 48288244 XER: 00000008\n CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1\n ...\n NIP _find_next_zero_bit+0x24/0x110\n LR bitmap_find_next_zero_area_off+0x5c/0xe0\n Call Trace:\n dev_printk_emit+0x38/0x48 (unreliable)\n iommu_area_alloc+0xc4/0x180\n iommu_range_alloc+0x1e8/0x580\n iommu_alloc+0x60/0x130\n iommu_alloc_coherent+0x158/0x2b0\n dma_iommu_alloc_coherent+0x3c/0x50\n dma_alloc_attrs+0x170/0x1f0\n mlx5_cmd_init+0xc0/0x760 [mlx5_core]\n mlx5_function_setup+0xf0/0x510 [mlx5_core]\n mlx5_init_one+0x84/0x210 [mlx5_core]\n probe_one+0x118/0x2c0 [mlx5_core]\n local_pci_probe+0x68/0x110\n pci_call_probe+0x68/0x200\n pci_device_probe+0xbc/0x1a0\n really_probe+0x104/0x540\n __driver_probe_device+0xb4/0x230\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x130\n driver_attach+0x34/0x50\n bus_add_driver+0x16c/0x300\n driver_register+0xa4/0x1b0\n __pci_register_driver+0x68/0x80\n mlx5_init+0xb8/0x100 [mlx5_core]\n do_one_initcall+0x60/0x300\n do_init_module+0x7c/0x2b0\n\nAt the time of LPAR dump, before kexec hands over control to kdump\nkernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.\nFor the SR-IOV case, default DMA window \"ibm,dma-window\" is removed from\nthe FDT and DDW added, for the device.\n\nNow, kexec hands over control to the kdump kernel.\n\nWhen the kdump kernel initializes, PCI busses are scanned and IOMMU\ngroup/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV\ncase, there is no \"ibm,dma-window\". The original commit: b1fc44eaa9ba,\nfixes the path where memory is pre-mapped (direct mapped) to the DDW.\nWhen TCEs are direct mapped, there is no need to initialize IOMMU\ntables.\n\niommu_table_setparms_lpar() only considers \"ibm,dma-window\" property\nwhen initiallizing IOMMU table. In the scenario where TCEs are\ndynamically allocated for SR-IOV, newly created IOMMU table is not\ninitialized. Later, when the device driver tries to enter TCEs for the\nSR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().\n\nThe fix is to initialize the IOMMU table with DDW property stored in the\nFDT. There are 2 points to remember:\n\n\t1. For the dedicated adapter, kdump kernel would encounter both\n\t default and DDW in FDT. In this case, DDW property is used to\n\t initialize the IOMMU table.\n\n\t2. A DDW could be direct or dynamic mapped. kdump kernel would\n\t initialize IOMMU table and mark the existing DDW as\n\t \"dynamic\". This works fine since, at the time of table\n\t initialization, iommu_table_clear() makes some space in the\n\t DDW, for some predefined number of TCEs which are needed for\n\t kdump to succeed.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26745", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26745" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0dab75b433ed2480d57ae4f8f725186a46223e42" + }, + { + "url": "https://git.kernel.org/stable/c/f341055b10bd8be55c3c995dff5f770b236b8ca9" + }, + { + "url": "https://git.kernel.org/linus/f341055b10bd8be55c3c995dff5f770b236b8ca9(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35906" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-195", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35906" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Send DTBCLK disable message on first commit\n\n[Why]\nPrevious patch to allow DTBCLK disable didn't address boot case. Driver\nthinks DTBCLK is disabled by default, so we don't send disable message to\nPMFW. DTBCLK is then enabled at idle desktop on boot, burning power.\n\n[How]\nSet dtbclk_en to true on boot so that disable message is sent during first\ncommit.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35906", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35906" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4d5e86a56615cc387d21c629f9af8fb0e958d350" + }, + { + "url": "https://git.kernel.org/stable/c/d27c48dc309da72c3b46351a1205d89687272baa" + }, + { + "url": "https://git.kernel.org/stable/c/185fa07000e0a81d54cf8c05414cebff14469a5c" + }, + { + "url": "https://git.kernel.org/stable/c/60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d" + }, + { + "url": "https://git.kernel.org/stable/c/9a624a5f95733bac4648ecadb320ca83aa9c08fd" + }, + { + "url": "https://git.kernel.org/stable/c/cad82f1671e41094acd3b9a60cd27d67a3c64a21" + }, + { + "url": "https://git.kernel.org/linus/4d5e86a56615cc387d21c629f9af8fb0e958d350(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26907" + } + ], + "bom-ref": "vuln-196", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26907" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26907" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\n\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n ? show_regs+0x72/0x90\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? __warn+0x8d/0x160\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? report_bug+0x1bb/0x1d0\n ? handle_bug+0x46/0x90\n ? exc_invalid_op+0x19/0x80\n ? asm_exc_invalid_op+0x1b/0x20\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n ipoib_send+0x2ec/0x770 [ib_ipoib]\n ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n dev_hard_start_xmit+0x8e/0x1e0\n ? validate_xmit_skb_list+0x4d/0x80\n sch_direct_xmit+0x116/0x3a0\n __dev_xmit_skb+0x1fd/0x580\n __dev_queue_xmit+0x284/0x6b0\n ? _raw_spin_unlock_irq+0xe/0x50\n ? __flush_work.isra.0+0x20d/0x370\n ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n neigh_connected_output+0xcd/0x110\n ip_finish_output2+0x179/0x480\n ? __smp_call_single_queue+0x61/0xa0\n __ip_finish_output+0xc3/0x190\n ip_finish_output+0x2e/0xf0\n ip_output+0x78/0x110\n ? __pfx_ip_finish_output+0x10/0x10\n ip_local_out+0x64/0x70\n __ip_queue_xmit+0x18a/0x460\n ip_queue_xmit+0x15/0x30\n __tcp_transmit_skb+0x914/0x9c0\n tcp_write_xmit+0x334/0x8d0\n tcp_push_one+0x3c/0x60\n tcp_sendmsg_locked+0x2e1/0xac0\n tcp_sendmsg+0x2d/0x50\n inet_sendmsg+0x43/0x90\n sock_sendmsg+0x68/0x80\n sock_write_iter+0x93/0x100\n vfs_write+0x326/0x3c0\n ksys_write+0xbd/0xf0\n ? do_syscall_64+0x69/0x90\n __x64_sys_write+0x19/0x30\n do_syscall_\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26907", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26907" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:44:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b427f55e9d4185f6f17cc1e3296eb8d0c4425283" + }, + { + "url": "https://git.kernel.org/stable/c/abe4eaa8618bb36c2b33e9cdde0499296a23448c" + }, + { + "url": "https://git.kernel.org/stable/c/4f7dad73df4cdb2b7042103d3922745d040ad025" + }, + { + "url": "https://git.kernel.org/stable/c/0c7478a2da3f5fe106b4658338873d50c86ac7ab" + }, + { + "url": "https://git.kernel.org/stable/c/de3e9d8e8d1ae0a4d301109d1ec140796901306c" + }, + { + "url": "https://git.kernel.org/linus/abe4eaa8618bb36c2b33e9cdde0499296a23448c(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52633" + } + ], + "bom-ref": "vuln-197", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52633" + } + } + ], + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\num: time-travel: fix time corruption\n\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\n\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52633", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52633" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef1e47d50324e232d2da484fe55a54274eeb9bc1" + }, + { + "url": "https://git.kernel.org/stable/c/62f361bfea60c6afc3df09c1ad4152e6507f6f47" + }, + { + "url": "https://git.kernel.org/stable/c/c0ec2a712daf133d9996a8a1b7ee2d4996080363" + }, + { + "url": "https://git.kernel.org/stable/c/b0365460e945e1117b47cf7329d86de752daff63" + }, + { + "url": "https://git.kernel.org/stable/c/37077ed16c7793e21b005979d33f8a61565b7e86" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26753" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c0ec2a712daf133d9996a8a1b7ee2d4996080363(6.8-rc6)" + } + ], + "bom-ref": "vuln-198", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26753" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio/akcipher - Fix stack overflow on memcpy\n\nsizeof(struct virtio_crypto_akcipher_session_para) is less than\nsizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from\nstack variable leads stack overflow. Clang reports this issue by\ncommands:\nmake -j CC=clang-14 mrproper >/dev/null 2>&1\nmake -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1\nmake -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/\n virtio_crypto_akcipher_algs.o", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26753", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26753" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33" + }, + { + "url": "https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a" + }, + { + "url": "https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01" + }, + { + "url": "https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-043.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26583" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-057.html" + }, + { + "url": "https://git.kernel.org/linus/aec7961916f3f9e88766e2688992da6980f11b8d(6.8-rc5)" + } + ], + "bom-ref": "vuln-199", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26583" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583" + } + } + ], + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26583", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-15T13:05:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367" + }, + { + "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471" + }, + { + "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da" + }, + { + "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580" + }, + { + "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e" + }, + { + "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa" + }, + { + "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26790" + } + ], + "bom-ref": "vuln-200", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26790" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26790", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26790" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395" + }, + { + "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e" + }, + { + "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5" + }, + { + "url": "https://git.kernel.org/linus/9253c54e01b6505d348afbc02abaa4d9f8a01395(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26982" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-201", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26982" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26982", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26982" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:10Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f" + }, + { + "url": "https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3" + }, + { + "url": "https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35943" + }, + { + "url": "https://git.kernel.org/linus/5d7f58ee08434a33340f75ac7ac5071eea9673b3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-202", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35943" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35943", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6" + }, + { + "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b" + }, + { + "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989" + }, + { + "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970" + }, + { + "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491" + }, + { + "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674" + }, + { + "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1" + }, + { + "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5" + }, + { + "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf" + }, + { + "url": "https://git.kernel.org/linus/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35809" + } + ], + "bom-ref": "vuln-203", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35809" + } + } + ], + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35809", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35809" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc" + }, + { + "url": "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" + }, + { + "url": "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35929" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/dda98810b552fc6bf650f4270edeebdc2f28bd3f(6.9-rc1)" + } + ], + "bom-ref": "vuln-204", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35929" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35929", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb" + }, + { + "url": "https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a" + }, + { + "url": "https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf" + }, + { + "url": "https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65" + }, + { + "url": "https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf" + }, + { + "url": "https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b" + }, + { + "url": "https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768" + }, + { + "url": "https://git.kernel.org/linus/251a658bbfceafb4d58c76b77682c8bf7bcfad65(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26870" + } + ], + "bom-ref": "vuln-205", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26870" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\n\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\n\n [ 99.403778] kernel BUG at mm/usercopy.c:102!\n [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n [ 99.415827] Call trace:\n [ 99.415985] usercopy_abort+0x70/0xa0\n [ 99.416227] __check_heap_object+0x134/0x158\n [ 99.416505] check_heap_object+0x150/0x188\n [ 99.416696] __check_object_size.part.0+0x78/0x168\n [ 99.416886] __check_object_size+0x28/0x40\n [ 99.417078] listxattr+0x8c/0x120\n [ 99.417252] path_listxattr+0x78/0xe0\n [ 99.417476] __arm64_sys_listxattr+0x28/0x40\n [ 99.417723] invoke_syscall+0x78/0x100\n [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0\n [ 99.418186] do_el0_svc+0x24/0x38\n [ 99.418376] el0_svc+0x3c/0x110\n [ 99.418554] el0t_64_sync_handler+0x120/0x130\n [ 99.418788] el0t_64_sync+0x194/0x198\n [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\n\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\n\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26870", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26870" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb" + }, + { + "url": "https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699" + }, + { + "url": "https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598" + }, + { + "url": "https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68" + }, + { + "url": "https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec" + }, + { + "url": "https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c" + }, + { + "url": "https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4" + }, + { + "url": "https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d" + }, + { + "url": "https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26859" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/d27e2da94a42655861ca4baea30c8cd65546f25d(6.9-rc1)" + } + ], + "bom-ref": "vuln-206", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26859" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801 {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803 struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n EEH: Beginning: 'slot_reset'\n PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc0080000025065fc\n Oops: Kernel access of bad area, sig: 11 [#1]\n .....\n Call Trace:\n [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26859", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26859" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2" + }, + { + "url": "https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae" + }, + { + "url": "https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef" + }, + { + "url": "https://git.kernel.org/linus/e7870cf13d20f56bfc19f9c3e89707c69cf104ef(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26677" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-207", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26677" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26677", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26677" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777" + }, + { + "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285" + }, + { + "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d" + }, + { + "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65" + }, + { + "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd" + }, + { + "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736" + }, + { + "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77" + }, + { + "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26805" + } + ], + "bom-ref": "vuln-208", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26805" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26805", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26805" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2" + }, + { + "url": "https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4" + }, + { + "url": "https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3" + }, + { + "url": "https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3" + }, + { + "url": "https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c" + }, + { + "url": "https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1" + }, + { + "url": "https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35995" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2f4a4d63a193be6fd530d180bb13c3592052904c(6.9-rc1)" + } + ], + "bom-ref": "vuln-209", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35995" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35995", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35995" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b4fbb89d722cbb16beaaea234b7230faaaf68c71" + }, + { + "url": "https://git.kernel.org/stable/c/559ddacb90da1d8786dd8ec4fd76bbfa404eaef6" + }, + { + "url": "https://git.kernel.org/stable/c/d033a555d9a1cf53dbf3301af7199cc4a4c8f537" + }, + { + "url": "https://git.kernel.org/stable/c/afba9d11320dad5ce222ac8964caf64b7b4bedb1" + }, + { + "url": "https://git.kernel.org/stable/c/2883940b19c38d5884c8626483811acf4d7e148f" + }, + { + "url": "https://git.kernel.org/stable/c/afbcad9ae7d6d11608399188f03a837451b6b3a1" + }, + { + "url": "https://git.kernel.org/stable/c/185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1" + }, + { + "url": "https://git.kernel.org/stable/c/55583e899a5357308274601364741a83e78d6ac4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26704" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/55583e899a5357308274601364741a83e78d6ac4(6.8-rc3)" + } + ], + "bom-ref": "vuln-210", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26704" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double-free of blocks due to wrong extents moved_len\n\nIn ext4_move_extents(), moved_len is only updated when all moves are\nsuccessfully executed, and only discards orig_inode and donor_inode\npreallocations when moved_len is not zero. When the loop fails to exit\nafter successfully moving some extents, moved_len is not updated and\nremains at 0, so it does not discard the preallocations.\n\nIf the moved extents overlap with the preallocated extents, the\noverlapped extents are freed twice in ext4_mb_release_inode_pa() and\next4_process_freed_data() (as described in commit 94d7c16cbbbd (\"ext4:\nFix double-free of blocks with EXT4_IOC_MOVE_EXT\")), and bb_free is\nincremented twice. Hence when trim is executed, a zero-division bug is\ntriggered in mb_update_avg_fragment_size() because bb_free is not zero\nand bb_fragments is zero.\n\nTherefore, update move_len after each extent move to avoid the issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26704", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26704" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:58:29Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5" + }, + { + "url": "https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b" + }, + { + "url": "https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35945" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/61c81872815f46006982bb80460c0c80a949b35b(6.9-rc1)" + } + ], + "bom-ref": "vuln-211", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35945" + } + } + ], + "created": "2024-05-19T11:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in interrupt service routine.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35945", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35945" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b" + }, + { + "url": "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2" + }, + { + "url": "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f" + }, + { + "url": "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26853" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/ef27f655b438bed4c83680e4f01e1cde2739854b(6.8)" + } + ], + "bom-ref": "vuln-212", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26853" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26853", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26853" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0c4a89f4690478969729c7ba5f69d53d8516aa12" + }, + { + "url": "https://git.kernel.org/stable/c/9e8742cdfc4b0e65266bb4a901a19462bda9285e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35964" + }, + { + "url": "https://git.kernel.org/linus/9e8742cdfc4b0e65266bb4a901a19462bda9285e(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-213", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35964" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35964", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35964" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bc004f5038220b1891ef4107134ccae44be55109" + }, + { + "url": "https://git.kernel.org/stable/c/35768baf0fdfc47ede42d899506bad78450e9294" + }, + { + "url": "https://git.kernel.org/stable/c/a81b2acd43e24e419f65df97348c76a5a1496066" + }, + { + "url": "https://git.kernel.org/stable/c/8a6fea3fcb577a543ef67683ca7105bde49a38fb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35952" + }, + { + "url": "https://git.kernel.org/linus/bc004f5038220b1891ef4107134ccae44be55109(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-214", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35952" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ast: Fix soft lockup\n\nThere is a while-loop in ast_dp_set_on_off() that could lead to\ninfinite-loop. This is because the register, VGACRI-Dx, checked in\nthis API is a scratch register actually controlled by a MCU, named\nDPMCU, in BMC.\n\nThese scratch registers are protected by scu-lock. If suc-lock is not\noff, DPMCU can not update these registers and then host will have soft\nlockup due to never updated status.\n\nDPMCU is used to control DP and relative registers to handshake with\nhost's VGA driver. Even the most time-consuming task, DP's link\ntraining, is less than 100ms. 200ms should be enough.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35952", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35952" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/25b3498485ac281e5851700e33b97f12c9533fd8" + }, + { + "url": "https://git.kernel.org/stable/c/73224a5d2180066c7fe05b4656647601ba08d588" + }, + { + "url": "https://git.kernel.org/stable/c/9827caa5105fb16d1fae2e75c8d0e4662014b3ca" + }, + { + "url": "https://git.kernel.org/stable/c/bf6e4ee5c43690e4c5a8a057bbcd4ff986bed052" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35986" + }, + { + "url": "https://git.kernel.org/linus/bf6e4ee5c43690e4c5a8a057bbcd4ff986bed052(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-215", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35986" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered\n\nThe power_supply frame-work is not really designed for there to be\nlong living in kernel references to power_supply devices.\n\nSpecifically unregistering a power_supply while some other code has\na reference to it triggers a WARN in power_supply_unregister():\n\n\tWARN_ON(atomic_dec_return(&psy->use_cnt));\n\nFolllowed by the power_supply still getting removed and the\nbacking data freed anyway, leaving the tusb1210 charger-detect code\nwith a dangling reference, resulting in a crash the next time\ntusb1210_get_online() is called.\n\nFix this by only holding the reference in tusb1210_get_online()\nfreeing it at the end of the function. Note this still leaves\na theoretical race window, but it avoids the issue when manually\nrmmod-ing the charger chip driver during development.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35986", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35986" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8db10cee51e3e11a6658742465edc21986cf1e8d" + }, + { + "url": "https://git.kernel.org/stable/c/8f3e68c6a3fff53c2240762a47a0045d89371775" + }, + { + "url": "https://git.kernel.org/stable/c/cdb637d339572398821204a1142d8d615668f1e9" + }, + { + "url": "https://git.kernel.org/stable/c/b33d4af102b9c1f7a83d3f0ad3cab7d2bab8f058" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27042" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/cdb637d339572398821204a1142d8d615668f1e9(6.9-rc1)" + } + ], + "bom-ref": "vuln-216", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27042" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'\n\nThe issue arises when the array 'adev->vcn.vcn_config' is accessed\nbefore checking if the index 'adev->vcn.num_vcn_inst' is within the\nbounds of the array.\n\nThe fix involves moving the bounds check before the array access. This\nensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array\nbefore it is used as an index.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init() error: testing array offset 'adev->vcn.num_vcn_inst' after use.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27042", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27042" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67" + }, + { + "url": "https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76" + }, + { + "url": "https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5" + }, + { + "url": "https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2" + }, + { + "url": "https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06" + }, + { + "url": "https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8" + }, + { + "url": "https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0" + }, + { + "url": "https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810" + }, + { + "url": "https://git.kernel.org/linus/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35978" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-217", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35978" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35978", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35978" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2a84744a037b8a511d6a9055f3defddc28ff4a4d" + }, + { + "url": "https://git.kernel.org/stable/c/3e82f7383e0b82a835e6b6b06a348b2bc4e2c2ee" + }, + { + "url": "https://git.kernel.org/stable/c/16e87fe23d4af6df920406494ced5c0f4354567b" + }, + { + "url": "https://git.kernel.org/stable/c/9acfd8b083a0ffbd387566800d89f55058a68af2" + }, + { + "url": "https://git.kernel.org/stable/c/5e81773757a95fc298e96cfd6d4700f07b6192a2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26943" + }, + { + "url": "https://git.kernel.org/linus/16e87fe23d4af6df920406494ced5c0f4354567b(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-218", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26943" + } + } + ], + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/dmem: handle kcalloc() allocation failure\n\nThe kcalloc() in nouveau_dmem_evict_chunk() will return null if\nthe physical memory has run out. As a result, if we dereference\nsrc_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs\nwill happen.\n\nMoreover, the GPU is going away. If the kcalloc() fails, we could not\nevict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL\nflag in kcalloc().\n\nFinally, as there is no need to have physically contiguous memory,\nthis patch switches kcalloc() to kvcalloc() in order to avoid\nfailing allocations.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26943", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26943" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b" + }, + { + "url": "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89" + }, + { + "url": "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35887" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89(6.9-rc3)" + } + ], + "bom-ref": "vuln-219", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35887" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35887", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35887" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736" + }, + { + "url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941" + }, + { + "url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664" + }, + { + "url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325" + }, + { + "url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26803" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-220", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26803" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there's nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we'll end up with a stray GRO flag set but no NAPI instances.\n\nWe don't depend on the GRO flag on the datapath, so the datapath\nwon't crash. We will crash (or hang), however, next time features\nare sync'ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. If NAPI was initialized before we'll hang in napi_disable().\nIf it never was we'll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26803", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26803" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4530b3660d396a646aad91a787b6ab37cf604b53" + }, + { + "url": "https://git.kernel.org/stable/c/260fc96283c0f594de18a1b045faf6d8fb42874d" + }, + { + "url": "https://git.kernel.org/stable/c/f97e75fa4e12b0aa0224e83fcbda8853ac2adf36" + }, + { + "url": "https://git.kernel.org/stable/c/927794a02169778c9c2e7b25c768ab3ea8c1dc03" + }, + { + "url": "https://git.kernel.org/stable/c/a2576ae9a35c078e488f2c573e9e6821d651fbbe" + }, + { + "url": "https://git.kernel.org/stable/c/21f8cfe79f776287459343e9cfa6055af61328ea" + }, + { + "url": "https://git.kernel.org/stable/c/0184747b552d6b5a14db3b7fcc3b792ce64dedd1" + }, + { + "url": "https://git.kernel.org/stable/c/4c21fa60a6f4606f6214a38f50612b17b2f738f5" + }, + { + "url": "https://git.kernel.org/linus/4530b3660d396a646aad91a787b6ab37cf604b53(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26773" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-221", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26773" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\n\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\n\next4_mb_regular_allocator\n ext4_lock_group(sb, group)\n ext4_mb_good_group\n // check if the group bbitmap is corrupted\n ext4_mb_complex_scan_group\n // Scan group gets ac_b_ex but doesn't use it\n ext4_unlock_group(sb, group)\n ext4_mark_group_bitmap_corrupted(group)\n // The block bitmap was corrupted during\n // the group unlock gap.\n ext4_mb_try_best_found\n ext4_lock_group(ac->ac_sb, group)\n ext4_mb_use_best_found\n mb_mark_used\n // Allocating blocks in block bitmap corrupted group", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26773", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26773" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f" + }, + { + "url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2" + }, + { + "url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64" + }, + { + "url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453" + }, + { + "url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0" + }, + { + "url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d" + }, + { + "url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423" + }, + { + "url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801" + }, + { + "url": "https://git.kernel.org/linus/7c6782ad4911cbee874e85630226ed389ff2e453(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35960" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-222", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35960" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35960", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35960" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0" + }, + { + "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" + }, + { + "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe" + }, + { + "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26800" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-223", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26800" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26800", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26800" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49955b24002dc16a0ae2e83a57a2a6c863a1845c" + }, + { + "url": "https://git.kernel.org/stable/c/882e1180c83f5b75bae03d0ccc31ccedfe5159de" + }, + { + "url": "https://git.kernel.org/stable/c/1983184c22dd84a4d95a71e5c6775c2638557dc7" + }, + { + "url": "https://git.kernel.org/stable/c/5ef7ba2799a3b5ed292b8f6407376e2c25ef002e" + }, + { + "url": "https://git.kernel.org/linus/1983184c22dd84a4d95a71e5c6775c2638557dc7(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26987" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-224", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26987" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\n\nWhen I did hard offline test with hugetlb pages, below deadlock occurs:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-11409-gf6cef5f8c37f #1 Not tainted\n------------------------------------------------------\nbash/46904 is trying to acquire lock:\nffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60\n\nbut task is already holding lock:\nffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:\n __mutex_lock+0x6c/0x770\n page_alloc_cpu_online+0x3c/0x70\n cpuhp_invoke_callback+0x397/0x5f0\n __cpuhp_invoke_callback_range+0x71/0xe0\n _cpu_up+0xeb/0x210\n cpu_up+0x91/0xe0\n cpuhp_bringup_mask+0x49/0xb0\n bringup_nonboot_cpus+0xb7/0xe0\n smp_init+0x25/0xa0\n kernel_init_freeable+0x15f/0x3e0\n kernel_init+0x15/0x1b0\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(pcp_batch_high_lock);\n lock(cpu_hotplug_lock);\n lock(pcp_batch_high_lock);\n rlock(cpu_hotplug_lock);\n\n *** DEADLOCK ***\n\n5 locks held by bash/46904:\n #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0\n #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0\n #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0\n #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70\n #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nstack backtrace:\nCPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x68/0xa0\n check_noncircular+0x129/0x140\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fc862314887\nCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887\nRDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001\nRBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00\n\nIn short, below scene breaks the \n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26987", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26987" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3" + }, + { + "url": "https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3" + }, + { + "url": "https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019" + }, + { + "url": "https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8" + }, + { + "url": "https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48" + }, + { + "url": "https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c" + }, + { + "url": "https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26748" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/5fd9e45f1ebcd57181358af28506e8a661a260b3(6.8-rc6)" + } + ], + "bom-ref": "vuln-225", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26748" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829 if (request->complete) {\n830 spin_unlock(&priv_dev->lock);\n831 usb_gadget_giveback_request(&priv_ep->endpoint,\n832 request);\n833 spin_lock(&priv_dev->lock);\n834 }\n835\n836 if (request->buf == priv_dev->zlp_buf)\n837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][ T150]\n[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. Needn't call\nusb_gadget_giveback_request() because it is allocated in this driver.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26748", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26748" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3" + }, + { + "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" + }, + { + "url": "https://git.kernel.org/linus/55a48ad2db64737f7ffc0407634218cc6e4c513b(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26757" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-226", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26757" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26757", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26757" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216702" + }, + { + "url": "https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz@163.com/" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f7352557a35ab7888bc7831411ec8a3cbe20d78" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-47233" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6776-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-227", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47233" + } + } + ], + "created": "2023-11-03T21:15:17Z", + "description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-47233", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-25T01:15:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754" + }, + { + "url": "https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72" + }, + { + "url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3" + }, + { + "url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-043.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8590541473188741055d27b955db0777569438e3(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26584" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-057.html" + } + ], + "bom-ref": "vuln-228", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26584" + } + } + ], + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26584", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584" + }, + "cwes": [ + 755 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T19:35:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" + }, + { + "url": "https://datatracker.ietf.org/doc/html/rfc5155" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + } + ], + "bom-ref": "vuln-229", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "affects": [ + { + "ref": "comp-147" + } + ], + "id": "CVE-2023-50868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/916cd2fcbc1e344bcabf4b2a834cdf5a0417d30c" + }, + { + "url": "https://git.kernel.org/stable/c/8672ad663a22d0e4a325bb7d817b36ec412b967c" + }, + { + "url": "https://git.kernel.org/stable/c/a86e54a345139f1a7668c9f83bdc7ac6f91b6f78" + }, + { + "url": "https://git.kernel.org/stable/c/ab92e11b73b48b79f144421430891f3aa6242656" + }, + { + "url": "https://git.kernel.org/stable/c/e4e47e406d74cab601b2ab21ba5e3add811e05ae" + }, + { + "url": "https://git.kernel.org/stable/c/164be0a824387301312689bb29b2be92ab2cd39d" + }, + { + "url": "https://git.kernel.org/stable/c/347cca11bb78b9f3c29b45a9c52e70258bd008bf" + }, + { + "url": "https://git.kernel.org/stable/c/da3b75931bb737be74d6b4341e0080f233ed1409" + }, + { + "url": "https://git.kernel.org/stable/c/19f955ad9437a6859a529af34e2eafd903d5e7c1" + }, + { + "url": "https://git.kernel.org/stable/c/3afdcc4e1a00facad210f5c5891bb2fbc026067f" + }, + { + "url": "https://git.kernel.org/stable/c/9b319f4a88094b2e020e6db6e819c808d890098d" + }, + { + "url": "https://git.kernel.org/stable/c/9723602387217caa71d623ffcce314dc39e84a09" + }, + { + "url": "https://git.kernel.org/stable/c/2ff436b6399859e06539a2b9c667897d3cc85ad5" + }, + { + "url": "https://git.kernel.org/stable/c/5904411219601127ffdbd2d622bb5d67f9d8d16c" + }, + { + "url": "https://git.kernel.org/stable/c/339f83612f3a569b194680768b22bf113c26a29d" + }, + { + "url": "https://git.kernel.org/stable/c/7182175f565ffffa2ba1911726c5656bfc7a1bae" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35812" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/339f83612f3a569b194680768b22bf113c26a29d(6.9-rc2)" + } + ], + "bom-ref": "vuln-230", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35812" + } + } + ], + "created": "2024-05-17T14:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-wdm: close race between read and workqueue\n\nwdm_read() cannot race with itself. However, in\nservice_outstanding_interrupt() it can race with the\nworkqueue, which can be triggered by error handling.\n\nHence we need to make sure that the WDM_RESPONDING\nflag is not just only set but tested.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35812", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35812" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31" + }, + { + "url": "https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02" + }, + { + "url": "https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d" + }, + { + "url": "https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc" + }, + { + "url": "https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35803" + }, + { + "url": "https://git.kernel.org/linus/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02(6.9-rc1)" + } + ], + "bom-ref": "vuln-231", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35803" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n 5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time a EFI boot\nservice call is made.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35803", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35803" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6" + }, + { + "url": "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3" + }, + { + "url": "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e" + }, + { + "url": "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3" + }, + { + "url": "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a" + }, + { + "url": "https://git.kernel.org/linus/a43e0fc5e9134a46515de2f2f8d4100b74e50de3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27389" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-232", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27389" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27389", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27389" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd" + }, + { + "url": "https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6" + }, + { + "url": "https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64" + }, + { + "url": "https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7" + }, + { + "url": "https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29" + }, + { + "url": "https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58" + }, + { + "url": "https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07" + }, + { + "url": "https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27396" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f2a904107ee2b647bb7794a1a82b67740d7c8a64(6.9-rc6)" + } + ], + "bom-ref": "vuln-233", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27396" + } + } + ], + "created": "2024-05-14T15:12:27Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27396", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27396" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af" + }, + { + "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9" + }, + { + "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e" + }, + { + "url": "https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd" + }, + { + "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe" + }, + { + "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26795" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-234", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26795" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap’s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex's comments", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26795", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26795" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-09T16:51:17Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dfb2ce952143de60dd756ed666901236c76cb3fa" + }, + { + "url": "https://git.kernel.org/stable/c/6be74b1e21f8de4c48af772c2f658b464bfe6145" + }, + { + "url": "https://git.kernel.org/stable/c/9c573cd313433f6c1f7236fe64b9b743500c1628" + }, + { + "url": "https://git.kernel.org/stable/c/300a2b9c2b28282974ee300bb5d5025cbbb1f64c" + }, + { + "url": "https://git.kernel.org/stable/c/e80b4980af2688d8ff69c157ffa773dd1f1eb02c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35918" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9c573cd313433f6c1f7236fe64b9b743500c1628(6.9-rc4)" + } + ], + "bom-ref": "vuln-235", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35918" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrandomize_kstack: Improve entropy diffusion\n\nThe kstack_offset variable was really only ever using the low bits for\nkernel stack offset entropy. Add a ror32() to increase bit diffusion.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35918", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35918" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395" + }, + { + "url": "https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe" + }, + { + "url": "https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7" + }, + { + "url": "https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/870565f063a58576e8a4529f122cac4325c6b395(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52589" + } + ], + "bom-ref": "vuln-236", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52589" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52589", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52589" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d" + }, + { + "url": "https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39" + }, + { + "url": "https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c" + }, + { + "url": "https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186" + }, + { + "url": "https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20" + }, + { + "url": "https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183" + }, + { + "url": "https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c" + }, + { + "url": "https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07" + }, + { + "url": "https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26955" + }, + { + "url": "https://git.kernel.org/linus/269cdf353b5bdd15f1a079671b0f889113865f20(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-237", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26955" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently. If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26955", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26955" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49767b0df276f12e3e7184601e09ee7430e252dc" + }, + { + "url": "https://git.kernel.org/stable/c/10608161696c2768f53426642f78a42bcaaa53e8" + }, + { + "url": "https://git.kernel.org/stable/c/96c155943a703f0655c0c4cab540f67055960e91" + }, + { + "url": "https://git.kernel.org/stable/c/95c1016a2d92c4c28a9d1b6d09859c00b19c0ea4" + }, + { + "url": "https://git.kernel.org/linus/96c155943a703f0655c0c4cab540f67055960e91(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35891" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-238", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35891" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: Fix potential null pointer dereference\n\nIn lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may\nreturn NULL as ptp_header due to abnormal packet type or corrupted packet.\nFix this bug by adding ptp_header check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35891", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35891" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be" + }, + { + "url": "https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096" + }, + { + "url": "https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8" + }, + { + "url": "https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35908" + }, + { + "url": "https://git.kernel.org/linus/417e91e856099e9b8a42a2520e2255e6afe024be(6.9-rc2)" + } + ], + "bom-ref": "vuln-239", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35908" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35908", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35908" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e4f9f20b32658ef3724aa46f7aef4908d2609e3" + }, + { + "url": "https://git.kernel.org/stable/c/f0d857ce31a6bc7a82afcdbadb8f7417d482604b" + }, + { + "url": "https://git.kernel.org/stable/c/809aa64ebff51eb170ee31a95f83b2d21efa32e2" + }, + { + "url": "https://git.kernel.org/stable/c/8412c86e89cc78d8b513cb25cf2157a2adf3670a" + }, + { + "url": "https://git.kernel.org/stable/c/3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7" + }, + { + "url": "https://git.kernel.org/stable/c/cecfb90cf71d91e9efebd68b9e9b84661b277cc8" + }, + { + "url": "https://git.kernel.org/stable/c/52de5805c147137205662af89ed7e083d656ae25" + }, + { + "url": "https://git.kernel.org/stable/c/b41d0ade0398007fb746213f09903d52a920e896" + }, + { + "url": "https://git.kernel.org/linus/809aa64ebff51eb170ee31a95f83b2d21efa32e2(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26839" + } + ], + "bom-ref": "vuln-240", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26839" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix a memleak in init_credit_return\n\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26839", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26839" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/989b0ff35fe5fc9652ee5bafbe8483db6f27b137" + }, + { + "url": "https://git.kernel.org/stable/c/23d05d563b7e7b0314e65c8e882bc27eac2da8e7" + }, + { + "url": "https://git.kernel.org/stable/c/cd1022eaf87be8e6151435bd4df4c242c347e083" + }, + { + "url": "https://git.kernel.org/stable/c/95b3904a261a9f810205da560e802cc326f50d77" + }, + { + "url": "https://git.kernel.org/stable/c/8f8f185643747fbb448de6aab0efa51c679909a3" + }, + { + "url": "https://git.kernel.org/stable/c/6c53e8547687d9c767c139cd4b50af566f58c29a" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://git.kernel.org/linus/23d05d563b7e7b0314e65c8e882bc27eac2da8e7(6.7-rc6)" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52435" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-241", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52435" + } + } + ], + "created": "2024-02-20T20:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52435", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-15T14:06:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T19:50:17Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54PLF5J33IRSLSR4UU6LQSMXX6FI5AOQ/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255497" + }, + { + "url": "https://patchwork.kernel.org/project/linux-wireless/patch/20231208043433.271449-1-hdthky0@gmail.com/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C25BK2YH5MZ6VNQXKF2NAJBTGXVEPKGC/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-7042" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=ad25ee36f00172f7d53242dc77c69fff7ced0755" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-7042" + }, + { + "url": "https://lore.kernel.org/all/20231208043433.271449-1-hdthky0@gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/?h=ath-next" + } + ], + "bom-ref": "vuln-242", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-7042" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + } + } + ], + "created": "2023-12-21T20:15:09Z", + "description": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-7042", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-22T05:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677" + }, + { + "url": "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304" + }, + { + "url": "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1" + }, + { + "url": "https://git.kernel.org/linus/41425f96d7aa59bc865f60f5dda3d7697b555677(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26962" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-243", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26962" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because register new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\n sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26962", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26962" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/all/20240207132416.1488485-1-aconole@redhat.com/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-1151" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262241" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-1151" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=bd128f62c365(selftests)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-244", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1151" + } + } + ], + "created": "2024-02-11T15:15:07Z", + "description": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-1151", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-22T04:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090" + }, + { + "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592" + }, + { + "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03" + }, + { + "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b" + }, + { + "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2" + }, + { + "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1" + }, + { + "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1" + }, + { + "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26801" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-245", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26801" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth ]\n hci_error_reset+0x4f/0xa4 [bluetooth ]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26801", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26801" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/176256ff8abff29335ecff905a09fb49e8dcf513" + }, + { + "url": "https://git.kernel.org/stable/c/792595bab4925aa06532a14dd256db523eb4fa5e" + }, + { + "url": "https://git.kernel.org/stable/c/1d8c67e94e9e977603473a543d4f322cf2c4aa01" + }, + { + "url": "https://git.kernel.org/stable/c/7200170e88e3ec54d9e9c63f07514c3cead11481" + }, + { + "url": "https://git.kernel.org/stable/c/36a49290d7e6d554020057a409747a092b1d3b56" + }, + { + "url": "https://git.kernel.org/stable/c/8d5838a473e8e6d812257c69745f5920e4924a60" + }, + { + "url": "https://git.kernel.org/stable/c/57d05dbbcd0b3dc0c252103b43012eef5d6430d1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26702" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://git.kernel.org/linus/792595bab4925aa06532a14dd256db523eb4fa5e(6.8-rc5)" + } + ], + "bom-ref": "vuln-246", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26702" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\n\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26702", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26702" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc" + }, + { + "url": "https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f" + }, + { + "url": "https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66" + }, + { + "url": "https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35998" + }, + { + "url": "https://git.kernel.org/linus/8861fd5180476f45f9e8853db154600469a0284f(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-247", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35998" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35998", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35998" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b775ced05489f4b77a35fe203e9aeb22f428e38f" + }, + { + "url": "https://git.kernel.org/stable/c/65ee90efc928410c6f73b3d2e0afdd762652c09d" + }, + { + "url": "https://git.kernel.org/stable/c/8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4" + }, + { + "url": "https://git.kernel.org/stable/c/f549f340c91f08b938d60266e792ff7748dae483" + }, + { + "url": "https://git.kernel.org/stable/c/cfe3550ea5df292c9e2d608e8c4560032391847e" + }, + { + "url": "https://git.kernel.org/stable/c/38cc1605338d99205a263707f4dde76408d3e0e8" + }, + { + "url": "https://git.kernel.org/stable/c/0f501dae16b7099e69ee9b0d5c70b8f40fd30e98" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26673" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-248", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26673" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations\n\n- Disallow families other than NFPROTO_{IPV4,IPV6,INET}.\n- Disallow layer 4 protocol with no ports, since destination port is a\n mandatory attribute for this object.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26673", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26673" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b" + }, + { + "url": "https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6" + }, + { + "url": "https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a" + }, + { + "url": "https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5" + }, + { + "url": "https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95" + }, + { + "url": "https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27431" + }, + { + "url": "https://git.kernel.org/linus/2487007aa3b9fafbd2cb14068f49791ce1d7ede5(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-249", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27431" + } + } + ], + "created": "2024-05-17T12:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\n\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\n\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27431", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27431" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89" + }, + { + "url": "https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02" + }, + { + "url": "https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb" + }, + { + "url": "https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4" + }, + { + "url": "https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b" + }, + { + "url": "https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3" + }, + { + "url": "https://git.kernel.org/linus/6e5e6d274956305f1fc0340522b38f5f5be74bdb(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52656" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-250", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52656" + } + } + ], + "created": "2024-05-14T14:23:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: drop any code related to SCM_RIGHTS\n\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52656", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52656" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a" + }, + { + "url": "https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59" + }, + { + "url": "https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e" + }, + { + "url": "https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4" + }, + { + "url": "https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707" + }, + { + "url": "https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e45b1361" + }, + { + "url": "https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e" + }, + { + "url": "https://git.kernel.org/linus/1213acb478a7181cd73eeaf00db430f1e45b1361(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27052" + } + ], + "bom-ref": "vuln-251", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27052" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work\n\nThe workqueue might still be running, when the driver is stopped. To\navoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27052", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27052" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5cd466673b34bac369334f66cbe14bb77b7d7827" + }, + { + "url": "https://git.kernel.org/stable/c/9af1658ba293458ca6a13f70637b9654fa4be064" + }, + { + "url": "https://git.kernel.org/stable/c/6d88b289fb0a8d055cb79d1c46a56aba7809d96d" + }, + { + "url": "https://git.kernel.org/stable/c/22cad1b841a63635a38273b799b4791f202ade72" + }, + { + "url": "https://git.kernel.org/stable/c/c8a24fd281dcdf3c926413dafbafcf35cde517a9" + }, + { + "url": "https://git.kernel.org/stable/c/6d5dc96b154be371df0d62ecb07efe400701ed8a" + }, + { + "url": "https://git.kernel.org/stable/c/7e2c1b0f6dd9abde9e60f0f9730026714468770f" + }, + { + "url": "https://git.kernel.org/stable/c/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7" + }, + { + "url": "https://git.kernel.org/stable/c/629af0d5fe94a35f498ba2c3f19bd78bfa591be6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27436" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7(6.9-rc1)" + } + ], + "bom-ref": "vuln-252", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27436" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Stop parsing channels bits when all channels are found.\n\nIf a usb audio device sets more bits than the amount of channels\nit could write outside of the map array.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27436", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27436" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c" + }, + { + "url": "https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed" + }, + { + "url": "https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52591" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed(6.8-rc1)" + } + ], + "bom-ref": "vuln-253", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52591" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52591", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52591" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301" + }, + { + "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308" + }, + { + "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512" + }, + { + "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26828" + }, + { + "url": "https://git.kernel.org/linus/cffe487026be13eaf37ea28b783d9638ab147204(6.8-rc5)" + } + ], + "bom-ref": "vuln-254", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26828" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26828", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26828" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644" + }, + { + "url": "https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2" + }, + { + "url": "https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487" + }, + { + "url": "https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc" + }, + { + "url": "https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a" + }, + { + "url": "https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26924" + }, + { + "url": "https://git.kernel.org/linus/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-255", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26924" + } + } + ], + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: do not free live element\n\nPablo reports a crash with large batches of elements with a\nback-to-back add/remove pattern. Quoting Pablo:\n\n add_elem(\"00000000\") timeout 100 ms\n ...\n add_elem(\"0000000X\") timeout 100 ms\n del_elem(\"0000000X\") <---------------- delete one that was just added\n ...\n add_elem(\"00005000\") timeout 100 ms\n\n 1) nft_pipapo_remove() removes element 0000000X\n Then, KASAN shows a splat.\n\nLooking at the remove function there is a chance that we will drop a\nrule that maps to a non-deactivated element.\n\nRemoval happens in two steps, first we do a lookup for key k and return the\nto-be-removed element and mark it as inactive in the next generation.\nThen, in a second step, the element gets removed from the set/map.\n\nThe _remove function does not work correctly if we have more than one\nelement that share the same key.\n\nThis can happen if we insert an element into a set when the set already\nholds an element with same key, but the element mapping to the existing\nkey has timed out or is not active in the next generation.\n\nIn such case its possible that removal will unmap the wrong element.\nIf this happens, we will leak the non-deactivated element, it becomes\nunreachable.\n\nThe element that got deactivated (and will be freed later) will\nremain reachable in the set data structure, this can result in\na crash when such an element is retrieved during lookup (stale\npointer).\n\nAdd a check that the fully matching key does in fact map to the element\nthat we have marked as inactive in the deactivation step.\nIf not, we need to continue searching.\n\nAdd a bug/warn trap at the end of the function as well, the remove\nfunction must not ever be called with an invisible/unreachable/non-existent\nelement.\n\nv2: avoid uneeded temporary variable (Stefano)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26924", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26924" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921" + }, + { + "url": "https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804" + }, + { + "url": "https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec" + }, + { + "url": "https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231" + }, + { + "url": "https://git.kernel.org/linus/de959094eb2197636f7c803af0943cb9d3b35804(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26760" + } + ], + "bom-ref": "vuln-256", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26760" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: pscsi: Fix bio_put() for error case\n\nAs of commit 066ff571011d (\"block: turn bio_kmalloc into a simple kmalloc\nwrapper\"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()\nand kfree(). That is not done properly for the error case, hitting WARN and\nNULL pointer dereference in bio_free().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26760", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26760" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4" + }, + { + "url": "https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326" + }, + { + "url": "https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d5812d4e" + }, + { + "url": "https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581" + }, + { + "url": "https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a" + }, + { + "url": "https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26601" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-052.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-040.html" + }, + { + "url": "https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e(6.8-rc3)" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-257", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26601" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601" + } + } + ], + "created": "2024-02-26T16:27:59Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-17T18:03:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T09:06:04Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9256ab9232e35a16af9c30fa4e522e6d1bd3605a" + }, + { + "url": "https://git.kernel.org/stable/c/2d17cf10179a7de6d8f0128168b84ad0b4a1863f" + }, + { + "url": "https://git.kernel.org/stable/c/13b57b5cd591d5b22f9bbf047b2922967de411f3" + }, + { + "url": "https://git.kernel.org/stable/c/8762785f459be1cfe6fcf7285c123aad6a3703f0" + }, + { + "url": "https://git.kernel.org/stable/c/a6cafdb49a7bbf4a88367db209703eee6941e023" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26834" + }, + { + "url": "https://git.kernel.org/linus/8762785f459be1cfe6fcf7285c123aad6a3703f0(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-258", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26834" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: release dst in case direct xmit path is used\n\nDirect xmit does not use it since it calls dev_queue_xmit() to send\npackets, hence it calls dst_release().\n\nkmemleak reports:\n\nunreferenced object 0xffff88814f440900 (size 184):\n comm \"softirq\", pid 0, jiffies 4294951896\n hex dump (first 32 bytes):\n 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[.............\n 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P.............\n backtrace (crc cb2bf5d6):\n [<000000003ee17107>] kmem_cache_alloc+0x286/0x340\n [<0000000021a5de2c>] dst_alloc+0x43/0xb0\n [<00000000f0671159>] rt_dst_alloc+0x2e/0x190\n [<00000000fe5092c9>] __mkroute_output+0x244/0x980\n [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160\n [<0000000045367433>] nf_ip_route+0xf/0x30\n [<0000000085da1d8e>] nf_route+0x2d/0x60\n [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload]\n [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload]\n [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables]\n [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables]\n [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables]\n [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160\n [<0000000005eccab1>] ip_forward+0x8b6/0x9b0\n [<00000000553a269b>] ip_rcv+0x221/0x230\n [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26834", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26834" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924" + }, + { + "url": "https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e" + }, + { + "url": "https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26876" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/aeedaee5ef5468caf59e2bb1265c2116e0c9a924(6.9-rc1)" + } + ], + "bom-ref": "vuln-259", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26876" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n Call trace:\n cec_received_msg_ts+0x48/0x990 [cec]\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n adv7511_irq_process+0xd8/0x120 [adv7511]\n adv7511_irq_handler+0x1c/0x30 [adv7511]\n irq_thread_fn+0x30/0xa0\n irq_thread+0x14c/0x238\n kthread+0x190/0x1a8", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26876", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26876" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271" + }, + { + "url": "https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35832" + }, + { + "url": "https://git.kernel.org/linus/369acf97d6fd5da620d053d0f1878ffe32eff555(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-260", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35832" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOr umount will triger:\n\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[ 406.830676 ] #PF: supervisor read access in kernel mode\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\n[ 406.832487 ] PGD 0 P4D 0\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[ 406.841464 ] Call Trace:\n[ 406.841583 ] \n[ 406.841682 ] ? __die+0x1f/0x70\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\n[ 406.842014 ] ? fixup_exception+0x22/0x310\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.842842 ] ? kfree+0x62/0x140\n[ 406.842988 ] ? kfree+0x104/0x140\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.843390 ] kobject_put+0xb7/0x170\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\n[ 406.843756 ] cleanup_mnt+0xba/0x150\n[ 406.843917 ] task_work_run+0x59/0xa0\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35832", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35832" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8d14a4d0afb49a5b8535d414c782bb334860e73e" + }, + { + "url": "https://git.kernel.org/stable/c/d351bcadab6caa6d8ce7159ff4b77e2da35c09fa" + }, + { + "url": "https://git.kernel.org/stable/c/cd5c2d0b09d5b6d3f0a7bbabe6761a4997e9dee9" + }, + { + "url": "https://git.kernel.org/stable/c/fad9bcd4d754cc689c19dc04d2c44b82c1a5d6c8" + }, + { + "url": "https://git.kernel.org/stable/c/e18afcb7b2a12b635ac10081f943fcf84ddacc51" + }, + { + "url": "https://git.kernel.org/stable/c/ea96bf3f80625cddba1391a87613356b1b45716d" + }, + { + "url": "https://git.kernel.org/stable/c/1cbaf4c793b0808532f4e7b40bc4be7cec2c78f2" + }, + { + "url": "https://git.kernel.org/stable/c/c2a30c81bf3cb9033fa9f5305baf7c377075e2e5" + }, + { + "url": "https://git.kernel.org/stable/c/3d48e5be107429ff5d824e7f2a00d1b610d36fbc" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26894" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e18afcb7b2a12b635ac10081f943fcf84ddacc51(6.9-rc1)" + } + ], + "bom-ref": "vuln-261", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26894" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()\n\nAfter unregistering the CPU idle device, the memory associated with\nit is not freed, leading to a memory leak:\n\nunreferenced object 0xffff896282f6c000 (size 1024):\n comm \"swapper/0\", pid 1, jiffies 4294893170\n hex dump (first 32 bytes):\n 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 8836a742):\n [] kmalloc_trace+0x29d/0x340\n [] acpi_processor_power_init+0xf3/0x1c0\n [] __acpi_processor_start+0xd3/0xf0\n [] acpi_processor_start+0x2c/0x50\n [] really_probe+0xe2/0x480\n [] __driver_probe_device+0x78/0x160\n [] driver_probe_device+0x1f/0x90\n [] __driver_attach+0xce/0x1c0\n [] bus_for_each_dev+0x70/0xc0\n [] bus_add_driver+0x112/0x210\n [] driver_register+0x55/0x100\n [] acpi_processor_driver_init+0x3b/0xc0\n [] do_one_initcall+0x41/0x300\n [] kernel_init_freeable+0x320/0x470\n [] kernel_init+0x16/0x1b0\n [] ret_from_fork+0x2d/0x50\n\nFix this by freeing the CPU idle device after unregistering it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26894", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26894" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3151051b787f7cd7e3329ea0016eb9113c248812" + }, + { + "url": "https://git.kernel.org/stable/c/d0b5b1f12429df3cd9751ab8b2f53729b77733b7" + }, + { + "url": "https://git.kernel.org/stable/c/64babb17e8150771c58575d8f93a35c5296b499f" + }, + { + "url": "https://git.kernel.org/stable/c/9c333d9891f34cea8af1b229dc754552304c8eee" + }, + { + "url": "https://git.kernel.org/stable/c/8e51f084b5716653f19e291ed5f026791d4b3ed4" + }, + { + "url": "https://git.kernel.org/stable/c/aa2b2eb3934859904c287bf5434647ba72e14c1c" + }, + { + "url": "https://git.kernel.org/stable/c/6b950c712a9a05cdda4aea7fcb2848766576c11b" + }, + { + "url": "https://git.kernel.org/stable/c/dbc1b89981f9c5360277071d33d7f04a43ffda4a" + }, + { + "url": "https://git.kernel.org/linus/aa2b2eb3934859904c287bf5434647ba72e14c1c(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26625" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-262", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26625" + } + } + ], + "created": "2024-03-06T07:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: call sock_orphan() at release time\n\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\n\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\n\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\n\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\n\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n list_empty include/linux/list.h:373 [inline]\n waitqueue_active include/linux/wait.h:127 [inline]\n sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n skb_release_all net/core/skbuff.c:1092 [inline]\n napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n napi_poll net/core/dev.c:6645 [inline]\n net_rx_action+0x956/0xe90 net/core/dev.c:6778\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n run_ksoftirqd kernel/softirq.c:921 [inline]\n run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n \n\nAllocated by task 5167:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:314 [inline]\n __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3813 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3019 [inline]\n sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n alloc_inode+0x5d/0x220 fs/inode.c:260\n new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n sock_alloc+0x40/0x270 net/socket.c:634\n __sock_create+0xbc/0x800 net/socket.c:1535\n sock_create net/socket.c:1622 [inline]\n __sys_socket_create net/socket.c:1659 [inline]\n __sys_socket+0x14c/0x260 net/socket.c:1706\n __do_sys_socket net/socket.c:1720 [inline]\n __se_sys_socket net/socket.c:1718 [inline]\n __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 0:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n poison_slab_object mm/kasan/common.c:241 [inline]\n __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2121 [inlin\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26625", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/328efda22af81130c2ad981c110518cb29ff2f1d" + }, + { + "url": "https://git.kernel.org/stable/c/9ab0c303ccabfd6bdce14432792d41090070008c" + }, + { + "url": "https://git.kernel.org/stable/c/4041c60a9d543b3ad50225385b072ba68e96166e" + }, + { + "url": "https://git.kernel.org/stable/c/515cc676dfbce40d93c92b1ff3c1070e917f4e52" + }, + { + "url": "https://git.kernel.org/stable/c/90ae293d1d255f622318fce6eeea2e18f9fde5c1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27391" + }, + { + "url": "https://git.kernel.org/linus/328efda22af81130c2ad981c110518cb29ff2f1d(6.9-rc1)" + } + ], + "bom-ref": "vuln-263", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27391" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: do not realloc workqueue everytime an interface is added\n\nCommit 09ed8bfc5215 (\"wilc1000: Rename workqueue from \"WILC_wq\" to\n\"NETDEV-wq\"\") moved workqueue creation in wilc_netdev_ifc_init in order to\nset the interface name in the workqueue name. However, while the driver\nneeds only one workqueue, the wilc_netdev_ifc_init is called each time we\nadd an interface over a phy, which in turns overwrite the workqueue with a\nnew one. This can be observed with the following commands:\n\nfor i in $(seq 0 10)\ndo\n iw phy phy0 interface add wlan1 type managed\n iw dev wlan1 del\ndone\nps -eo pid,comm|grep wlan\n\n 39 kworker/R-wlan0\n 98 kworker/R-wlan1\n102 kworker/R-wlan1\n105 kworker/R-wlan1\n108 kworker/R-wlan1\n111 kworker/R-wlan1\n114 kworker/R-wlan1\n117 kworker/R-wlan1\n120 kworker/R-wlan1\n123 kworker/R-wlan1\n126 kworker/R-wlan1\n129 kworker/R-wlan1\n\nFix this leakage by putting back hif_workqueue allocation in\nwilc_cfg80211_init. Regarding the workqueue name, it is indeed relevant to\nset it lowercase, however it is not attached to a specific netdev, so\nenforcing netdev name in the name is not so relevant. Still, enrich the\nname with the wiphy name to make it clear which phy is using the workqueue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27391", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27391" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7f615232556f3c6e3eeecef96ef2b00d0aa905bb" + }, + { + "url": "https://git.kernel.org/stable/c/dec82a8fc45c6ce494c2cb31f001a2aadb132b57" + }, + { + "url": "https://git.kernel.org/stable/c/7510b08c5f5ba15983da004b021fc6154eeb4047" + }, + { + "url": "https://git.kernel.org/stable/c/e041df5dc9e68adffcba5499ca28e1252bed6f4b" + }, + { + "url": "https://git.kernel.org/stable/c/392eb88416dcbc5f1d61b9a88d79d78dc8b27652" + }, + { + "url": "https://git.kernel.org/stable/c/bbc21f134b89535d1cf110c5f2b33ac54e5839c4" + }, + { + "url": "https://git.kernel.org/stable/c/7644df766006d4878a556e427e3ecc78c2d5606b" + }, + { + "url": "https://git.kernel.org/stable/c/958d6145a6d9ba9e075c921aead8753fb91c9101" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27430" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/958d6145a6d9ba9e075c921aead8753fb91c9101(6.8)" + } + ], + "bom-ref": "vuln-264", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27430" + } + } + ], + "created": "2024-05-17T12:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_default_path_quality\n\nWe need to protect the reader reading sysctl_netrom_default_path_quality\nbecause the value can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27430", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27430" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6f7d0f5fd8e440c3446560100ac4ff9a55eec340" + }, + { + "url": "https://git.kernel.org/stable/c/2bfbe1e0aed00ba51d58573c79452fada3f62ed4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26836" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/6f7d0f5fd8e440c3446560100ac4ff9a55eec340(6.8-rc6)" + } + ], + "bom-ref": "vuln-265", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26836" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix password opcode ordering for workstations\n\nThe Lenovo workstations require the password opcode to be run before\nthe attribute value is changed (if Admin password is enabled).\n\nTested on some Thinkpads to confirm they are OK with this order too.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26836", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26836" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c44542093525699a30c307dae1ea5a1b03b3302f" + }, + { + "url": "https://git.kernel.org/stable/c/82220b1835baaebf4ae2e490f56353a341a09bd2" + }, + { + "url": "https://git.kernel.org/stable/c/995e91c9556c8fc6028b474145a36e947d1eb6b6" + }, + { + "url": "https://git.kernel.org/stable/c/e06cc89475eddc1f3a7a4d471524256152c68166" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26905" + }, + { + "url": "https://git.kernel.org/linus/e06cc89475eddc1f3a7a4d471524256152c68166(6.8-rc7)" + } + ], + "bom-ref": "vuln-266", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26905" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix data races when accessing the reserved amount of block reserves\n\nAt space_info.c we have several places where we access the ->reserved\nfield of a block reserve without taking the block reserve's spinlock\nfirst, which makes KCSAN warn about a data race since that field is\nalways updated while holding the spinlock.\n\nThe reports from KCSAN are like the following:\n\n [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]\n\n [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:\n [117.195172] need_preemptive_reclaim+0x222/0x2f0 [btrfs]\n [117.195992] __reserve_bytes+0xbb0/0xdc8 [btrfs]\n [117.196807] btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]\n [117.197620] btrfs_block_rsv_add+0x78/0xa8 [btrfs]\n [117.198434] btrfs_delayed_update_inode+0x154/0x368 [btrfs]\n [117.199300] btrfs_update_inode+0x108/0x1c8 [btrfs]\n [117.200122] btrfs_dirty_inode+0xb4/0x140 [btrfs]\n [117.200937] btrfs_update_time+0x8c/0xb0 [btrfs]\n [117.201754] touch_atime+0x16c/0x1e0\n [117.201789] filemap_read+0x674/0x728\n [117.201823] btrfs_file_read_iter+0xf8/0x410 [btrfs]\n [117.202653] vfs_read+0x2b6/0x498\n [117.203454] ksys_read+0xa2/0x150\n [117.203473] __s390x_sys_read+0x68/0x88\n [117.203495] do_syscall+0x1c6/0x210\n [117.203517] __do_syscall+0xc8/0xf0\n [117.203539] system_call+0x70/0x98\n\n [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:\n [117.203604] btrfs_block_rsv_release+0x2e8/0x578 [btrfs]\n [117.204432] btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]\n [117.205259] __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]\n [117.206093] btrfs_async_run_delayed_root+0x356/0x498 [btrfs]\n [117.206917] btrfs_work_helper+0x160/0x7a0 [btrfs]\n [117.207738] process_one_work+0x3b6/0x838\n [117.207768] worker_thread+0x75e/0xb10\n [117.207797] kthread+0x21a/0x230\n [117.207830] __ret_from_fork+0x6c/0xb8\n [117.207861] ret_from_fork+0xa/0x30\n\nSo add a helper to get the reserved amount of a block reserve while\nholding the lock. The value may be not be up to date anymore when used by\nneed_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but\nthat's ok since the worst it can do is cause more reclaim work do be done\nsooner rather than later. Reading the field while holding the lock instead\nof using the data_race() annotation is used in order to prevent load\ntearing.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26905", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26905" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477" + }, + { + "url": "https://git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0" + }, + { + "url": "https://git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26670" + } + ], + "bom-ref": "vuln-267", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26670" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n\nCurrently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't\nquite right, as it is supposed to be applied after the last explicit\nmemory access, but is immediately followed by an LDR.\n\nThe ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to\nhandle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,\nwhich are described in:\n\n* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en\n* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en\n\nIn both cases the workaround is described as:\n\n| If pagetable isolation is disabled, the context switch logic in the\n| kernel can be updated to execute the following sequence on affected\n| cores before exiting to EL0, and after all explicit memory accesses:\n|\n| 1. A non-shareable TLBI to any context and/or address, including\n| unused contexts or addresses, such as a `TLBI VALE1 Xzr`.\n|\n| 2. A DSB NSH to guarantee completion of the TLBI.\n\nThe important part being that the TLBI+DSB must be placed \"after all\nexplicit memory accesses\".\n\nUnfortunately, as-implemented, the TLBI+DSB is immediately followed by\nan LDR, as we have:\n\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n| \teret\n| alternative_else_nop_endif\n|\n| [ ... KPTI exception return path ... ]\n\nThis patch fixes this by reworking the logic to place the TLBI+DSB\nimmediately before the ERET, after all explicit memory accesses.\n\nThe ERET is currently in a separate alternative block, and alternatives\ncannot be nested. To account for this, the alternative block for\nARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch\nto skip the KPTI logic, with the new shape of the logic being:\n\n| alternative_insn \"b .L_skip_tramp_exit_\\@\", nop, ARM64_UNMAP_KERNEL_AT_EL0\n| \t[ ... KPTI exception return path ... ]\n| .L_skip_tramp_exit_\\@:\n|\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n|\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| \teret\n\nThe new structure means that the workaround is only applied when KPTI is\nnot in use; this is fine as noted in the documented implications of the\nerratum:\n\n| Pagetable isolation between EL0 and higher level ELs prevents the\n| issue from occurring.\n\n... and as per the workaround description quoted above, the workaround\nis only necessary \"If pagetable isolation is disabled\".", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26670", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26670" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/57ca0e16f393bb21d69734e536e383a3a4c665fd" + }, + { + "url": "https://git.kernel.org/stable/c/a31cf46d108dabce3df80b3e5c07661e24912151" + }, + { + "url": "https://git.kernel.org/stable/c/2cb66b62a5d64ccf09b0591ab86fb085fa491fc5" + }, + { + "url": "https://git.kernel.org/stable/c/35b604a37ec70d68b19dafd10bbacf1db505c9ca" + }, + { + "url": "https://git.kernel.org/stable/c/76c51146820c5dac629f21deafab0a7039bc3ccd" + }, + { + "url": "https://git.kernel.org/stable/c/059285e04ebb273d32323fbad5431c5b94f77e48" + }, + { + "url": "https://git.kernel.org/stable/c/c7f43900bc723203d7554d299a2ce844054fab8e" + }, + { + "url": "https://git.kernel.org/stable/c/2b7ec68869d50ea998908af43b643bca7e54577e" + }, + { + "url": "https://git.kernel.org/linus/76c51146820c5dac629f21deafab0a7039bc3ccd(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27405" + } + ], + "bom-ref": "vuln-268", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27405" + } + } + ], + "created": "2024-05-17T12:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs\n\nIt is observed sometimes when tethering is used over NCM with Windows 11\nas host, at some instances, the gadget_giveback has one byte appended at\nthe end of a proper NTB. When the NTB is parsed, unwrap call looks for\nany leftover bytes in SKB provided by u_ether and if there are any pending\nbytes, it treats them as a separate NTB and parses it. But in case the\nsecond NTB (as per unwrap call) is faulty/corrupt, all the datagrams that\nwere parsed properly in the first NTB and saved in rx_list are dropped.\n\nAdding a few custom traces showed the following:\n[002] d..1 7828.532866: dwc3_gadget_giveback: ep1out:\nreq 000000003868811a length 1025/16384 zsI ==> 0\n[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025\n[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67\n[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400\n[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10\n[002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames\n\nIn this case, the giveback is of 1025 bytes and block length is 1024.\nThe rest 1 byte (which is 0x00) won't be parsed resulting in drop of\nall datagrams in rx_list.\n\nSame is case with packets of size 2048:\n[002] d..1 7828.557948: dwc3_gadget_giveback: ep1out:\nreq 0000000011dfd96e length 2049/16384 zsI ==> 0\n[002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800\n\nLecroy shows one byte coming in extra confirming that the byte is coming\nin from PC:\n\n Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590)\n - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)\n --- Packet 4063861\n Data(1024 bytes)\n Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)\n --- Packet 4063863\n Data(1 byte)\n Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)\n\nAccording to Windows driver, no ZLP is needed if wBlockLength is non-zero,\nbecause the non-zero wBlockLength has already told the function side the\nsize of transfer to be expected. However, there are in-market NCM devices\nthat rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize.\nTo deal with such devices, it pads an extra 0 at end so the transfer is no\nlonger multiple of wMaxPacketSize.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27405", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27405" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6" + }, + { + "url": "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486" + }, + { + "url": "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f" + }, + { + "url": "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad" + }, + { + "url": "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f" + }, + { + "url": "https://git.kernel.org/linus/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35890" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-269", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35890" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35890", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35890" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/34cab94f7473e7b09f5205d4583fb5096cb63b5b" + }, + { + "url": "https://git.kernel.org/stable/c/0866afaff19d8460308b022345ed116a12b1d0e1" + }, + { + "url": "https://git.kernel.org/stable/c/16d71319e29d5825ab53f263b59fdd8dc2d60ad4" + }, + { + "url": "https://git.kernel.org/stable/c/43464808669ba9d23996f0b6d875450191687caf" + }, + { + "url": "https://git.kernel.org/stable/c/bbf950a6e96a91cf8cf0c71117b94ed3fafc9dd3" + }, + { + "url": "https://git.kernel.org/stable/c/d380ce70058a4ccddc3e5f5c2063165dc07672c6" + }, + { + "url": "https://git.kernel.org/stable/c/f9055fa2b2931261d5f89948ee5bc315b6a22d4a" + }, + { + "url": "https://git.kernel.org/stable/c/d623fd5298d95b65d27ef5a618ebf39541074856" + }, + { + "url": "https://git.kernel.org/linus/d380ce70058a4ccddc3e5f5c2063165dc07672c6(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27419" + } + ], + "bom-ref": "vuln-270", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27419" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix data-races around sysctl_net_busy_read\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27419", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27419" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35" + }, + { + "url": "https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35931" + }, + { + "url": "https://git.kernel.org/linus/601429cca96b4af3be44172c3b64e4228515dbe1(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-271", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35931" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n caused system hang.\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n [ 557.373718] [drm] PCIE GART of 512M enabled.\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\n [ 557.373789] [drm] PSP is resuming...\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\n [ 557.547069] [drm] No support for XGMI hive yet...\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n [ 557.610492] [drm] PCI error: slot reset callback!!\n ...\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n [ 560.843444] PKRU: 55555554\n [ 560.846480] Call Trace:\n [ 560.849225] \n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.867778] ? show_regs.part.0+0x23/0x29\n [ 560.872293] ? __die_body.cold+0x8/0xd\n [ 560.876502] ? die_addr+0x3e/0x60\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.904520] process_one_work+0x228/0x3d0\nHow:\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35931", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35931" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1" + }, + { + "url": "https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e" + }, + { + "url": "https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa" + }, + { + "url": "https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506" + }, + { + "url": "https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df" + }, + { + "url": "https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02" + }, + { + "url": "https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59" + }, + { + "url": "https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14" + }, + { + "url": "https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc" + }, + { + "url": "https://git.kernel.org/linus/fbec4e7fed89b579f2483041fabf9650fb0dd6bc(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35819" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-272", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35819" + } + } + ], + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35819", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35819" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c" + }, + { + "url": "https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922" + }, + { + "url": "https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa" + }, + { + "url": "https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6" + }, + { + "url": "https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417" + }, + { + "url": "https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35976" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/237f3cf13b20db183d3706d997eedc3c49eacd44(6.9-rc4)" + } + ], + "bom-ref": "vuln-273", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35976" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n \n\nAllocated by task 7549:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3966 [inline]\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\n kmalloc include/linux/slab.h:632 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n set_page_owner include/linux/page_owner.h:31 [inline]\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n prep_new_page mm/page_alloc.c:\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35976", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35976" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e" + }, + { + "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5" + }, + { + "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381" + }, + { + "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8" + }, + { + "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58" + }, + { + "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b" + }, + { + "url": "https://git.kernel.org/linus/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26906" + } + ], + "bom-ref": "vuln-274", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26906" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n \n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26906", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26906" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe" + }, + { + "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644" + }, + { + "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea" + }, + { + "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d" + }, + { + "url": "https://git.kernel.org/linus/e3b63e966cac0bf78aaa1efede1827a252815a1d(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26832" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-275", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26832" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26832", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26832" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91" + }, + { + "url": "https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839" + }, + { + "url": "https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c" + }, + { + "url": "https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669" + }, + { + "url": "https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26780" + } + ], + "bom-ref": "vuln-276", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26780" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb. [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets. If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26780", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26780" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c835df3bcc14858ae9b27315dd7de76370b94f3a" + }, + { + "url": "https://git.kernel.org/stable/c/a9bc32879a08f23cdb80a48c738017e39aea1080" + }, + { + "url": "https://git.kernel.org/stable/c/d54e4da98bbfa8c257bdca94c49652d81d18a4d8" + }, + { + "url": "https://git.kernel.org/stable/c/350a6640fac4b53564ec20aa3f4a0922cb0ba5e6" + }, + { + "url": "https://git.kernel.org/stable/c/af6b5c50d47ab43e5272ad61935d0ed2e264d3f0" + }, + { + "url": "https://git.kernel.org/stable/c/8d975c15c0cd744000ca386247432d57b21f9df0" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26641" + }, + { + "url": "https://git.kernel.org/linus/8d975c15c0cd744000ca386247432d57b21f9df0(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-277", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26641" + } + } + ], + "created": "2024-03-18T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\n\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\n\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:461 [inline]\n ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n netif_receive_skb_internal net/core/dev.c:5732 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2084 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x786/0x1200 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n tun_alloc_skb drivers/net/tun.c:1531 [inline]\n tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2084 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x786/0x1200 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26641", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26641" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3" + }, + { + "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51" + }, + { + "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009" + }, + { + "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423" + }, + { + "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c" + }, + { + "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f" + }, + { + "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26923" + }, + { + "url": "https://git.kernel.org/linus/47d8ac011fe1c9251070e1bd64cb10b48193ec51(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-278", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26923" + } + } + ], + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26923", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26923" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b" + }, + { + "url": "https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851" + }, + { + "url": "https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8" + }, + { + "url": "https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36009" + }, + { + "url": "https://git.kernel.org/linus/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-279", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36009" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[ 80.884935] ref_tracker: reference already released.\n[ 80.885150] ref_tracker: allocated in:\n[ 80.885349] ax25_dev_device_up+0x105/0x540\n[ 80.885730] ax25_device_event+0xa4/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] __dev_notify_flags+0x138/0x280\n[ 80.885730] dev_change_flags+0xd7/0x180\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\n[ 80.885730] dev_ioctl+0x4d8/0xd90\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\n[ 80.885730] sock_ioctl+0x38b/0x4f0\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.885730] ref_tracker: freed in:\n[ 80.885730] ax25_device_event+0x272/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] dev_close_many+0x272/0x370\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\n[ 80.885730] unregister_netdev+0xcf/0x120\n[ 80.885730] sixpack_close+0x11f/0x1b0\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\n[ 80.885730] __tty_hangup+0x504/0x740\n[ 80.885730] tty_release+0x46e/0xd80\n[ 80.885730] __fput+0x37f/0x770\n[ 80.885730] __x64_sys_close+0x7b/0xb0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.893739] ------------[ cut here ]------------\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[ 80.894297] Modules linked in:\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[ 80.935774] ax25_bind+0x424/0x4e0\n[ 80.935774] __sys_bind+0x1d9/0x270\n[ 80.935774] __x64_sys_bind+0x75/0x80\n[ 80.935774] do_syscall_64+0xc4/0x1b0\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-36009", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36009" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/afe6fcb9775882230cd29b529203eabd5d2a638d" + }, + { + "url": "https://git.kernel.org/stable/c/52aa507148c4aad41436e2005d742ffcafad9976" + }, + { + "url": "https://git.kernel.org/stable/c/3169eaf1365541fd8e521091010c44fbe14691fc" + }, + { + "url": "https://git.kernel.org/stable/c/50c0ad785a780c72a2fdaba10b38c645ffb4eae6" + }, + { + "url": "https://git.kernel.org/stable/c/f05631a8525c3b5e5994ecb1304d2d878956c0f5" + }, + { + "url": "https://git.kernel.org/stable/c/93128052bf832359531c3c0a9e3567b2b8682a2d" + }, + { + "url": "https://git.kernel.org/stable/c/92003981a6df5dc84af8a5904f8ee112fa324129" + }, + { + "url": "https://git.kernel.org/stable/c/c5d2342d24ef6e08fc90a529fe3dc59de421a2b9" + }, + { + "url": "https://git.kernel.org/stable/c/47a13d0b9d8527518639ab5c39667f69d6203e80" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52650" + }, + { + "url": "https://git.kernel.org/linus/afe6fcb9775882230cd29b529203eabd5d2a638d(6.9-rc1)" + } + ], + "bom-ref": "vuln-280", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52650" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\n\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52650", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52650" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c" + }, + { + "url": "https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b" + }, + { + "url": "https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98" + }, + { + "url": "https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa" + }, + { + "url": "https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb" + }, + { + "url": "https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285" + }, + { + "url": "https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239" + }, + { + "url": "https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f" + }, + { + "url": "https://git.kernel.org/linus/38762a0763c10c24a4915feee722d7aa6e73eb98(6.9-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27401" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-281", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27401" + } + } + ], + "created": "2024-05-14T15:12:29Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27401", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27401" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39" + }, + { + "url": "https://git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9" + }, + { + "url": "https://git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff" + }, + { + "url": "https://git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557" + }, + { + "url": "https://git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274" + }, + { + "url": "https://git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498" + }, + { + "url": "https://git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773" + }, + { + "url": "https://git.kernel.org/linus/79d72c68c58784a3e1cd2378669d51bfd0cb7498(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26688" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-282", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26688" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\n\nE.g: Taking the following steps:\n\n fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\n\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\n\nCausing below Oops.\n\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel: \n kernel: ? __die_body+0x1a/0x60\n kernel: ? page_fault_oops+0x16f/0x4a0\n kernel: ? search_bpf_extables+0x65/0x70\n kernel: ? fixup_exception+0x22/0x310\n kernel: ? exc_page_fault+0x69/0x150\n kernel: ? asm_exc_page_fault+0x22/0x30\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel: ? hugetlbfs_fill_super+0x28/0x1a0\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: vfs_get_super+0x40/0xa0\n kernel: ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel: vfs_get_tree+0x25/0xd0\n kernel: vfs_cmd_create+0x64/0xe0\n kernel: __x64_sys_fsconfig+0x395/0x410\n kernel: do_syscall_64+0x80/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? exc_page_fault+0x69/0x150\n kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26688", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26688" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95" + }, + { + "url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3" + }, + { + "url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab" + }, + { + "url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605" + }, + { + "url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f" + }, + { + "url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5" + }, + { + "url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26958" + }, + { + "url": "https://git.kernel.org/linus/17f46b803d4f23c66cacce81db35fef3adb8f2af(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-283", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26958" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26958", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26958" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/linus/8d037973d48c026224ab285e6a06985ccac6f7bf(6.3-rc1)" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1382" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1250" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0461" + }, + { + "url": "https://lkml.org/lkml/2022/12/9/178" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6224-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6235-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2176" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0448" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1306" + }, + { + "url": "https://patchwork.kernel.org/project/linux-rdma/patch/3d0e9a2fd62bc10ba02fed1c7c48a48638952320.1672819273.git.leonro@nvidia.com/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0439" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6228-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1367" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6194-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1404" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + } + ], + "bom-ref": "vuln-284", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2176" + } + } + ], + "created": "2023-04-20T21:15:08Z", + "description": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-2176", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-07-27T15:21:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T18:17:48Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99" + }, + { + "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8" + }, + { + "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478" + }, + { + "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1" + }, + { + "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b" + }, + { + "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d" + }, + { + "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26788" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-285", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26788" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n Call trace:\n fsl_qdma_queue_handler+0xf8/0x3e8\n __handle_irq_event_percpu+0x78/0x2b0\n handle_irq_event_percpu+0x1c/0x68\n handle_irq_event+0x44/0x78\n handle_fasteoi_irq+0xc8/0x178\n generic_handle_irq+0x24/0x38\n __handle_domain_irq+0x90/0x100\n gic_handle_irq+0x5c/0xb8\n el1_irq+0xb8/0x180\n _raw_spin_unlock_irqrestore+0x14/0x40\n __setup_irq+0x4bc/0x798\n request_threaded_irq+0xd8/0x190\n devm_request_threaded_irq+0x74/0xe8\n fsl_qdma_probe+0x4d4/0xca8\n platform_drv_probe+0x50/0xa0\n really_probe+0xe0/0x3f8\n driver_probe_device+0x64/0x130\n device_driver_attach+0x6c/0x78\n __driver_attach+0xbc/0x158\n bus_for_each_dev+0x5c/0x98\n driver_attach+0x20/0x28\n bus_add_driver+0x158/0x220\n driver_register+0x60/0x110\n __platform_driver_register+0x44/0x50\n fsl_qdma_driver_init+0x18/0x20\n do_one_initcall+0x48/0x258\n kernel_init_freeable+0x1a4/0x23c\n kernel_init+0x10/0xf8\n ret_from_fork+0x10/0x18", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26788", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26788" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1" + }, + { + "url": "https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c" + }, + { + "url": "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8" + }, + { + "url": "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595" + }, + { + "url": "https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f" + }, + { + "url": "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f" + }, + { + "url": "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76" + }, + { + "url": "https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222" + }, + { + "url": "https://git.kernel.org/linus/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26994" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-286", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26994" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26994", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26994" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49" + }, + { + "url": "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7" + }, + { + "url": "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65" + }, + { + "url": "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35867" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/0865ffefea197b437ba78b5dd8d8e256253efd65(6.9-rc3)" + } + ], + "bom-ref": "vuln-287", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35867" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35867", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35867" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97830f3c3088638ff90b20dfba2eb4d487bf14d7" + }, + { + "url": "https://git.kernel.org/stable/c/a423042052ec2bdbf1e552e621e6a768922363cc" + }, + { + "url": "https://git.kernel.org/stable/c/93b372c39c40cbf179e56621e6bc48240943af69" + }, + { + "url": "https://git.kernel.org/stable/c/dd64bb8329ce0ea27bc557e4160c2688835402ac" + }, + { + "url": "https://git.kernel.org/stable/c/42beab162dcee1e691ee4934292d51581c29df61" + }, + { + "url": "https://git.kernel.org/stable/c/90e09c016d72b91e76de25f71c7b93d94cc3c769" + }, + { + "url": "https://git.kernel.org/stable/c/a7ae586f6f6024f490b8546c8c84670f96bb9b68" + }, + { + "url": "https://git.kernel.org/stable/c/82722b453dc2f967b172603e389ee7dc1b3137cc" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26606" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/97830f3c3088638ff90b20dfba2eb4d487bf14d7(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-288", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26606" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26606", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T17:49:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304" + }, + { + "url": "https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b" + }, + { + "url": "https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007" + }, + { + "url": "https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77" + }, + { + "url": "https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331" + }, + { + "url": "https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859" + }, + { + "url": "https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df" + }, + { + "url": "https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8" + }, + { + "url": "https://git.kernel.org/linus/24225011d81b471acc0e1e315b7d9905459a6304(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35898" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-289", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35898" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35898", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35898" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0" + }, + { + "url": "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" + }, + { + "url": "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9" + }, + { + "url": "https://git.kernel.org/linus/39126abc5e20611579602f03b66627d7cd1422f0(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26719" + } + ], + "bom-ref": "vuln-290", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26719" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26719", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26719" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c" + }, + { + "url": "https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366" + }, + { + "url": "https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2" + }, + { + "url": "https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7" + }, + { + "url": "https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e" + }, + { + "url": "https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc" + }, + { + "url": "https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683" + }, + { + "url": "https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1" + }, + { + "url": "https://git.kernel.org/linus/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35805" + } + ], + "bom-ref": "vuln-291", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35805" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35805", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35805" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d83309e7e006cee8afca83523559017c824fbf7a" + }, + { + "url": "https://git.kernel.org/stable/c/9de787139b0258a5dd1f498780c26d76b61d2958" + }, + { + "url": "https://git.kernel.org/stable/c/f803982190f0265fd36cf84670aa6daefc2b0768" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-292", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: split initial and dynamic conditions for extent_cache\n\nLet's allocate the extent_cache tree without dynamic conditions to avoid a\nmissing condition causing a panic as below.\n\n # create a file w/ a compressed flag\n # disable the compression\n # panic while updating extent_cache\n\nF2FS-fs (dm-64): Swapfile: last extent is not aligned to section\nF2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N)\nAdding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k\n==================================================================\nBUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]\nBUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]\nBUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]\nBUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]\nBUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295\nWrite of size 4 at addr 0000000000000030 by task syz-executor154/3327\n\nCPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1\nHardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023\nCall Trace:\n __dump_stack out/common/lib/dump_stack.c:77 [inline]\n dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118\n __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415\n kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428\n kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186\n __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37\n instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]\n atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]\n queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]\n __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]\n _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295\n __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155\n f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172\n f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]\n f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764\n vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310\n ksys_fallocate out/common/fs/open.c:333 [inline]\n __do_sys_fallocate out/common/fs/open.c:341 [inline]\n __se_sys_fallocate out/common/fs/open.c:339 [inline]\n __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339\n do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52770", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52770" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3" + }, + { + "url": "https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d" + }, + { + "url": "https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d" + }, + { + "url": "https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/169410eba271afc9f0fb476d996795aa26770c6d(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52621" + } + ], + "bom-ref": "vuln-293", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52621" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52621", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52621" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256786" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6270" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1923.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2475.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6270" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-294", + "ratings": [ + { + "severity": "high", + "score": 7.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6270" + } + } + ], + "created": "2024-01-04T17:15:08Z", + "description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-6270", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-10T15:59:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/907761307469adecb02461a14120e9a1812a5fb1" + }, + { + "url": "https://git.kernel.org/stable/c/c055fc00c07be1f0df7375ab0036cebd1106ed38" + }, + { + "url": "https://git.kernel.org/stable/c/997efea2bf3a4adb96c306b9ad6a91442237bf5b" + }, + { + "url": "https://git.kernel.org/stable/c/2b505d05280739ce31d5708da840f42df827cb85" + }, + { + "url": "https://git.kernel.org/stable/c/9dfc15a10dfd44f8ff7f27488651cb5be6af83c2" + }, + { + "url": "https://git.kernel.org/stable/c/998fd719e6d6468b930ac0c44552ea9ff8b07b80" + }, + { + "url": "https://git.kernel.org/stable/c/b562ebe21ed9adcf42242797dd6cb75beef12bf0" + }, + { + "url": "https://git.kernel.org/stable/c/786854141057751bc08eb26f1b02e97c1631c8f4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27024" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c055fc00c07be1f0df7375ab0036cebd1106ed38(6.8)" + } + ], + "bom-ref": "vuln-295", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27024" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix WARNING in rds_conn_connect_if_down\n\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27024", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27024" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4" + }, + { + "url": "https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d" + }, + { + "url": "https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea" + }, + { + "url": "https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd" + }, + { + "url": "https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757" + }, + { + "url": "https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26964" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/be95cc6d71dfd0cba66e3621c65413321b398052(6.9-rc1)" + } + ], + "bom-ref": "vuln-296", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26964" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26964", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26964" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e" + }, + { + "url": "https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587" + }, + { + "url": "https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63" + }, + { + "url": "https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52660" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e(6.8-rc5)" + } + ], + "bom-ref": "vuln-297", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52660" + } + } + ], + "created": "2024-05-17T13:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52660", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52660" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/790fa2c04dfb9f095ec372bf17909424d6e864b3" + }, + { + "url": "https://git.kernel.org/stable/c/e04d15c8bb3e111dd69f98894acd92d63e87aac3" + }, + { + "url": "https://git.kernel.org/stable/c/b9b683844b01d171a72b9c0419a2d760d946ee12" + }, + { + "url": "https://git.kernel.org/stable/c/7405a0d4442792988e9ae834e7d84f9d163731a4" + }, + { + "url": "https://git.kernel.org/stable/c/291cda0b805fc0d6e90d201710311630c8667159" + }, + { + "url": "https://git.kernel.org/stable/c/7f11dd3d165b178e738fe73dfeea513e383bedb5" + }, + { + "url": "https://git.kernel.org/stable/c/d43988a23c32588ccd0c74219637afb96cd78661" + }, + { + "url": "https://git.kernel.org/stable/c/b49fe84c6cefcc1c2336d793b53442e716c95073" + }, + { + "url": "https://git.kernel.org/stable/c/f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975" + }, + { + "url": "https://git.kernel.org/linus/b9b683844b01d171a72b9c0419a2d760d946ee12(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27074" + } + ], + "bom-ref": "vuln-298", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27074" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: go7007: fix a memleak in go7007_load_encoder\n\nIn go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without\na deallocation thereafter. After the following call chain:\n\nsaa7134_go7007_init\n |-> go7007_boot_encoder\n |-> go7007_load_encoder\n |-> kfree(go)\n\ngo is freed and thus bounce is leaked.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27074", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383" + }, + { + "url": "https://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15" + }, + { + "url": "https://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182" + }, + { + "url": "https://git.kernel.org/stable/c/6fd24675188d354b1cad47462969afa2ab09d819" + }, + { + "url": "https://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62" + }, + { + "url": "https://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26586" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-048.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-036.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2674" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2006" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2008" + } + ], + "bom-ref": "vuln-299", + "ratings": [ + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26586" + } + } + ], + "created": "2024-02-22T17:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26586", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-26T16:10:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1936.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6597" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070135" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-616.html" + }, + { + "url": "https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-617.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2541.html" + }, + { + "url": "https://seclists.org/oss-sec/2024/q1/240" + } + ], + "bom-ref": "vuln-300", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6597" + } + } + ], + "created": "2024-03-19T16:15:08Z", + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "affects": [ + { + "ref": "comp-41" + } + ], + "id": "CVE-2023-6597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560" + }, + { + "url": "https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5" + }, + { + "url": "https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97" + }, + { + "url": "https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37" + }, + { + "url": "https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234" + }, + { + "url": "https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97" + }, + { + "url": "https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd" + }, + { + "url": "https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0" + }, + { + "url": "https://git.kernel.org/linus/6ebfad33161afacb3e1e59ed1c2feefef70f9f97(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26862" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-301", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26862" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npacket: annotate data-races around ignore_outgoing\n\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\n\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\n\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n\nvalue changed: 0x00 -> 0x01\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26862", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26862" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c" + }, + { + "url": "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828" + }, + { + "url": "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7" + }, + { + "url": "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71" + }, + { + "url": "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81" + }, + { + "url": "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be" + }, + { + "url": "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7" + }, + { + "url": "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc" + }, + { + "url": "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26974" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7d42e097607c4d246d99225bf2b195b6167a210c(6.9-rc1)" + } + ], + "bom-ref": "vuln-302", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26974" + } + } + ], + "created": "2024-05-01T06:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26974", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26974" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695" + }, + { + "url": "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35966" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695(6.9-rc4)" + } + ], + "bom-ref": "vuln-303", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35966" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35966", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35966" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1210781" + }, + { + "url": "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A@mail.gmail.com/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-31082" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-304", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31082" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" + } + } + ], + "created": "2023-04-24T06:15:07Z", + "description": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-31082", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" + }, + "cwes": [ + 763 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-17T02:23:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T14:55:07Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e" + }, + { + "url": "https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9" + }, + { + "url": "https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153" + }, + { + "url": "https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6" + }, + { + "url": "https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf" + }, + { + "url": "https://git.kernel.org/linus/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35970" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-305", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35970" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n from socket import *\n from array import array\n\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n c2.recv(1) # blocked as no normal data in recv queue\n\n c2.close() # done async and unblock recv()\n c1.close() # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob(). When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data. When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n >>> from socket import *\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\n 5\n >>> c1.send(b'world')\n 5\n >>> c2.recv(5) # OOB data is not received\n b'hell'\n >>> c2.recv(5) # OOB date is skipped\n b'world'\n >>> c2.recv(5, MSG_OOB) # This should return an error\n b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1). However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates. Then, the old GC lose the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list. That's why we couldn't even notice the issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35970", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35970" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24861" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-306", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24861" + } + }, + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" + } + } + ], + "created": "2024-02-05T08:15:45Z", + "description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-24861", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:05:59Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/34925d01baf3ee62ab21c21efd9e2c44c24c004a" + }, + { + "url": "https://git.kernel.org/stable/c/b5085b5ac1d96ea2a8a6240f869655176ce44197" + }, + { + "url": "https://git.kernel.org/stable/c/26ebeffff238488466fa578be3b35b8a46e69906" + }, + { + "url": "https://git.kernel.org/stable/c/bcf4a115a5068f3331fafb8c176c1af0da3d8b19" + }, + { + "url": "https://git.kernel.org/stable/c/56cfbe60710772916a5ba092c99542332b48e870" + }, + { + "url": "https://git.kernel.org/stable/c/0958b33ef5a04ed91f61cef4760ac412080c4e08" + }, + { + "url": "https://git.kernel.org/stable/c/4b001ef14baab16b553a002cb9979e31b8fc0c6b" + }, + { + "url": "https://git.kernel.org/stable/c/2450a69d2ee75d1f0112d509ac82ef98f5ad6b5f" + }, + { + "url": "https://git.kernel.org/stable/c/6022c065c9ec465d84cebff8f480db083e4ee06b" + }, + { + "url": "https://git.kernel.org/stable/c/8ffd5590f4d6ef5460acbeac7fbdff7025f9b419" + }, + { + "url": "https://git.kernel.org/stable/c/2a3073d58382157ab396734ed4e421ba9e969db1" + }, + { + "url": "https://git.kernel.org/stable/c/36be97e9eb535fe3008a5cb040b1e56f29f2e398" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26920" + }, + { + "url": "https://git.kernel.org/linus/0958b33ef5a04ed91f61cef4760ac412080c4e08(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-307", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26920" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/trigger: Fix to return error if failed to alloc snapshot\n\nFix register_snapshot_trigger() to return error code if it failed to\nallocate a snapshot instead of 0 (success). Unless that, it will register\nsnapshot trigger without an error.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26920", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26920" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65" + }, + { + "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de" + }, + { + "url": "https://git.kernel.org/linus/246f80a0b17f8f582b2c0996db02998239057c65(6.6-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52629" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-308", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52629" + } + } + ], + "created": "2024-03-29T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52629", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-29T12:45:02Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b" + }, + { + "url": "https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a" + }, + { + "url": "https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769" + }, + { + "url": "https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab" + }, + { + "url": "https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb" + }, + { + "url": "https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830" + }, + { + "url": "https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7" + }, + { + "url": "https://git.kernel.org/linus/994209ddf4f430946f6247616b2e33d179243769(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35900" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-309", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35900" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n add table x\n add chain x y { type filter hook input priority 0; }\n add table x { flags dormant; }\n add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[ 127.322519] Call Trace:\n[ 127.322521] \n[ 127.322524] ? __warn+0x9f/0x1a0\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322537] ? report_bug+0x1b1/0x1e0\n[ 127.322545] ? handle_bug+0x3c/0x70\n[ 127.322552] ? exc_invalid_op+0x17/0x40\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35900", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35900" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66" + }, + { + "url": "https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3" + }, + { + "url": "https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a" + }, + { + "url": "https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355" + }, + { + "url": "https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693" + }, + { + "url": "https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c" + }, + { + "url": "https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52617" + }, + { + "url": "https://git.kernel.org/linus/df25461119d987b8c81d232cfe4411e91dcabe66(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-310", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52617" + } + } + ], + "created": "2024-03-18T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\n\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\n\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\n\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\n\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52617", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52617" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d" + }, + { + "url": "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f" + }, + { + "url": "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04" + }, + { + "url": "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5" + }, + { + "url": "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab" + }, + { + "url": "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758" + }, + { + "url": "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35852" + }, + { + "url": "https://git.kernel.org/linus/fb4e2b70a7194b209fc7320bbf33b375f7114bd5(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-311", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35852" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n [<00000000bda6fe39>] kthread+0x246/0x300\n [<0000000070056d23>] ret_from_fork+0x34/0x70\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35852", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35852" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f5e7ffa9269a448a720e21f1ed1384d118298c97" + }, + { + "url": "https://git.kernel.org/stable/c/418456c0ce56209610523f21734c5612ee634134" + }, + { + "url": "https://git.kernel.org/stable/c/2e3ec80ea7ba58bbb210e83b5a0afefee7c171d3" + }, + { + "url": "https://git.kernel.org/stable/c/696e4112e5c1ee61996198f0ebb6ca3fab55166e" + }, + { + "url": "https://git.kernel.org/stable/c/2aa7bcfdbb46241c701811bbc0d64d7884e3346c" + }, + { + "url": "https://git.kernel.org/stable/c/7c4650ded49e5b88929ecbbb631efb8b0838e811" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26659" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7c4650ded49e5b88929ecbbb631efb8b0838e811(6.8-rc3)" + } + ], + "bom-ref": "vuln-312", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26659" + } + } + ], + "created": "2024-04-02T07:15:42Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: handle isoc Babble and Buffer Overrun events properly\n\nxHCI 4.9 explicitly forbids assuming that the xHC has released its\nownership of a multi-TRB TD when it reports an error on one of the\nearly TRBs. Yet the driver makes such assumption and releases the TD,\nallowing the remaining TRBs to be freed or overwritten by new TDs.\n\nThe xHC should also report completion of the final TRB due to its IOC\nflag being set by us, regardless of prior errors. This event cannot\nbe recognized if the TD has already been freed earlier, resulting in\n\"Transfer event TRB DMA ptr not part of current TD\" error message.\n\nFix this by reusing the logic for processing isoc Transaction Errors.\nThis also handles hosts which fail to report the final completion.\n\nFix transfer length reporting on Babble errors. They may be caused by\ndevice malfunction, no guarantee that the buffer has been filled.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26659", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26659" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366" + }, + { + "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5" + }, + { + "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14" + }, + { + "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd" + }, + { + "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077" + }, + { + "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924" + }, + { + "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c" + }, + { + "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec" + }, + { + "url": "https://git.kernel.org/linus/d313eb8b77557a6d5855f42d2234bd592c7b50dd(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35893" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-313", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35893" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35893", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502" + }, + { + "url": "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d" + }, + { + "url": "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88" + }, + { + "url": "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1" + }, + { + "url": "https://git.kernel.org/linus/ca545b7f0823f19db0f1148d59bc5e1a56634502(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26928" + } + ], + "bom-ref": "vuln-314", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26928" + } + } + ], + "created": "2024-04-28T12:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26928", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26928" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T12:42:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f" + }, + { + "url": "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/45284ff733e4caf6c118aae5131eb7e7cf3eea5a(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52586" + } + ], + "bom-ref": "vuln-315", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52586" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52586", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b" + }, + { + "url": "https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460" + }, + { + "url": "https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1" + }, + { + "url": "https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e" + }, + { + "url": "https://git.kernel.org/linus/7eb322360b0266481e560d1807ee79e0cef5742b(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35892" + } + ], + "bom-ref": "vuln-316", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35892" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n [] __dump_stack lib/dump_stack.c:88 [inline]\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n [] invoke_softirq kernel/softirq.c:447 [inline]\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35892", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35892" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88" + }, + { + "url": "https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489" + }, + { + "url": "https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189" + }, + { + "url": "https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d" + }, + { + "url": "https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371" + }, + { + "url": "https://git.kernel.org/linus/73e87c0a49fda31d7b589edccf4c72e924411371(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35851" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-317", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35851" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35851", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35851" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/54a03e4ac1a41edf8a5087bd59f8241b0de96d3d" + }, + { + "url": "https://git.kernel.org/stable/c/68644bf5ec6baaff40fc39b3529c874bfda709bd" + }, + { + "url": "https://git.kernel.org/stable/c/2e845867b4e279eff0a19ade253390470e07e8a1" + }, + { + "url": "https://git.kernel.org/stable/c/a41c8efe659caed0e21422876bbb6b73c15b5244" + }, + { + "url": "https://git.kernel.org/stable/c/d47e6c1932cee02954ea588c9f09fd5ecefeadfc" + }, + { + "url": "https://git.kernel.org/stable/c/8c28598a2c29201d2ba7fc37539a7d41c264fb10" + }, + { + "url": "https://git.kernel.org/stable/c/6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac" + }, + { + "url": "https://git.kernel.org/stable/c/81137162bfaa7278785b24c1fd2e9e74f082e8e4" + }, + { + "url": "https://git.kernel.org/stable/c/2edce8e9a99dd5e4404259d52e754fdc97fb42c2" + }, + { + "url": "https://git.kernel.org/linus/81137162bfaa7278785b24c1fd2e9e74f082e8e4(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26889" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-318", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26889" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix possible buffer overflow\n\nstruct hci_dev_info has a fixed size name[8] field so in the event that\nhdev->name is bigger than that strcpy would attempt to write past its\nsize, so this fixes this problem by switching to use strscpy.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26889", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26889" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/107052a8cfeff3a97326277192b4f052e4860a8a" + }, + { + "url": "https://git.kernel.org/stable/c/d20b64f156de5d10410963fe238d82a4e7e97a2f" + }, + { + "url": "https://git.kernel.org/stable/c/c073c8cede5abd3836e83d70d72606d11d0759d4" + }, + { + "url": "https://git.kernel.org/stable/c/ed514ecf4f29c80a2f09ae3c877059b401efe893" + }, + { + "url": "https://git.kernel.org/stable/c/7a4cf27d1f0538f779bf31b8c99eda394e277119" + }, + { + "url": "https://git.kernel.org/stable/c/fb07104a02e87c06c39914d13ed67fd8f839ca82" + }, + { + "url": "https://git.kernel.org/stable/c/8fad9c5bb00d3a9508d18bbfe832e33a47377730" + }, + { + "url": "https://git.kernel.org/stable/c/fa8b472952ef46eb632825051078c21ce0cafe55" + }, + { + "url": "https://git.kernel.org/stable/c/d6b4895197ab5a47cb81c6852d49320b05052960" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27075" + }, + { + "url": "https://git.kernel.org/linus/7a4cf27d1f0538f779bf31b8c99eda394e277119(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-319", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27075" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: avoid stack overflow warnings with clang\n\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\n\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\n\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27075", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27075" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50" + }, + { + "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de" + }, + { + "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada" + }, + { + "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87" + }, + { + "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a" + }, + { + "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f" + }, + { + "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4" + }, + { + "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35910" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada(6.9-rc2)" + } + ], + "bom-ref": "vuln-320", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35910" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35910", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35910" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bea82355df9e1c299625405b1947fc9b26b4c6d4" + }, + { + "url": "https://git.kernel.org/stable/c/55f8ea6731aa64871ee6aef7dba53ee9f9f3b2f6" + }, + { + "url": "https://git.kernel.org/stable/c/766ec94cc57492eab97cbbf1595bd516ab0cb0e4" + }, + { + "url": "https://git.kernel.org/stable/c/62b1f837b15cf3ec2835724bdf8577e47d14c753" + }, + { + "url": "https://git.kernel.org/stable/c/1784053cf10a14c4ebd8a890bad5cfe1bee51713" + }, + { + "url": "https://git.kernel.org/stable/c/c10fed329c1c104f375a75ed97ea3abef0786d62" + }, + { + "url": "https://git.kernel.org/stable/c/bcfcdf19698024565eff427706ebbd8df65abd11" + }, + { + "url": "https://git.kernel.org/stable/c/a20ad45008a7c82f1184dc6dee280096009ece55" + }, + { + "url": "https://git.kernel.org/stable/c/2342b05ec5342a519e00524a507f7a6ea6791a38" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27028" + }, + { + "url": "https://git.kernel.org/linus/a20ad45008a7c82f1184dc6dee280096009ece55(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-321", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27028" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-mt65xx: Fix NULL pointer access in interrupt handler\n\nThe TX buffer in spi_transfer can be a NULL pointer, so the interrupt\nhandler may end up writing to the invalid memory and cause crashes.\n\nAdd a check to trans->tx_buf before using it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27028", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27028" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9" + }, + { + "url": "https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a" + }, + { + "url": "https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf" + }, + { + "url": "https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c" + }, + { + "url": "https://git.kernel.org/linus/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35939" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-322", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35939" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35939", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35939" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d" + }, + { + "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a" + }, + { + "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9" + }, + { + "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b" + }, + { + "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c" + }, + { + "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14" + }, + { + "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029" + }, + { + "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196" + }, + { + "url": "https://git.kernel.org/linus/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35902" + } + ], + "bom-ref": "vuln-323", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35902" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35902", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35902" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430" + }, + { + "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63" + }, + { + "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d" + }, + { + "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e" + }, + { + "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee" + }, + { + "url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26781" + } + ], + "bom-ref": "vuln-324", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26781" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n WARNING: possible circular locking dependency detected\n 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n syz-executor.2/24141 is trying to acquire lock:\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n but task is already holding lock:\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n include/linux/spinlock.h:351 [inline]\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:\n inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n ops_init+0x352/0x610 net/core/net_namespace.c:136\n __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n do_one_initcall+0x238/0x830 init/main.c:1236\n do_initcall_level+0x157/0x210 init/main.c:1298\n do_initcalls+0x3f/0x80 init/main.c:1314\n kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n kernel_init+0x1d/0x2a0 init/main.c:1441\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_fast include/net/sock.h:1723 [inline]\n subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:338 [inline]\n inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n sock_diag_rcv_msg+0xe7/0x410\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26781", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26781" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac" + }, + { + "url": "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee" + }, + { + "url": "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7" + }, + { + "url": "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4" + }, + { + "url": "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3" + }, + { + "url": "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35785" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/95915ba4b987cf2b222b0f251280228a1ff977ac(6.8)" + } + ], + "bom-ref": "vuln-325", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35785" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[ 15.406913] Mem abort info:\n[ 15.409722] ESR = 0x0000000096000005\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.418814] SET = 0, FnV = 0\n[ 15.421878] EA = 0, S1PTW = 0\n[ 15.425031] FSC = 0x05: level 1 translation fault\n[ 15.429922] Data abort info:\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35785", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35785" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5f369efd9d963c1f711a06c9b8baf9f5ce616d85" + }, + { + "url": "https://git.kernel.org/stable/c/2535b848fa0f42ddff3e5255cf5e742c9b77bb26" + }, + { + "url": "https://git.kernel.org/stable/c/5f9fe302dd3a9bbc50f4888464c1773f45166bfd" + }, + { + "url": "https://git.kernel.org/stable/c/369f419c097e82407dd429a202cde9a73d3ae29b" + }, + { + "url": "https://git.kernel.org/stable/c/3ead59bafad05f2967ae2438c0528d53244cfde5" + }, + { + "url": "https://git.kernel.org/stable/c/8d1753973f598531baaa2c1033cf7f7b5bb004b0" + }, + { + "url": "https://git.kernel.org/stable/c/567c0411dc3b424fc7bd1e6109726d7ba32d4f73" + }, + { + "url": "https://git.kernel.org/stable/c/81d7d920a22fd58ef9aedb1bd0a68ee32bd23e96" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26903" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2535b848fa0f42ddff3e5255cf5e742c9b77bb26(6.8-rc7)" + } + ], + "bom-ref": "vuln-326", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26903" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26903" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\n\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\n\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\n\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\n\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\n\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26903", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26903" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:41:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b" + }, + { + "url": "https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783" + }, + { + "url": "https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21" + }, + { + "url": "https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5" + }, + { + "url": "https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0" + }, + { + "url": "https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b" + }, + { + "url": "https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6" + }, + { + "url": "https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb" + }, + { + "url": "https://git.kernel.org/linus/977fe773dcc7098d8eaf4ee6382cb51e13e784cb(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26917" + } + ], + "bom-ref": "vuln-327", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26917" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26917", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26917" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-328", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-131" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706" + }, + { + "url": "https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48" + }, + { + "url": "https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8" + }, + { + "url": "https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5" + }, + { + "url": "https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e" + }, + { + "url": "https://git.kernel.org/linus/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-329", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35872" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35872", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35872" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6edefe1b6c29a9932f558a898968a9fcbeec5711" + }, + { + "url": "https://git.kernel.org/stable/c/2caa605079488da9601099fbda460cfc1702839f" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVVYSTEVMPYGF6GDSOD44MUXZXAZHOHB/" + }, + { + "url": "https://git.kernel.org/stable/c/a23ac1788e2c828c097119e9a3178f0b7e503fee" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSXNF4RLEFLH35BFUQGYXRRVHHUIVBAE/" + }, + { + "url": "https://git.kernel.org/stable/c/3bfe04c1273d30b866f4c7c238331ed3b08e5824" + }, + { + "url": "https://git.kernel.org/stable/c/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815" + }, + { + "url": "https://git.kernel.org/stable/c/7d930a4da17958f869ef679ee0e4a8729337affc" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6776-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26622" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815(6.8-rc7)" + } + ], + "bom-ref": "vuln-330", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26622" + } + } + ], + "created": "2024-03-04T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: fix UAF write bug in tomoyo_write_control()\n\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held. Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26622", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26622" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-13T03:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f51849833705dea5b4f9b0c8de714dd87bd6c95c" + }, + { + "url": "https://git.kernel.org/stable/c/73d1589b91f2099e5f6534a8497b7c6b527e064e" + }, + { + "url": "https://git.kernel.org/stable/c/9dac54f08198147f5ec0ec52fcf1bc8ac899ac05" + }, + { + "url": "https://git.kernel.org/stable/c/4facc9421117ba9d8148c73771b213887fec77f7" + }, + { + "url": "https://git.kernel.org/stable/c/f4d1960764d8a70318b02f15203a1be2b2554ca1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26933" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f4d1960764d8a70318b02f15203a1be2b2554ca1(6.9-rc2)" + } + ], + "bom-ref": "vuln-331", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26933" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in port \"disable\" sysfs attribute\n\nThe show and store callback routines for the \"disable\" sysfs attribute\nfile in port.c acquire the device lock for the port's parent hub\ndevice. This can cause problems if another process has locked the hub\nto remove it or change its configuration:\n\n\tRemoving the hub or changing its configuration requires the\n\thub interface to be removed, which requires the port device\n\tto be removed, and device_del() waits until all outstanding\n\tsysfs attribute callbacks for the ports have returned. The\n\tlock can't be released until then.\n\n\tBut the disable_show() or disable_store() routine can't return\n\tuntil after it has acquired the lock.\n\nThe resulting deadlock can be avoided by calling\nsysfs_break_active_protection(). This will cause the sysfs core not\nto wait for the attribute's callback routine to return, allowing the\nremoval to proceed. The disadvantage is that after making this call,\nthere is no guarantee that the hub structure won't be deallocated at\nany moment. To prevent this, we have to acquire a reference to it\nfirst by calling hub_get().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26933", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26933" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://people.redhat.com/~hkario/marvin/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6240" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6240" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-332", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6240" + } + } + ], + "created": "2024-02-04T14:15:47Z", + "description": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-6240", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + }, + "cwes": [ + 203 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-08T13:15:07Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-333", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-131" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/119cae5ea3f9e35cdada8e572cc067f072fa825a" + }, + { + "url": "https://git.kernel.org/stable/c/acc653e8a3aaab1b7103f98645f2cce7be89e3d3" + }, + { + "url": "https://git.kernel.org/stable/c/5731369af2de21695fe7c1c91fe134fabe5b33b8" + }, + { + "url": "https://git.kernel.org/stable/c/775ed3549819f814a6ecef5726d2b4c23f249b77" + }, + { + "url": "https://git.kernel.org/stable/c/eda02a0bed550f07a8283d3e1f25b90a38e151ed" + }, + { + "url": "https://git.kernel.org/stable/c/a47d68d777b41862757b7e3051f2d46d6e25f87b" + }, + { + "url": "https://git.kernel.org/stable/c/d1261bde59a3a087ab0c81181821e194278d9264" + }, + { + "url": "https://git.kernel.org/stable/c/dca1d93fe42fb9c42b66f61714fbdc55c87eb002" + }, + { + "url": "https://git.kernel.org/linus/119cae5ea3f9e35cdada8e572cc067f072fa825a(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27428" + } + ], + "bom-ref": "vuln-334", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27428" + } + } + ], + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix data-races around sysctl_netrom_network_ttl_initialiser\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27428", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27428" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8" + }, + { + "url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808" + }, + { + "url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f" + }, + { + "url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412" + }, + { + "url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0" + }, + { + "url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e" + }, + { + "url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33" + }, + { + "url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35955" + }, + { + "url": "https://git.kernel.org/linus/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-335", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35955" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35955", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35955" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/01511ac7be8e45f80e637f6bf61af2d3d2dee9db" + }, + { + "url": "https://git.kernel.org/stable/c/7938e9ce39d6779d2f85d822cc930f73420e54a6" + }, + { + "url": "https://git.kernel.org/stable/c/ca976c6a592f789700200069ef9052493c0b73d8" + }, + { + "url": "https://git.kernel.org/stable/c/8c4889a9ea861d7be37463c10846eb75e1b49c9d" + }, + { + "url": "https://git.kernel.org/stable/c/58a946ab43501f2eba058d24d96af0ad1122475b" + }, + { + "url": "https://git.kernel.org/stable/c/0801c893fd48cdba66a3c8f44c3fe43cc67d3b85" + }, + { + "url": "https://git.kernel.org/linus/7938e9ce39d6779d2f85d822cc930f73420e54a6(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27037" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-336", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27037" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: zynq: Prevent null pointer dereference caused by kmalloc failure\n\nThe kmalloc() in zynq_clk_setup() will return null if the\nphysical memory has run out. As a result, if we use snprintf()\nto write data to the null address, the null pointer dereference\nbug will happen.\n\nThis patch uses a stack variable to replace the kmalloc().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27037", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27037" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed" + }, + { + "url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0" + }, + { + "url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10" + }, + { + "url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676" + }, + { + "url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b" + }, + { + "url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2" + }, + { + "url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f" + }, + { + "url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/5266caaf5660529e3da53004b8b7174cab6374ed(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26671" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-337", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26671" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26671", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26671" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/913421f9f7fd8324dcc41753d0f28b52e177ef04" + }, + { + "url": "https://git.kernel.org/stable/c/6632a54ac8057cc0b0d789c6f73883e871bcd25c" + }, + { + "url": "https://git.kernel.org/stable/c/e8025439ef8e16029dc313d78a351ef192469b7b" + }, + { + "url": "https://git.kernel.org/stable/c/a62b9f3d7bbfac874cc0c638bc1776dcf1f8ec06" + }, + { + "url": "https://git.kernel.org/stable/c/a039690d323221eb5865f1f31db3ec264e7a14b6" + }, + { + "url": "https://git.kernel.org/stable/c/aebfdfe39b9327a3077d0df8db3beb3160c9bdd0" + }, + { + "url": "https://git.kernel.org/linus/aebfdfe39b9327a3077d0df8db3beb3160c9bdd0(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52652" + } + ], + "bom-ref": "vuln-338", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52652" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNTB: fix possible name leak in ntb_register_device()\n\nIf device_register() fails in ntb_register_device(), the device name\nallocated by dev_set_name() should be freed. As per the comment in\ndevice_register(), callers should use put_device() to give up the\nreference in the error path. So fix this by calling put_device() in the\nerror path so that the name can be freed in kobject_cleanup().\n\nAs a result of this, put_device() in the error path of\nntb_register_device() is removed and the actual error is returned.\n\n[mani: reworded commit message]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52652", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52652" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0430bfcd46657d9116a26cd377f112cbc40826a4" + }, + { + "url": "https://git.kernel.org/stable/c/14ef61594a5a286ae0d493b8acbf9eac46fd04c4" + }, + { + "url": "https://git.kernel.org/stable/c/486218c11e8d1c8f515a3bdd70d62203609d4b6b" + }, + { + "url": "https://git.kernel.org/stable/c/7104ba0f1958adb250319e68a15eff89ec4fd36d" + }, + { + "url": "https://git.kernel.org/stable/c/396e17af6761b3cc9e6e4ca94b4de7f642bfece1" + }, + { + "url": "https://git.kernel.org/stable/c/be3b82e4871ba00e9b5d0ede92d396d579d7b3b3" + }, + { + "url": "https://git.kernel.org/stable/c/8cc889b9dea0579726be9520fcc766077890b462" + }, + { + "url": "https://git.kernel.org/stable/c/8398d8d735ee93a04fb9e9f490e8cacd737e3bf5" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-339", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26600" + } + } + ], + "created": "2024-02-26T16:27:59Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T18:29:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/61a348857e869432e6a920ad8ea9132e8d44c316" + }, + { + "url": "https://git.kernel.org/stable/c/57e2e42ccd3cd6183228269715ed032f44536751" + }, + { + "url": "https://git.kernel.org/stable/c/88936ceab6b426f1312327e9ef849c215c6007a7" + }, + { + "url": "https://git.kernel.org/stable/c/c7ebd8149ee519d27232e6e4940e9c02071b568b" + }, + { + "url": "https://git.kernel.org/stable/c/36695d5eeeefe5a64b47d0336e7c8fc144e78182" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26715" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/61a348857e869432e6a920ad8ea9132e8d44c316(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-340", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26715" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend\n\nIn current scenario if Plug-out and Plug-In performed continuously\nthere could be a chance while checking for dwc->gadget_driver in\ndwc3_gadget_suspend, a NULL pointer dereference may occur.\n\nCall Stack:\n\n\tCPU1: CPU2:\n\tgadget_unbind_driver dwc3_suspend_common\n\tdwc3_gadget_stop dwc3_gadget_suspend\n dwc3_disconnect_gadget\n\nCPU1 basically clears the variable and CPU2 checks the variable.\nConsider CPU1 is running and right before gadget_driver is cleared\nand in parallel CPU2 executes dwc3_gadget_suspend where it finds\ndwc->gadget_driver which is not NULL and resumes execution and then\nCPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where\nit checks dwc->gadget_driver is already NULL because of which the\nNULL pointer deference occur.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26715", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26715" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09a1907433865b7c8ee6777e507f5126bdd38c0f" + }, + { + "url": "https://git.kernel.org/stable/c/943c14ece95eb1cf98d477462aebcbfdfd714633" + }, + { + "url": "https://git.kernel.org/stable/c/49202a8256fc50517ef06fd5e2084c4febde6369" + }, + { + "url": "https://git.kernel.org/stable/c/9fcadd125044007351905d40c405fadc2d3bb6d6" + }, + { + "url": "https://git.kernel.org/stable/c/ea80e3ed09ab2c2b75724faf5484721753e92c31" + }, + { + "url": "https://git.kernel.org/stable/c/f78807362828ad01db2a9ed005bf79501b620f27" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27432" + }, + { + "url": "https://git.kernel.org/linus/ea80e3ed09ab2c2b75724faf5484721753e92c31(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-341", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27432" + } + } + ], + "created": "2024-05-17T13:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix PPE hanging issue\n\nA patch to resolve an issue was found in MediaTek's GPL-licensed SDK:\nIn the mtk_ppe_stop() function, the PPE scan mode is not disabled before\ndisabling the PPE. This can potentially lead to a hang during the process\nof disabling the PPE.\n\nWithout this patch, the PPE may experience a hang during the reboot test.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27432", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27432" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a1227b27fcccc99dc44f912b479e01a17e2d7d31" + }, + { + "url": "https://git.kernel.org/stable/c/831bc2728fb48a8957a824cba8c264b30dca1425" + }, + { + "url": "https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f" + }, + { + "url": "https://git.kernel.org/stable/c/167d8642daa6a44b51de17f8ff0f584e1e762db7" + }, + { + "url": "https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef02c5125" + }, + { + "url": "https://git.kernel.org/stable/c/743ad091fb46e622f1b690385bb15e3cd3daf874" + }, + { + "url": "https://git.kernel.org/stable/c/f2261eb994aa5757c1da046b78e3229a3ece0ad9" + }, + { + "url": "https://git.kernel.org/linus/743ad091fb46e622f1b690385bb15e3cd3daf874(6.8-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27414" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-342", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27414" + } + } + ], + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back\n\nIn the commit d73ef2d69c0d (\"rtnetlink: let rtnl_bridge_setlink checks\nIFLA_BRIDGE_MODE length\"), an adjustment was made to the old loop logic\nin the function `rtnl_bridge_setlink` to enable the loop to also check\nthe length of the IFLA_BRIDGE_MODE attribute. However, this adjustment\nremoved the `break` statement and led to an error logic of the flags\nwriting back at the end of this function.\n\nif (have_flags)\n memcpy(nla_data(attr), &flags, sizeof(flags));\n // attr should point to IFLA_BRIDGE_FLAGS NLA !!!\n\nBefore the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.\nHowever, this is not necessarily true fow now as the updated loop will let\nthe attr point to the last NLA, even an invalid NLA which could cause\noverflow writes.\n\nThis patch introduces a new variable `br_flag` to save the NLA pointer\nthat points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned\nerror logic.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27414", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27414" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84" + }, + { + "url": "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8" + }, + { + "url": "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4" + }, + { + "url": "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef" + }, + { + "url": "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9" + }, + { + "url": "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35871" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/d14fa1fcf69db9d070e75f1c4425211fa619dfc8(6.9-rc3)" + } + ], + "bom-ref": "vuln-343", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35871" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35871", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35871" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896" + }, + { + "url": "https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd" + }, + { + "url": "https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c" + }, + { + "url": "https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac" + }, + { + "url": "https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300" + }, + { + "url": "https://git.kernel.org/linus/a677ebd8ca2f2632ccdecbad7b87641274e15aac(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26811" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-344", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26811" + } + } + ], + "created": "2024-04-08T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26811", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-28T12:15:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/997ca415384612c8df76d99d9a768e0b3f42b325" + }, + { + "url": "https://git.kernel.org/stable/c/4154e767354140db7804207117e7238fb337b0e7" + }, + { + "url": "https://git.kernel.org/stable/c/ac3e0384073b2408d6cb0d972fee9fcc3776053d" + }, + { + "url": "https://git.kernel.org/stable/c/f6df761182fc953907b18aba5049fc2a044ecb45" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35824" + }, + { + "url": "https://git.kernel.org/linus/ac3e0384073b2408d6cb0d972fee9fcc3776053d(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-345", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35824" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume\n\nWhen not configured for wakeup lis3lv02d_i2c_suspend() will call\nlis3lv02d_poweroff() even if the device has already been turned off\nby the runtime-suspend handler and if configured for wakeup and\nthe device is runtime-suspended at this point then it is not turned\nback on to serve as a wakeup source.\n\nBefore commit b1b9f7a49440 (\"misc: lis3lv02d_i2c: Add missing setting\nof the reg_ctrl callback\"), lis3lv02d_poweroff() failed to disable\nthe regulators which as a side effect made calling poweroff() twice ok.\n\nNow that poweroff() correctly disables the regulators, doing this twice\ntriggers a WARN() in the regulator core:\n\nunbalanced disables for regulator-dummy\nWARNING: CPU: 1 PID: 92 at drivers/regulator/core.c:2999 _regulator_disable\n...\n\nFix lis3lv02d_i2c_suspend() to not call poweroff() a second time if\nalready runtime-suspended and add a poweron() call when necessary to\nmake wakeup work.\n\nlis3lv02d_i2c_resume() has similar issues, with an added weirness that\nit always powers on the device if it is runtime suspended, after which\nthe first runtime-resume will call poweron() again, causing the enabled\ncount for the regulator to increase by 1 every suspend/resume. These\nunbalanced regulator_enable() calls cause the regulator to never\nbe turned off and trigger the following WARN() on driver unbind:\n\nWARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put\n\nFix this by making lis3lv02d_i2c_resume() mirror the new suspend().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35824", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35824" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de" + }, + { + "url": "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1" + }, + { + "url": "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015" + }, + { + "url": "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559" + }, + { + "url": "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1cca1bddf9ef080503c15378cecf4877f7510015(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35938" + } + ], + "bom-ref": "vuln-346", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35938" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35938", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35938" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/all/00000000000056e02f05dfb6e11a@google.com/T/" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6f861765464f43a71462d52026fbddfc858239a5" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-37454" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-347", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37454" + } + } + ], + "created": "2023-07-06T17:15:14Z", + "description": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-37454", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-25T01:15:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:01:50Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ba3c5574203034781ac4231acf117da917efcd2a" + }, + { + "url": "https://git.kernel.org/stable/c/0c3687822259a7628c85cd21a3445cbe3c367165" + }, + { + "url": "https://git.kernel.org/stable/c/2bb86817b33c9d704e127f92b838035a72c315b6" + }, + { + "url": "https://git.kernel.org/stable/c/7ebf812b7019fd2d4d5a7ca45ef4bf3a6f4bda0a" + }, + { + "url": "https://git.kernel.org/stable/c/7abdfd45a650c714d5ebab564bb1b988f14d9b49" + }, + { + "url": "https://git.kernel.org/stable/c/bb44477d4506e52785693a39f03cdc6a2c5e8598" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52616" + }, + { + "url": "https://git.kernel.org/linus/ba3c5574203034781ac4231acf117da917efcd2a(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-348", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52616" + } + } + ], + "created": "2024-03-18T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\n\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52616", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52616" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2227726" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4010" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4010" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-349", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4010" + } + }, + { + "severity": "medium", + "score": 4.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + } + } + ], + "created": "2023-07-31T17:15:10Z", + "description": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-4010", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T04:22:02Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/25c6f49ef59b7a9b80a3f7ab9e95268a1b01a234" + }, + { + "url": "https://git.kernel.org/stable/c/be609c7002dd4504b15b069cb7582f4c778548d1" + }, + { + "url": "https://git.kernel.org/stable/c/f44f073c78112ff921a220d01b86d09f2ace59bc" + }, + { + "url": "https://git.kernel.org/stable/c/84770a996ad8d7f121ff2fb5a8d149aad52d64c1" + }, + { + "url": "https://git.kernel.org/stable/c/9003fa9a0198ce004b30738766c67eb7373479c9" + }, + { + "url": "https://git.kernel.org/stable/c/e4f4bac7d3b64eb75f70cd3345712de6f68a215d" + }, + { + "url": "https://git.kernel.org/stable/c/2adc886244dff60f948497b59affb6c6ebb3c348" + }, + { + "url": "https://git.kernel.org/stable/c/f11f0fd1ad6c11ae7856d4325fe9d05059767225" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52594" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2adc886244dff60f948497b59affb6c6ebb3c348(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-350", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52594" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\n\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\n\nFound by a modified version of syzkaller.\n\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52594", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52594" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4297217bcf1f0948a19c2bacc6b68d92e7778ad9" + }, + { + "url": "https://git.kernel.org/stable/c/f1acb109505d983779bbb7e20a1ee6244d2b5736" + }, + { + "url": "https://git.kernel.org/stable/c/4cc31fa07445879a13750cb061bb8c2654975fcb" + }, + { + "url": "https://git.kernel.org/stable/c/b29b16bd836a838b7690f80e37f8376414c74cbe" + }, + { + "url": "https://git.kernel.org/linus/f1acb109505d983779bbb7e20a1ee6244d2b5736(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26710" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-351", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26710" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Limit KASAN thread size increase to 32KB\n\nKASAN is seen to increase stack usage, to the point that it was reported\nto lead to stack overflow on some 32-bit machines (see link).\n\nTo avoid overflows the stack size was doubled for KASAN builds in\ncommit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with\nKASAN\").\n\nHowever with a 32KB stack size to begin with, the doubling leads to a\n64KB stack, which causes build errors:\n arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff)\n\nAlthough the asm could be reworked, in practice a 32KB stack seems\nsufficient even for KASAN builds - the additional usage seems to be in\nthe 2-3KB range for a 64-bit KASAN build.\n\nSo only increase the stack for KASAN if the stack size is < 32KB.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26710", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/de34de6e57bbbc868e4fcf9e98c76b3587cabb0b" + }, + { + "url": "https://git.kernel.org/stable/c/6a44065dd604972ec1fbcccbdc4a70d266a89cdd" + }, + { + "url": "https://git.kernel.org/stable/c/98f9537fe61b8382b3cc5dd97347531698517c56" + }, + { + "url": "https://git.kernel.org/stable/c/42f433785f108893de0dd5260bafb85d7d51db03" + }, + { + "url": "https://git.kernel.org/stable/c/6fe8b702125aeee6ce83f20092a2341446704e7b" + }, + { + "url": "https://git.kernel.org/stable/c/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68" + }, + { + "url": "https://git.kernel.org/stable/c/e3e95c6850661c77e6dab079d9b5374a618ebb15" + }, + { + "url": "https://git.kernel.org/stable/c/59342822276f753e49d27ef5eebffbba990572b9" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52604" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-352", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52604" + } + } + ], + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n \n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n \nKernel Offset: disabled\nRebooting in 86400 seconds..\n\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\n\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\n\nThe patch is tested via syzbot.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52604", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0bd8ef618a42d7e6ea3f701065264e15678025e3" + }, + { + "url": "https://git.kernel.org/stable/c/39079fe8e660851abbafa90cd55cbf029210661f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26914" + }, + { + "url": "https://git.kernel.org/linus/39079fe8e660851abbafa90cd55cbf029210661f(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-353", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26914" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix incorrect mpc_combine array size\n\n[why]\nMAX_SURFACES is per stream, while MAX_PLANES is per asic. The\nmpc_combine is an array that records all the planes per asic. Therefore\nMAX_PLANES should be used as the array size. Using MAX_SURFACES causes\narray overflow when there are more than 3 planes.\n\n[how]\nUse the MAX_PLANES for the mpc_combine array size.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26914", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26914" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z" + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240115.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" + } + ], + "bom-ref": "vuln-354", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6237" + } + } + ], + "created": "2024-04-25T07:15:45Z", + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-235" + } + ], + "id": "CVE-2023-6237", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d" + }, + { + "url": "https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a" + }, + { + "url": "https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35942" + }, + { + "url": "https://git.kernel.org/linus/697624ee8ad557ab5417f985d2c804241a7ad30d(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-355", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35942" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not enable for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35942", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35942" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9" + }, + { + "url": "https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544" + }, + { + "url": "https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35937" + }, + { + "url": "https://git.kernel.org/linus/9ad7974856926129f190ffbe3beea78460b3b7cc(6.9-rc1)" + } + ], + "bom-ref": "vuln-356", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35937" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35937", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35937" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862" + }, + { + "url": "https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4" + }, + { + "url": "https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb" + }, + { + "url": "https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba" + }, + { + "url": "https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84" + }, + { + "url": "https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35" + }, + { + "url": "https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713" + }, + { + "url": "https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e" + }, + { + "url": "https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7" + }, + { + "url": "https://git.kernel.org/linus/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26956" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-357", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26956" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot. Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block(). This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state. This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above. Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26956", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26956" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7" + }, + { + "url": "https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0" + }, + { + "url": "https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec" + }, + { + "url": "https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2" + }, + { + "url": "https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4" + }, + { + "url": "https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35934" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0(6.9-rc1)" + } + ], + "bom-ref": "vuln-358", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35934" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35934", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35934" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d" + }, + { + "url": "https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8" + }, + { + "url": "https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed" + }, + { + "url": "https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc" + }, + { + "url": "https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50" + }, + { + "url": "https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba" + }, + { + "url": "https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532" + }, + { + "url": "https://git.kernel.org/linus/efe7cf828039aedb297c1f9920b638fffee6aabc(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52637" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-359", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52637" + } + } + ], + "created": "2024-04-03T15:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\n\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\n\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\n\n CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n print_report+0xd3/0x620\n ? kasan_complete_mode_report_info+0x7d/0x200\n ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n kasan_report+0xc2/0x100\n ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n __asan_load4+0x84/0xb0\n j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n j1939_sk_recv+0x20b/0x320 [can_j1939]\n ? __kasan_check_write+0x18/0x20\n ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n ? j1939_simple_recv+0x69/0x280 [can_j1939]\n ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n j1939_can_recv+0x43f/0x580 [can_j1939]\n ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n ? raw_rcv+0x42/0x3c0 [can_raw]\n ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n can_rcv_filter+0x11f/0x350 [can]\n can_receive+0x12f/0x190 [can]\n ? __pfx_can_rcv+0x10/0x10 [can]\n can_rcv+0xdd/0x130 [can]\n ? __pfx_can_rcv+0x10/0x10 [can]\n __netif_receive_skb_one_core+0x13d/0x150\n ? __pfx___netif_receive_skb_one_core+0x10/0x10\n ? __kasan_check_write+0x18/0x20\n ? _raw_spin_lock_irq+0x8c/0xe0\n __netif_receive_skb+0x23/0xb0\n process_backlog+0x107/0x260\n __napi_poll+0x69/0x310\n net_rx_action+0x2a1/0x580\n ? __pfx_net_rx_action+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? handle_irq_event+0x7d/0xa0\n __do_softirq+0xf3/0x3f8\n do_softirq+0x53/0x80\n \n \n __local_bh_enable_ip+0x6e/0x70\n netif_rx+0x16b/0x180\n can_send+0x32b/0x520 [can]\n ? __pfx_can_send+0x10/0x10 [can]\n ? __check_object_size+0x299/0x410\n raw_sendmsg+0x572/0x6d0 [can_raw]\n ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n ? apparmor_socket_sendmsg+0x2f/0x40\n ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n sock_sendmsg+0xef/0x100\n sock_write_iter+0x162/0x220\n ? __pfx_sock_write_iter+0x10/0x10\n ? __rtnl_unlock+0x47/0x80\n ? security_file_permission+0x54/0x320\n vfs_write+0x6ba/0x750\n ? __pfx_vfs_write+0x10/0x10\n ? __fget_light+0x1ca/0x1f0\n ? __rcu_read_unlock+0x5b/0x280\n ksys_write+0x143/0x170\n ? __pfx_ksys_write+0x10/0x10\n ? __kasan_check_read+0x15/0x20\n ? fpregs_assert_state_consistent+0x62/0x70\n __x64_sys_write+0x47/0x60\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6d/0x90\n ? irqentry_exit+0x3f/0x50\n ? exc_page_fault+0x79/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 348:\n kasan_save_stack+0x2a/0x50\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x1f/0x30\n __kasan_kmalloc+0xb5/0xc0\n __kmalloc_node_track_caller+0x67/0x160\n j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n __sys_setsockopt+0x15c/0x2f0\n __x64_sys_setsockopt+0x6b/0x80\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 349:\n kasan_save_stack+0x2a/0x50\n kasan_set_track+0x29/0x40\n kasan_save_free_info+0x2f/0x50\n __kasan_slab_free+0x12e/0x1c0\n __kmem_cache_free+0x1b9/0x380\n kfree+0x7a/0x120\n j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n __sys_setsockopt+0x15c/0x2f0\n __x64_sys_setsockopt+0x6b/0x80\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52637", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52637" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987" + }, + { + "url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b" + }, + { + "url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35878" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a1aa5390cc912934fee76ce80af5f940452fa987(6.9-rc3)" + } + ], + "bom-ref": "vuln-360", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35878" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35878", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35878" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d8eb1238377cd994829f9162ae396a84ae037b2" + }, + { + "url": "https://git.kernel.org/stable/c/c8df9203bf22c66fa26e8d8c7f8ce181cf88099d" + }, + { + "url": "https://git.kernel.org/stable/c/3b1e8a617eb0f4cdc19def530047a95b5abde07d" + }, + { + "url": "https://git.kernel.org/stable/c/0d387dc503f9a53e6d1f6e9dd0292d38f083eba5" + }, + { + "url": "https://git.kernel.org/stable/c/408ba7fd04f959c61b50db79c983484312fea642" + }, + { + "url": "https://git.kernel.org/stable/c/d746889db75a76aeee95fb705b8e1ac28c684a2e" + }, + { + "url": "https://git.kernel.org/stable/c/c9b4e220dd18f79507803f38a55d53b483f6c9c3" + }, + { + "url": "https://git.kernel.org/stable/c/84e95149bd341705f0eca6a7fcb955c548805002" + }, + { + "url": "https://git.kernel.org/stable/c/928705e341010dd910fdece61ccb974f494a758f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27046" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/84e95149bd341705f0eca6a7fcb955c548805002(6.9-rc1)" + } + ], + "bom-ref": "vuln-361", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27046" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: flower: handle acti_netdevs allocation failure\n\nThe kmalloc_array() in nfp_fl_lag_do_work() will return null, if\nthe physical memory has run out. As a result, if we dereference\nthe acti_netdevs, the null pointer dereference bugs will happen.\n\nThis patch adds a check to judge whether allocation failure occurs.\nIf it happens, the delayed work will be rescheduled and try again.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27046", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27046" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/844f104790bd69c2e4dbb9ee3eba46fde1fcea7b" + }, + { + "url": "https://git.kernel.org/stable/c/dbd909c20c11f0d29c0054d41e0d1f668a60e8c8" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26596" + } + ], + "bom-ref": "vuln-362", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26596" + } + } + ], + "created": "2024-02-23T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[ 43.309174] ==================================================================\n[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[ 43.330058]\n[ 43.342436] Call trace:\n[ 43.366542] dsa_user_prechangeupper+0x30/0xe8\n[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8\n[ 43.375768] notifier_call_chain+0xa4/0x210\n[ 43.379985] raw_notifier_call_chain+0x24/0x38\n[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8\n[ 43.389120] netdev_upper_dev_link+0x70/0xa8\n[ 43.393424] register_vlan_dev+0x1bc/0x310\n[ 43.397554] vlan_newlink+0x210/0x248\n[ 43.401247] rtnl_newlink+0x9fc/0xe30\n[ 43.404942] rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type check, as customary.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26596", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T19:54:59Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae" + }, + { + "url": "https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa" + }, + { + "url": "https://git.kernel.org/linus/6379b44cdcd67f5f5d986b73953e99700591edfa(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26972" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-363", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26972" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\n\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n backtrace:\n kmemdup+0x32/0x70\n __fscrypt_encrypt_symlink+0xed/0x1c0\n ubifs_symlink+0x210/0x300 [ubifs]\n vfs_symlink+0x216/0x360\n do_symlinkat+0x11a/0x190\n do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n because ubifs_evict_inode() will do same processes for good\n symlink inode and bad symlink inode, for inode->i_nlink checking\n is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26972", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26972" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ae4acad41b0f93f1c26cc0fc9135bb79d8282d0b" + }, + { + "url": "https://git.kernel.org/stable/c/b2dd7b953c25ffd5912dda17e980e7168bebcf6c" + }, + { + "url": "https://git.kernel.org/stable/c/fb7bcd1722bc9bc55160378f5f99c01198fd14a7" + }, + { + "url": "https://git.kernel.org/stable/c/ec1bedd797588fe38fc11cba26d77bb1d9b194c6" + }, + { + "url": "https://git.kernel.org/stable/c/686820fe141ea0220fc6fdfc7e5694f915cf64b2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/b2dd7b953c25ffd5912dda17e980e7168bebcf6c(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52631" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-364", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52631" + } + } + ], + "created": "2024-04-02T07:15:40Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix an NULL dereference bug\n\nThe issue here is when this is called from ntfs_load_attr_list(). The\n\"size\" comes from le32_to_cpu(attr->res.data_size) so it can't overflow\non a 64bit systems but on 32bit systems the \"+ 1023\" can overflow and\nthe result is zero. This means that the kmalloc will succeed by\nreturning the ZERO_SIZE_PTR and then the memcpy() will crash with an\nOops on the next line.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52631", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52631" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974" + }, + { + "url": "https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e" + }, + { + "url": "https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26783" + } + ], + "bom-ref": "vuln-365", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26783" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn't have its local memory so it has no managed zones, the following\noops has been observed. It's because wakeup_kswapd() is called with a\nwrong zone index, -1. Fixed it by checking the index before calling\nwakeup_kswapd().\n\n> BUG: unable to handle page fault for address: 00000000000033f3\n> #PF: supervisor read access in kernel mode\n> #PF: error_code(0x0000) - not-present page\n> PGD 0 P4D 0\n> Oops: 0000 [#1] PREEMPT SMP NOPTI\n> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n> Code: (omitted)\n> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n> PKRU: 55555554\n> Call Trace:\n> \n> ? __die\n> ? page_fault_oops\n> ? __pte_offset_map_lock\n> ? exc_page_fault\n> ? asm_exc_page_fault\n> ? wakeup_kswapd\n> migrate_misplaced_page\n> __handle_mm_fault\n> handle_mm_fault\n> do_user_addr_fault\n> exc_page_fault\n> asm_exc_page_fault\n> RIP: 0033:0x55b897ba0808\n> Code: (omitted)\n> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n> ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26783", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26783" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2" + }, + { + "url": "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760" + }, + { + "url": "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6" + }, + { + "url": "https://git.kernel.org/linus/1d38a9ee81570c4bd61f557832dead4d6f816760(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52676" + } + ], + "bom-ref": "vuln-366", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52676" + } + } + ], + "created": "2024-05-17T15:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52676", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52676" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96" + }, + { + "url": "https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f" + }, + { + "url": "https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589" + }, + { + "url": "https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95" + }, + { + "url": "https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194" + }, + { + "url": "https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089" + }, + { + "url": "https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060" + }, + { + "url": "https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362" + }, + { + "url": "https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26965" + }, + { + "url": "https://git.kernel.org/linus/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-367", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26965" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26965", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26965" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f46c8a75263f97bda13c739ba1c90aced0d3b071" + }, + { + "url": "https://git.kernel.org/stable/c/aa28eecb43cac6e20ef14dfc50b8892c1fbcda5b" + }, + { + "url": "https://git.kernel.org/stable/c/145febd85c3bcc5c74d87ef9a598fc7d9122d532" + }, + { + "url": "https://git.kernel.org/stable/c/ffd29dc45bc0355393859049f6becddc3ed08f74" + }, + { + "url": "https://git.kernel.org/stable/c/d482d61025e303a2bef3733a011b6b740215cfa1" + }, + { + "url": "https://git.kernel.org/stable/c/21e45a7b08d7cd98d6a53c5fc5111879f2d96611" + }, + { + "url": "https://git.kernel.org/stable/c/f6781add1c311c17eff43e14c786004bbacf901e" + }, + { + "url": "https://git.kernel.org/stable/c/ac3ed969a40357b0542d20f096a6d43acdfa6cc7" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/f46c8a75263f97bda13c739ba1c90aced0d3b071(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52607" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-368", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52607" + } + } + ], + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52607", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52607" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5" + }, + { + "url": "https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47" + }, + { + "url": "https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996" + }, + { + "url": "https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068" + }, + { + "url": "https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f" + }, + { + "url": "https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37" + }, + { + "url": "https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26950" + }, + { + "url": "https://git.kernel.org/linus/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-369", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26950" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26950", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26950" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259" + }, + { + "url": "https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0" + }, + { + "url": "https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924" + }, + { + "url": "https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d" + }, + { + "url": "https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f" + }, + { + "url": "https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6" + }, + { + "url": "https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa" + }, + { + "url": "https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35982" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b1f532a3b1e6d2e5559c7ace49322922637a28aa(6.9-rc4)" + } + ], + "bom-ref": "vuln-370", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35982" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35982", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35982" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051" + }, + { + "url": "https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75" + }, + { + "url": "https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f" + }, + { + "url": "https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74" + }, + { + "url": "https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73" + }, + { + "url": "https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100" + }, + { + "url": "https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b" + }, + { + "url": "https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35944" + }, + { + "url": "https://git.kernel.org/linus/19b070fefd0d024af3daa7329cbc0d00de5302ec(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-371", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35944" + } + } + ], + "created": "2024-05-19T11:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36 struct datagram_entry *entry;\n 37 struct work_struct work;\n 38 bool in_dg_host_queue;\n 39 /* msg and msg_payload must be together. */\n 40 struct vmci_datagram msg;\n 41 u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35944", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35944" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/06dd21045a7e8bc8701b0ebedcd9a30a6325878b" + }, + { + "url": "https://git.kernel.org/stable/c/c0691de7df1d51482a52cac93b7fe82fd9dd296b" + }, + { + "url": "https://git.kernel.org/stable/c/589ec16174dd9378953b8232ae76fad0a96e1563" + }, + { + "url": "https://git.kernel.org/stable/c/0307cf443308ecc6be9b2ca312bb31bae5e5a7ad" + }, + { + "url": "https://git.kernel.org/stable/c/4469c0c5b14a0919f5965c7ceac96b523eb57b79" + }, + { + "url": "https://git.kernel.org/stable/c/2a2ff709511617de9c6c072eeee82bcbbdfecaf8" + }, + { + "url": "https://git.kernel.org/stable/c/0e939a002c8a7d66e60bd0ea6b281fb39d713c1a" + }, + { + "url": "https://git.kernel.org/linus/4469c0c5b14a0919f5965c7ceac96b523eb57b79(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27047" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-372", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27047" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: fix phy_get_internal_delay accessing an empty array\n\nThe phy_get_internal_delay function could try to access to an empty\narray in the case that the driver is calling phy_get_internal_delay\nwithout defining delay_values and rx-internal-delay-ps or\ntx-internal-delay-ps is defined to 0 in the device-tree.\nThis will lead to \"unable to handle kernel NULL pointer dereference at\nvirtual address 0\". To avoid this kernel oops, the test should be delay\n>= 0. As there is already delay < 0 test just before, the test could\nonly be size == 0.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27047", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27047" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d951cf510fb0df91d3abac0121a59ebbc63c0567" + }, + { + "url": "https://git.kernel.org/stable/c/74b84d0d71180330efe67c82f973a87f828323e5" + }, + { + "url": "https://git.kernel.org/stable/c/9127599c075caff234359950117018a010dd01db" + }, + { + "url": "https://git.kernel.org/stable/c/f661017e6d326ee187db24194cabb013d81bc2a6" + }, + { + "url": "https://git.kernel.org/stable/c/b25b64a241d769e932a022e5c780cf135ef56035" + }, + { + "url": "https://git.kernel.org/stable/c/e72160cb6e23b78b41999d6885a34ce8db536095" + }, + { + "url": "https://git.kernel.org/stable/c/e6e3e51ffba0784782b1a076d7441605697ea3c6" + }, + { + "url": "https://git.kernel.org/linus/f661017e6d326ee187db24194cabb013d81bc2a6(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27051" + } + ], + "bom-ref": "vuln-373", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27051" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value\n\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return 0 in case of error.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27051", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27051" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/39001e3c42000e7c2038717af0d33c32319ad591" + }, + { + "url": "https://git.kernel.org/stable/c/ccd1108b16ab572d9bf635586b0925635dbd6bbc" + }, + { + "url": "https://git.kernel.org/stable/c/98db42191329c679f4ca52bec0b319689e1ad8cb" + }, + { + "url": "https://git.kernel.org/stable/c/4bafcc43baf7bcf93566394dbd15726b5b456b7a" + }, + { + "url": "https://git.kernel.org/stable/c/767146637efc528b5e3d31297df115e85a2fd362" + }, + { + "url": "https://git.kernel.org/stable/c/b3c0f553820516ad4b62a9390ecd28d6f73a7b13" + }, + { + "url": "https://git.kernel.org/stable/c/80ee5054435a11c87c9a4f30f1ff750080c96416" + }, + { + "url": "https://git.kernel.org/stable/c/014a807f1cc9c9d5173c1cd935835553b00d211c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26851" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/767146637efc528b5e3d31297df115e85a2fd362(6.8)" + } + ], + "bom-ref": "vuln-374", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26851" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\n\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\n\nvmlinux get_bitmap(b=75) + 712\n\nvmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n\nvmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n\nvmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n\nvmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n\nvmlinux DecodeRasMessage() + 304\n\nvmlinux ras_help() + 684\n\nvmlinux nf_confirm() + 188\n\n\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26851", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26851" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08" + }, + { + "url": "https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7" + }, + { + "url": "https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb" + }, + { + "url": "https://git.kernel.org/linus/652cfeb43d6b9aba5c7c4902bed7a7340df131fb(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27407" + } + ], + "bom-ref": "vuln-375", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27407" + } + } + ], + "created": "2024-05-17T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27407", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27407" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/" + }, + { + "url": "https://groups.google.com/g/golang-announce" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X/" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" + }, + { + "url": "https://security.gentoo.org/glsa/202208-02" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1860.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6038-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1863.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2022-1635.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29526" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6038-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3642" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:1529" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1858.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6277" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6156" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5699" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5337" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5799" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-046.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1847.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-29526" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1859.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5392" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1864.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-047.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:0408" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1861.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1865.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5840" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5201" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1862.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:6714" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2022:5729" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1846.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2022-020.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-048.html" + } + ], + "bom-ref": "vuln-376", + "references": [ + { + "id": "GHSA-p782-xgp4-8hr8", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-p782-xgp4-8hr8" + } + } + ], + "created": "2022-06-23T17:15:12Z", + "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", + "affects": [ + { + "ref": "comp-286" + }, + { + "ref": "comp-281" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526" + }, + "cwes": [ + 269 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526" + } + }, + { + "severity": "none", + "score": 0.00244, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-29526" + } + } + ], + "id": "CVE-2022-29526", + "updated": "2023-11-07T03:46:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T00:50:59Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-286", + "value": "0.0.0-20220412211240-33da011f77ad" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-281", + "value": "0.0.0-20220412211240-33da011f77ad" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8" + }, + { + "url": "https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01" + }, + { + "url": "https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26669" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/32f2a0afa95fae0d1ceec2ff06e0e816939964b8(6.8-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-377", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26669" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26669", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26669" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32465" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-378", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32465" + } + } + ], + "created": "2024-05-14T20:15:14Z", + "description": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.", + "affects": [ + { + "ref": "comp-113" + } + ], + "id": "CVE-2024-32465", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32465" + }, + "cwes": [ + 22 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-15T16:40:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc" + }, + { + "url": "https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0" + }, + { + "url": "https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669" + }, + { + "url": "https://git.kernel.org/linus/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35808" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-379", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35808" + } + } + ], + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\n\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35808", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35808" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1a770927dc1d642b22417c3e668c871689fc58b3" + }, + { + "url": "https://git.kernel.org/stable/c/afdd29726a6de4ba27cd15590661424c888dc596" + }, + { + "url": "https://git.kernel.org/stable/c/d9fefc51133107e59d192d773be86c1150cfeebb" + }, + { + "url": "https://git.kernel.org/stable/c/0e296067ae0d74a10b4933601f9aa9f0ec8f157f" + }, + { + "url": "https://git.kernel.org/stable/c/8d95465d9a424200485792858c5b3be54658ce19" + }, + { + "url": "https://git.kernel.org/stable/c/37fe99016b12d32100ce670216816dba6c48b309" + }, + { + "url": "https://git.kernel.org/stable/c/06e456a05d669ca30b224b8ed962421770c1496c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26855" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/06e456a05d669ca30b224b8ed962421770c1496c(6.8)" + } + ], + "bom-ref": "vuln-380", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26855" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\n\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26855", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26855" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e" + }, + { + "url": "https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760" + }, + { + "url": "https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f" + }, + { + "url": "https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e" + }, + { + "url": "https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60" + }, + { + "url": "https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894" + }, + { + "url": "https://git.kernel.org/linus/577e4432f3ac810049cb7e6b71f4d96ec7c6e894(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26640" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-381", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26640" + } + } + ], + "created": "2024-03-18T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add sanity checks to rx zerocopy\n\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\n\nThis patch adds to can_map_frag() these additional checks:\n\n- Page must not be a compound one.\n- page->mapping must be NULL.\n\nThis fixes the panic reported by ZhangPeng.\n\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\n\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n 0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n 0x181e42, 0x0)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26640", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26640" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e0e1958f4c365e380b17ccb35617345b31ef7bf3" + }, + { + "url": "https://git.kernel.org/stable/c/8e44dc3f96e903815dab1d74fff8faafdc6feb61" + }, + { + "url": "https://git.kernel.org/stable/c/bc6ef64dbe71136f327d63b2b9071b828af2c2a8" + }, + { + "url": "https://git.kernel.org/stable/c/32e8f2d95528d45828c613417cb2827d866cbdce" + }, + { + "url": "https://git.kernel.org/stable/c/bacdaa04251382d7efd4f09f9a0686bfcc297e2e" + }, + { + "url": "https://git.kernel.org/stable/c/81b4249ef37297fb17ba102a524039a05c6c5d35" + }, + { + "url": "https://git.kernel.org/stable/c/93df0a2a0b3cde2d7ab3a52ed46ea1d6d4aaba5f" + }, + { + "url": "https://git.kernel.org/stable/c/1696d6d7d4a1b373e96428d0fe1166bd7c3c795e" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6741-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6740-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/e0e1958f4c365e380b17ccb35617345b31ef7bf3(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52600" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6739-1" + } + ], + "bom-ref": "vuln-382", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52600" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uaf in jfs_evict_inode\n\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\n\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52600" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19" + }, + { + "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529" + }, + { + "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52452" + } + ], + "bom-ref": "vuln-383", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52452" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452" + } + } + ], + "created": "2024-02-22T17:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52452", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452" + }, + "cwes": [ + 665 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T18:24:33Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d" + }, + { + "url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f" + }, + { + "url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430" + }, + { + "url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb" + }, + { + "url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f" + }, + { + "url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26727" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb(6.8-rc4)" + } + ], + "bom-ref": "vuln-384", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26727" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/20fdb21eabaeb8f78f8f701f56d14ea0836ec861" + }, + { + "url": "https://git.kernel.org/stable/c/6417684315087904fffe8966d27ca74398c57dd6" + }, + { + "url": "https://git.kernel.org/stable/c/4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b" + }, + { + "url": "https://git.kernel.org/stable/c/f13edd1871d4fb4ab829aff629d47914e251bae3" + }, + { + "url": "https://git.kernel.org/stable/c/b69f577308f1070004cafac106dd1a44099e5483" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26946" + }, + { + "url": "https://git.kernel.org/linus/4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-385", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26946" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address\n\nRead from an unsafe address with copy_from_kernel_nofault() in\narch_adjust_kprobe_addr() because this function is used before checking\nthe address is in text or not. Syzcaller bot found a bug and reported\nthe case if user specifies inaccessible data area,\narch_adjust_kprobe_addr() will cause a kernel panic.\n\n[ mingo: Clarified the comment. ]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26946", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26946" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428" + }, + { + "url": "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494" + }, + { + "url": "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139" + }, + { + "url": "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1" + }, + { + "url": "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30" + }, + { + "url": "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27" + }, + { + "url": "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-056.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26925" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-064.html" + }, + { + "url": "https://git.kernel.org/linus/0d459e2ffb541841714839e8228b845458ed3b27(6.9-rc3)" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-613.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-042.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-386", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26925" + } + } + ], + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26925", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26925" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef421360e1ad9e" + }, + { + "url": "https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913" + }, + { + "url": "https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa" + }, + { + "url": "https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db" + }, + { + "url": "https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1" + }, + { + "url": "https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26747" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1c9be13846c0b2abc2480602f8ef421360e1ad9e(6.8-rc6)" + } + ], + "bom-ref": "vuln-387", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26747" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: roles: fix NULL pointer issue when put module's reference\n\nIn current design, usb role class driver will get usb_role_switch parent's\nmodule reference after the user get usb_role_switch device and put the\nreference after the user put the usb_role_switch device. However, the\nparent device of usb_role_switch may be removed before the user put the\nusb_role_switch. If so, then, NULL pointer issue will be met when the user\nput the parent module's reference.\n\nThis will save the module pointer in structure of usb_role_switch. Then,\nwe don't need to find module by iterating long relations.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26747", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26747" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557" + }, + { + "url": "https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38" + }, + { + "url": "https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11" + }, + { + "url": "https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b" + }, + { + "url": "https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076" + }, + { + "url": "https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35990" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/244296cc3a155199a8b080d19e645d7d49081a38(6.9-rc6)" + } + ], + "bom-ref": "vuln-388", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35990" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35990", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35990" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7" + }, + { + "url": "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1" + }, + { + "url": "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2" + }, + { + "url": "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0" + }, + { + "url": "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35958" + }, + { + "url": "https://git.kernel.org/linus/bf02d9fe00632d22fa91d34749c7aacf397b6cde(6.9-rc4)" + } + ], + "bom-ref": "vuln-389", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35958" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35958", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35958" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6" + }, + { + "url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44" + }, + { + "url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee" + }, + { + "url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d" + }, + { + "url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197" + }, + { + "url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b" + }, + { + "url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa" + }, + { + "url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26735" + }, + { + "url": "https://git.kernel.org/linus/5559cea2d5aa3018a5f00dd2aca3427ba09b386b(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-390", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26735" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26735", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26735" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:04:56Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d219724d4b0ddb8ec7dfeaed5989f23edabaf591" + }, + { + "url": "https://git.kernel.org/stable/c/4d99d267da3415db2124029cb5a6d2d955ca43f9" + }, + { + "url": "https://git.kernel.org/stable/c/e888c4461e109f7b93c3522afcbbaa5a8fdf29d2" + }, + { + "url": "https://git.kernel.org/stable/c/5f0e4aede01cb01fa633171f0533affd25328c3a" + }, + { + "url": "https://git.kernel.org/stable/c/bea9573c795acec5614d4ac2dcc7b3b684cea5bf" + }, + { + "url": "https://git.kernel.org/stable/c/96481624fb5a6319079fb5059e46dbce43a90186" + }, + { + "url": "https://git.kernel.org/stable/c/da10f6b7918abd5b4bc5c9cb66f0fc6763ac48f3" + }, + { + "url": "https://git.kernel.org/stable/c/f0dd27314c7afe34794c2aa19dd6f2d30eb23bc7" + }, + { + "url": "https://git.kernel.org/stable/c/8e243ac649c10922a6b4855170eaefe4c5b3faab" + }, + { + "url": "https://git.kernel.org/linus/5f0e4aede01cb01fa633171f0533affd25328c3a(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35828" + } + ], + "bom-ref": "vuln-391", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35828" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\n\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35828", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35828" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/333fe86968482ca701c609af590003bcea450e8f" + }, + { + "url": "https://git.kernel.org/stable/c/81e921fd321614c2ad8ac333b041aae1da7a1c6d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27079" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/81e921fd321614c2ad8ac333b041aae1da7a1c6d(6.9-rc1)" + } + ], + "bom-ref": "vuln-392", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27079" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix NULL domain on device release\n\nIn the kdump kernel, the IOMMU operates in deferred_attach mode. In this\nmode, info->domain may not yet be assigned by the time the release_device\nfunction is called. It leads to the following crash in the crash kernel:\n\n BUG: kernel NULL pointer dereference, address: 000000000000003c\n ...\n RIP: 0010:do_raw_spin_lock+0xa/0xa0\n ...\n _raw_spin_lock_irqsave+0x1b/0x30\n intel_iommu_release_device+0x96/0x170\n iommu_deinit_device+0x39/0xf0\n __iommu_group_remove_device+0xa0/0xd0\n iommu_bus_notifier+0x55/0xb0\n notifier_call_chain+0x5a/0xd0\n blocking_notifier_call_chain+0x41/0x60\n bus_notify+0x34/0x50\n device_del+0x269/0x3d0\n pci_remove_bus_device+0x77/0x100\n p2sb_bar+0xae/0x1d0\n ...\n i801_probe+0x423/0x740\n\nUse the release_domain mechanism to fix it. The scalable mode context\nentry which is not part of release domain should be cleared in\nrelease_device().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27079", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27079" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7" + }, + { + "url": "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d" + }, + { + "url": "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac" + }, + { + "url": "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0" + }, + { + "url": "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d" + }, + { + "url": "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5" + }, + { + "url": "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85" + }, + { + "url": "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35888" + }, + { + "url": "https://git.kernel.org/linus/17af420545a750f763025149fa7b833a4fc8b8f0(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-393", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35888" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35888", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35888" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a" + }, + { + "url": "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7" + }, + { + "url": "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4" + }, + { + "url": "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865" + }, + { + "url": "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d" + }, + { + "url": "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807" + }, + { + "url": "https://git.kernel.org/linus/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35791" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-394", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35791" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35791", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35791" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6" + }, + { + "url": "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9" + }, + { + "url": "https://git.kernel.org/linus/86a1471d7cde792941109b93b558b5dc078b9ee9(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27011" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-395", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27011" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] \n[ 6170.287973] ? __warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27011", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27011" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" + }, + { + "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be" + }, + { + "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17" + }, + { + "url": "https://git.kernel.org/linus/52f671db18823089a02f07efc04efdb2272ddc17(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26740" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-396", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26740" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26740", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26740" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0fbcf2366ba9888cf02eda23e35fde7f7fcc07c3" + }, + { + "url": "https://git.kernel.org/stable/c/f0b5225a7dfc1bf53c98215db8c2f0b4efd3f108" + }, + { + "url": "https://git.kernel.org/stable/c/b2bb19114c079dcfec1ea46e761f510e30505e70" + }, + { + "url": "https://git.kernel.org/stable/c/23ec1cec24293f9799c725941677d4e167997265" + }, + { + "url": "https://git.kernel.org/stable/c/11b998360d96f6c76f04a95f54b49f24d3c858e4" + }, + { + "url": "https://git.kernel.org/stable/c/b3cf70472a600bcb2efe24906bc9bc6014d4c6f6" + }, + { + "url": "https://git.kernel.org/linus/0fbcf2366ba9888cf02eda23e35fde7f7fcc07c3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26881" + } + ], + "bom-ref": "vuln-397", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26881" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26881" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\n\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\n\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26881", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26881" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:37:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-588.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070133" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2515.html" + }, + { + "url": "https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-605.html" + }, + { + "url": "https://seclists.org/oss-sec/2024/q1/240" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0450" + } + ], + "bom-ref": "vuln-398", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0450" + } + } + ], + "created": "2024-03-19T16:15:09Z", + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "affects": [ + { + "ref": "comp-41" + } + ], + "id": "CVE-2024-0450", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450" + }, + "cwes": [ + 405 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T22:15:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426" + }, + { + "url": "https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4" + }, + { + "url": "https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9" + }, + { + "url": "https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be" + }, + { + "url": "https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0" + }, + { + "url": "https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26843" + }, + { + "url": "https://git.kernel.org/linus/de1034b38a346ef6be25fe8792f5d1e0684d5ff4(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-399", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26843" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: Fix potential overflow of soft-reserved region size\n\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26843", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26843" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c" + }, + { + "url": "https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672" + }, + { + "url": "https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e" + }, + { + "url": "https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26723" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/15faa1f67ab405d47789d4702f587ec7df7ef03e(6.8-rc5)" + } + ], + "bom-ref": "vuln-400", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26723" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix crash when adding interface under a lag\n\nThere is a crash when adding one of the lan966x interfaces under a lag\ninterface. The issue can be reproduced like this:\nip link add name bond0 type bond miimon 100 mode balance-xor\nip link set dev eth0 master bond0\n\nThe reason is because when adding a interface under the lag it would go\nthrough all the ports and try to figure out which other ports are under\nthat lag interface. And the issue is that lan966x can have ports that are\nNULL pointer as they are not probed. So then iterating over these ports\nit would just crash as they are NULL pointers.\nThe fix consists in actually checking for NULL pointers before accessing\nsomething from the ports. Like we do in other places.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26723", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26723" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0" + }, + { + "url": "https://git.kernel.org/stable/c/230e89b5ad0a33f530a2a976b3e5e4385cb27882" + }, + { + "url": "https://git.kernel.org/stable/c/0c09912dd8387e228afcc5e34ac5d79b1e3a1058" + }, + { + "url": "https://git.kernel.org/stable/c/0516c06b19dc64807c10e01bb99b552bdf2d7dbe" + }, + { + "url": "https://git.kernel.org/stable/c/2738e0aa2fb24a7ab9c878d912dc2b239738c6c6" + }, + { + "url": "https://git.kernel.org/stable/c/70ef2ba1f4286b2b73675aeb424b590c92d57b25" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26712" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-401", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26712" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Fix addr error caused by page alignment\n\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\n\nAs a result, memory overwriting occurs.\n\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\n\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26712", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26712" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a2e706841488f474c06e9b33f71afc947fb3bf56" + }, + { + "url": "https://git.kernel.org/stable/c/89aa78a34340e9dbc3248095f44d81d0e1c23193" + }, + { + "url": "https://git.kernel.org/stable/c/db006d7edbf0b4800390ece3727a82f4ae764043" + }, + { + "url": "https://git.kernel.org/stable/c/0d43a58900e5a2bfcc9de47e16c6c501c0bef853" + }, + { + "url": "https://git.kernel.org/stable/c/489e05c614dbeb1a1148959f02bdb788891819e6" + }, + { + "url": "https://git.kernel.org/stable/c/46803b776d869b0c36041828a83c4f7da2dfa03b" + }, + { + "url": "https://git.kernel.org/stable/c/4f2efa17c3ec5e4be0567b47439b9713c0dc6550" + }, + { + "url": "https://git.kernel.org/stable/c/652b0b35819610a42b8a90d21acb12f69943b397" + }, + { + "url": "https://git.kernel.org/linus/a2e706841488f474c06e9b33f71afc947fb3bf56(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27423" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-402", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27423" + } + } + ], + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_requested_window_size\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27423", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27423" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/90029b9c979b60de5cb2b70ade4bbf61d561bc5d" + }, + { + "url": "https://git.kernel.org/stable/c/afd2a82fe300032f63f8be5d6cd6981e75f8bbf2" + }, + { + "url": "https://git.kernel.org/stable/c/3dd8abb0ed0e0a7c66d6d677c86ccb188cc39333" + }, + { + "url": "https://git.kernel.org/stable/c/0c9550b032de48d6a7fa6a4ddc09699d64d9300d" + }, + { + "url": "https://git.kernel.org/stable/c/9c23ef30e840fedc66948299509f6c2777c9cf4f" + }, + { + "url": "https://git.kernel.org/stable/c/0175f2d34c85744f9ad6554f696cf0afb5bd04e4" + }, + { + "url": "https://git.kernel.org/stable/c/dc866b69cc51af9b8509b4731b8ce2a4950cd0ef" + }, + { + "url": "https://git.kernel.org/stable/c/8f94b49a5b5d386c038e355bef6347298aabd211" + }, + { + "url": "https://git.kernel.org/stable/c/5dc319cc3c4f7b74f7dfba349aa26f87efb52458" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27077" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8f94b49a5b5d386c038e355bef6347298aabd211(6.9-rc1)" + } + ], + "bom-ref": "vuln-403", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27077" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity\n\nThe entity->name (i.e. name) is allocated in v4l2_m2m_register_entity\nbut isn't freed in its following error-handling paths. This patch\nadds such deallocation to prevent memleak of entity->name.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27077", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27077" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe" + }, + { + "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280" + }, + { + "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd" + }, + { + "url": "https://git.kernel.org/linus/4551b30525cf3d2f026b92401ffe241eb04dfebe(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26768" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-404", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26768" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250\n[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000420000004259\n[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94\n[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250\n[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c\n[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670\n[ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26768", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26768" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198" + }, + { + "url": "https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b" + }, + { + "url": "https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d" + }, + { + "url": "https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6" + }, + { + "url": "https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb" + }, + { + "url": "https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26970" + }, + { + "url": "https://git.kernel.org/linus/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d(6.9-rc1)" + } + ], + "bom-ref": "vuln-405", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26970" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26970", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26970" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0841" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256490" + }, + { + "url": "https://lore.kernel.org/all/20240130210418.3771-1-osalvador@suse.de/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0841" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-406", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0841" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + } + } + ], + "created": "2024-01-28T12:15:52Z", + "description": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-0841", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:15:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0dab75b433ed2480d57ae4f8f725186a46223e42" + }, + { + "url": "https://git.kernel.org/stable/c/3a6a32b31a111f6e66526fb2d3cb13a876465076" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35881" + }, + { + "url": "https://git.kernel.org/linus/3a6a32b31a111f6e66526fb2d3cb13a876465076(6.9-rc1)" + } + ], + "bom-ref": "vuln-407", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35881" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/display: Send DTBCLK disable message on first commit\"\n\nThis reverts commit f341055b10bd8be55c3c995dff5f770b236b8ca9.\n\nSystem hang observed, this commit is thought to be the\nregression point.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35881", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35881" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63" + }, + { + "url": "https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da" + }, + { + "url": "https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26952" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da(6.9-rc1)" + } + ], + "bom-ref": "vuln-408", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26952" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26952", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26952" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f860595512ff5c05a29fa4d64169c3fd1186b8cf" + }, + { + "url": "https://git.kernel.org/stable/c/20a915154ccb88da08986ab6c9fc4c1cf6259de2" + }, + { + "url": "https://git.kernel.org/stable/c/32223b0b60d53f49567fc501f91ca076ae96be6b" + }, + { + "url": "https://git.kernel.org/stable/c/f5e65b782f3e07324b9a8fa3cdaee422f057c758" + }, + { + "url": "https://git.kernel.org/stable/c/976b1b2680fb4c01aaf05a0623288d87619a6c93" + }, + { + "url": "https://git.kernel.org/stable/c/3ddf944b32f88741c303f0b21459dbb3872b8bc5" + }, + { + "url": "https://git.kernel.org/stable/c/5a02df3e92470efd589712925b5c722e730276a0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35876" + }, + { + "url": "https://git.kernel.org/linus/3ddf944b32f88741c303f0b21459dbb3872b8bc5(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-409", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35876" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mce: Make sure to grab mce_sysfs_mutex in set_bank()\n\nModifying a MCA bank's MCA_CTL bits which control which error types to\nbe reported is done over\n\n /sys/devices/system/machinecheck/\n ??? machinecheck0\n ?   ??? bank0\n ?   ??? bank1\n ?   ??? bank10\n ?   ??? bank11\n ...\n\nsysfs nodes by writing the new bit mask of events to enable.\n\nWhen the write is accepted, the kernel deletes all current timers and\nreinits all banks.\n\nDoing that in parallel can lead to initializing a timer which is already\narmed and in the timer wheel, i.e., in use already:\n\n ODEBUG: init active (active state 0) object: ffff888063a28000 object\n type: timer_list hint: mce_timer_fn+0x0/0x240 arch/x86/kernel/cpu/mce/core.c:2642\n WARNING: CPU: 0 PID: 8120 at lib/debugobjects.c:514\n debug_print_object+0x1a0/0x2a0 lib/debugobjects.c:514\n\nFix that by grabbing the sysfs mutex as the rest of the MCA sysfs code\ndoes.\n\nReported by: Yue Sun \nReported by: xingwei lee ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35876", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35876" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0" + }, + { + "url": "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5" + }, + { + "url": "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa" + }, + { + "url": "https://git.kernel.org/linus/24a9799aa8efecd0eb55a75e35f9d8e6400063aa(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35870" + } + ], + "bom-ref": "vuln-410", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35870" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35870", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35870" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589" + }, + { + "url": "https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135" + }, + { + "url": "https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27062" + }, + { + "url": "https://git.kernel.org/linus/b7cc4ff787a572edf2c55caeffaa88cd801eb135(6.8)" + } + ], + "bom-ref": "vuln-411", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27062" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555] \n[ 4562.099573] ? die_addr+0x36/0x90\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356] __do_fault+0x32/0x150\n[ 4562.100362] do_fault+0x7c/0x560\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\n[ 4562.100388] do_user_addr_fault+0x208/0x860\n[ 4562.100395] exc_page_fault+0x7f/0x200\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446] \n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27062", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27062" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045" + }, + { + "url": "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682" + }, + { + "url": "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35866" + }, + { + "url": "https://git.kernel.org/linus/58acd1f497162e7d282077f816faa519487be045(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-412", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35866" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35866", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35866" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2021-3864" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015046" + }, + { + "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com/" + }, + { + "url": "https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/" + }, + { + "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3864" + }, + { + "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3864" + }, + { + "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-413", + "ratings": [ + { + "severity": "high", + "score": 7.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3864" + } + } + ], + "created": "2022-08-26T16:15:09Z", + "description": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2021-3864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + }, + "cwes": [ + 284 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-02-12T23:42:51Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-10T01:20:18Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834" + }, + { + "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034" + }, + { + "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899" + }, + { + "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c" + }, + { + "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d" + }, + { + "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3" + }, + { + "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e" + }, + { + "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26812" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-414", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26812" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those. The igate mutex cannot be acquired from the\natomic context of the eventfd wake function. Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd. Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26812", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5af385f5f4cddf908f663974847a4083b2ff2c79" + }, + { + "url": "https://git.kernel.org/stable/c/ebfe41889b762f1933c6762f6624b9724a25bee0" + }, + { + "url": "https://git.kernel.org/stable/c/66297b2ceda841f809637731d287bda3a93b49d8" + }, + { + "url": "https://git.kernel.org/stable/c/93ba36238db6a74a82feb3dc476e25ea424ad630" + }, + { + "url": "https://git.kernel.org/stable/c/d34a516f2635090d36a306f84573e8de3d7374ce" + }, + { + "url": "https://git.kernel.org/stable/c/9b7c5004d7c5ae062134052a85290869a015814c" + }, + { + "url": "https://git.kernel.org/stable/c/15aa09d6d84629eb5296de30ac0aa19a33512f16" + }, + { + "url": "https://git.kernel.org/linus/5af385f5f4cddf908f663974847a4083b2ff2c79(6.9-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35983" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-415", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35983" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS\n\nbits_per() rounds up to the next power of two when passed a power of\ntwo. This causes crashes on some machines and configurations.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35983", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35983" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054" + }, + { + "url": "https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83" + }, + { + "url": "https://git.kernel.org/linus/262534ddc88dfea7474ed18adfecf856e4fbe054(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35926" + } + ], + "bom-ref": "vuln-416", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35926" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35926", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35926" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" + }, + { + "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210" + }, + { + "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d" + }, + { + "url": "https://git.kernel.org/linus/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26739" + } + ], + "bom-ref": "vuln-417", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26739" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26739", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26739" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a585faf0591548fe0920641950ebfa8a6eefe1cd" + }, + { + "url": "https://git.kernel.org/stable/c/52fff5799e3d1b5803ecd2f5f19c13c65f4f7b23" + }, + { + "url": "https://git.kernel.org/stable/c/731ab1f9828800df871c5a7ab9ffe965317d3f15" + }, + { + "url": "https://git.kernel.org/stable/c/6ed6cdbe88334ca3430c5aee7754dc4597498dfb" + }, + { + "url": "https://git.kernel.org/stable/c/0830c5cf19bdec50d0ede4755ddc463663deb21c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52640" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/731ab1f9828800df871c5a7ab9ffe965317d3f15(6.8-rc4)" + } + ], + "bom-ref": "vuln-418", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52640" + } + } + ], + "created": "2024-04-03T17:15:47Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix oob in ntfs_listxattr\n\nThe length of name cannot exceed the space occupied by ea.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52640", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52640" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c" + }, + { + "url": "https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951" + }, + { + "url": "https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c" + }, + { + "url": "https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82" + }, + { + "url": "https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a" + }, + { + "url": "https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35879" + }, + { + "url": "https://git.kernel.org/linus/8917e7385346bd6584890ed362985c219fe6ae84(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-419", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35879" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35879", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8" + }, + { + "url": "https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983" + }, + { + "url": "https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e" + }, + { + "url": "https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf" + }, + { + "url": "https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d" + }, + { + "url": "https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a" + }, + { + "url": "https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced" + }, + { + "url": "https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797" + }, + { + "url": "https://git.kernel.org/linus/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27025" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-420", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27025" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27025", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27025" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6ef5d5b92f7117b324efaac72b3db27ae8bb3082" + }, + { + "url": "https://git.kernel.org/stable/c/050ad2ca0ac169dd9e552075d2c6af1bbb46534c" + }, + { + "url": "https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293c7454b2" + }, + { + "url": "https://git.kernel.org/stable/c/422d5243b9f780abd3d39da2b746e3915677b07d" + }, + { + "url": "https://git.kernel.org/stable/c/ed5b8b735369b40d6c1f8ef3e62d369f74b4c491" + }, + { + "url": "https://git.kernel.org/stable/c/4a98bc739d0753a5810ce5630943cd7614c7717e" + }, + { + "url": "https://git.kernel.org/stable/c/1f0d7792e9023e8658e901b7b76a555f6aa052ec" + }, + { + "url": "https://git.kernel.org/stable/c/d14b8e2005f36319df9412d42037416d64827f6b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26722" + }, + { + "url": "https://git.kernel.org/linus/6ef5d5b92f7117b324efaac72b3db27ae8bb3082(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-421", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26722" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()\n\nThere is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex\nis left locked forever. That may lead to deadlock\nwhen rt5645_jack_detect_work() is called for the second time.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26722", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26722" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/967d3c27127e71a10ff5c083583a038606431b61" + }, + { + "url": "https://git.kernel.org/stable/c/e64148635509bf13eea851986f5a0b150e5bd066" + }, + { + "url": "https://git.kernel.org/stable/c/987c3ed7297e5661bc7f448f06fc366e497ac9b2" + }, + { + "url": "https://git.kernel.org/stable/c/2dba5774e8ed326a78ad4339d921a4291281ea6e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27404" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/967d3c27127e71a10ff5c083583a038606431b61(6.8-rc6)" + } + ], + "bom-ref": "vuln-422", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27404" + } + } + ], + "created": "2024-05-17T12:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data races on remote_id\n\nSimilar to the previous patch, address the data race on\nremote_id, adding the suitable ONCE annotations.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27404", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27404" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5" + }, + { + "url": "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c" + }, + { + "url": "https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123" + }, + { + "url": "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469" + }, + { + "url": "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc" + }, + { + "url": "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034" + }, + { + "url": "https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27004" + }, + { + "url": "https://git.kernel.org/linus/e581cf5d216289ef292d1a4036d53ce90e122469(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-423", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27004" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n __device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159764" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0160" + }, + { + "url": "https://lore.kernel.org/bpf/000000000000f1db9605f939720e@google.com/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0160" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-184.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/all/20230406122622.109978-1-liuxin350@huawei.com/" + } + ], + "bom-ref": "vuln-424", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0160" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" + } + } + ], + "created": "2023-07-18T17:15:11Z", + "description": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-0160", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" + }, + "cwes": [ + 667, + 833 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T03:59:46Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T08:32:01Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397" + }, + { + "url": "https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f" + }, + { + "url": "https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9" + }, + { + "url": "https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a" + }, + { + "url": "https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430" + }, + { + "url": "https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3" + }, + { + "url": "https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03" + }, + { + "url": "https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec" + }, + { + "url": "https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/584c2a9184a33a40fceee838f856de3cffa19be3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35806" + } + ], + "bom-ref": "vuln-425", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35806" + } + } + ], + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35806", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35806" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99" + }, + { + "url": "https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d" + }, + { + "url": "https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2" + }, + { + "url": "https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f" + }, + { + "url": "https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38" + }, + { + "url": "https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0" + }, + { + "url": "https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03" + }, + { + "url": "https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9" + }, + { + "url": "https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26966" + }, + { + "url": "https://git.kernel.org/linus/a903cfd38d8dee7e754fb89fd1bebed99e28003d(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-426", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26966" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26966", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26966" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-427", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-254" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + }, + { + "url": "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20" + }, + { + "url": "https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3" + }, + { + "url": "https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26605" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1e560864159d002b453da42bd2c13a1805515a20(6.8-rc3)" + } + ], + "bom-ref": "vuln-428", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26605" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26605", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605" + }, + "cwes": [ + 667 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-28T12:15:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/042ef0afc40fa1a22b3608f22915b91ce39d128f" + }, + { + "url": "https://git.kernel.org/stable/c/016119154981d81c9e8f2ea3f56b9e2b4ea14500" + }, + { + "url": "https://git.kernel.org/stable/c/eb08db0fc5354fa17b7ed66dab3c503332423451" + }, + { + "url": "https://git.kernel.org/stable/c/4be9075fec0a639384ed19975634b662bfab938f" + }, + { + "url": "https://git.kernel.org/stable/c/25e3ce59c1200f1f0563e39de151f34962ab0fe1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26940" + }, + { + "url": "https://git.kernel.org/linus/4be9075fec0a639384ed19975634b662bfab938f(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-429", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26940" + } + } + ], + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed\n\nThe driver creates /sys/kernel/debug/dri/0/mob_ttm even when the\ncorresponding ttm_resource_manager is not allocated.\nThis leads to a crash when trying to read from this file.\n\nAdd a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file\nonly when the corresponding ttm_resource_manager is allocated.\n\ncrash> bt\nPID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: \"grep\"\n #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3\n #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a\n #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1\n #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1\n #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913\n #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c\n #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887\n #7 [ffffb954506b3d40] page_fault at ffffffffb360116e\n [exception RIP: ttm_resource_manager_debug+0x11]\n RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246\n RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940\n RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000\n RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000\n R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff\n R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]\n #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3\n RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246\n RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985\n RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003\n RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000\n R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003\n ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26940", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26940" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb4f56f3ff5799ca754ae6d811803a63fe25a4a2" + }, + { + "url": "https://git.kernel.org/stable/c/7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52" + }, + { + "url": "https://git.kernel.org/stable/c/79592a6e7bdc1d05460c95f891f5e5263a107af8" + }, + { + "url": "https://git.kernel.org/stable/c/fb8bfc6ea3cd8c5ac3d35711d064e2f6646aec17" + }, + { + "url": "https://git.kernel.org/linus/7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26667" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-430", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26667" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup\n\nThe commit 8b45a26f2ba9 (\"drm/msm/dpu: reserve cdm blocks for writeback\nin case of YUV output\") introduced a smatch warning about another\nconditional block in dpu_encoder_helper_phys_cleanup() which had assumed\nhw_pp will always be valid which may not necessarily be true.\n\nLets fix the other conditional block by making sure hw_pp is valid\nbefore dereferencing it.\n\nPatchwork: https://patchwork.freedesktop.org/patch/574878/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26667", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26667" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5" + }, + { + "url": "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d" + }, + { + "url": "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b" + }, + { + "url": "https://git.kernel.org/linus/e96fddb32931d007db12b1fce9b5e8e4c080401b(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26662" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-431", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26662" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26662", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/334a8348b2df26526f3298848ad6864285592caf" + }, + { + "url": "https://git.kernel.org/stable/c/729bc77af438a6e67914c97f6f3d3af8f72c0131" + }, + { + "url": "https://git.kernel.org/stable/c/f8c4a6b850882bc47aaa864b720c7a2ee3102f39" + }, + { + "url": "https://git.kernel.org/stable/c/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26741" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f(6.8-rc6)" + } + ], + "bom-ref": "vuln-432", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26741" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().\n\nsyzkaller reported a warning [0] in inet_csk_destroy_sock() with no\nrepro.\n\n WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);\n\nHowever, the syzkaller's log hinted that connect() failed just before\nthe warning due to FAULT_INJECTION. [1]\n\nWhen connect() is called for an unbound socket, we search for an\navailable ephemeral port. If a bhash bucket exists for the port, we\ncall __inet_check_established() or __inet6_check_established() to check\nif the bucket is reusable.\n\nIf reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.\n\nLater, we look up the corresponding bhash2 bucket and try to allocate\nit if it does not exist.\n\nAlthough it rarely occurs in real use, if the allocation fails, we must\nrevert the changes by check_established(). Otherwise, an unconnected\nsocket could illegally occupy an ehash entry.\n\nNote that we do not put tw back into ehash because sk might have\nalready responded to a packet for tw and it would be better to free\ntw earlier under such memory presure.\n\n[0]:\nWARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nModules linked in:\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nCode: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05\nRSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40\nRDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8\nRBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000\nR10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0\nR13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000\nFS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\n dccp_close (net/dccp/proto.c:1078)\n inet_release (net/ipv4/af_inet.c:434)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:377)\n __fput_sync (fs/file_table.c:462)\n __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7f03e53852bb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44\nRSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb\nRDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c\nR10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000\nR13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170\n \n\n[1]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3748)\n kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)\n inet_bind2_bucket_create \n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26741", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26741" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1" + }, + { + "url": "https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3" + }, + { + "url": "https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11" + }, + { + "url": "https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48" + }, + { + "url": "https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e" + }, + { + "url": "https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8" + }, + { + "url": "https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a" + }, + { + "url": "https://git.kernel.org/linus/3a38a829c8bc27d78552c28e582eb1d885d07d11(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35796" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-433", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35796" + } + } + ], + "created": "2024-05-17T14:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35796", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35796" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68" + }, + { + "url": "https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f" + }, + { + "url": "https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea" + }, + { + "url": "https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26866" + }, + { + "url": "https://git.kernel.org/linus/2ae0ab0143fcc06190713ed81a6486ed0ad3c861(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-434", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26866" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26866", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26866" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e4308bc22b9d46cf33165c9dfaeebcf29cd56f04" + }, + { + "url": "https://git.kernel.org/stable/c/610f175d2e16fb2436ba7974b990563002c20d07" + }, + { + "url": "https://git.kernel.org/stable/c/976df695f579bbb2914114b4e9974fe4ed1eb813" + }, + { + "url": "https://git.kernel.org/stable/c/40406dfbc060503d2e0a9e637e98493c54997b3d" + }, + { + "url": "https://git.kernel.org/linus/e4308bc22b9d46cf33165c9dfaeebcf29cd56f04(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35992" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-435", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35992" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: marvell: a3700-comphy: Fix out of bounds read\n\nThere is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'\nevery iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.\n\nMake sure 'gbe_phy_init[addr]' is used when all elements of\n'gbe_phy_init_fix' array are handled.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35992", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35992" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37" + }, + { + "url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-436", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52760", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52760" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1318" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1319" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1325" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" + } + ], + "bom-ref": "vuln-437", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + } + }, + { + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5678" + } + } + ], + "created": "2023-11-06T16:15:42Z", + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "affects": [ + { + "ref": "comp-235" + } + ], + "id": "CVE-2023-5678", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a" + }, + { + "url": "https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751" + }, + { + "url": "https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91" + }, + { + "url": "https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7" + }, + { + "url": "https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a" + }, + { + "url": "https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29" + }, + { + "url": "https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0" + }, + { + "url": "https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3TH6JK7ZZMSXSVHOJKIMSSOC6EQM4WV/" + }, + { + "url": "https://git.kernel.org/linus/3b0daecfeac0103aba8b293df07a0cbaf8b43f29" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26817" + } + ], + "bom-ref": "vuln-438", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26817" + } + } + ], + "created": "2024-04-13T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26817", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26817" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" + }, + { + "url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189" + }, + { + "url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257" + }, + { + "url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94" + }, + { + "url": "https://git.kernel.org/linus/0a9bab391e336489169b95cb0d4553d921302189(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26718" + } + ], + "bom-ref": "vuln-439", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26718" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26718", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26718" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0" + }, + { + "url": "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f" + }, + { + "url": "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611" + }, + { + "url": "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16" + }, + { + "url": "https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1" + }, + { + "url": "https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8" + }, + { + "url": "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9" + }, + { + "url": "https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243" + }, + { + "url": "https://git.kernel.org/linus/c4a7dc9523b59b3e73fd522c73e95e072f876b16(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26981" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-440", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26981" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26981", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26981" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc" + }, + { + "url": "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc" + }, + { + "url": "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" + }, + { + "url": "https://git.kernel.org/linus/10c02aad111df02088d1a81792a709f6a7eca6cc(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26691" + } + ], + "bom-ref": "vuln-441", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26691" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26691", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26691" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae" + }, + { + "url": "https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7" + }, + { + "url": "https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" + }, + { + "url": "https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c" + }, + { + "url": "https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb" + }, + { + "url": "https://git.kernel.org/linus/f7b94bdc1ec107c92262716b073b3e816d4784fb(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26886" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-442", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26886" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26886", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26886" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1" + }, + { + "url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288" + }, + { + "url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4" + }, + { + "url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13" + }, + { + "url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1" + }, + { + "url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01" + }, + { + "url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24" + }, + { + "url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26778" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288(6.8-rc2)" + } + ], + "bom-ref": "vuln-443", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26778" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26778", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26778" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a6fa75b5096c0f9826a4fabe22d907b0a5bb1016" + }, + { + "url": "https://git.kernel.org/stable/c/a83fdaeaea3677b83a53f72ace2d73a19bcd6d93" + }, + { + "url": "https://git.kernel.org/stable/c/3b08cfc65f07b1132c1979d73f014ae6e04de55d" + }, + { + "url": "https://git.kernel.org/stable/c/d817f0d34d927f2deb17dadbfe212c9a6a32ac3e" + }, + { + "url": "https://git.kernel.org/stable/c/64f00b4df0597590b199b62a37a165473bf658a6" + }, + { + "url": "https://git.kernel.org/stable/c/6787d916c2cf9850c97a0a3f73e08c43e7d973b1" + }, + { + "url": "https://git.kernel.org/stable/c/33ec04cadb77605b71d9298311919303d390c4d5" + }, + { + "url": "https://git.kernel.org/stable/c/8435f0961bf3dc65e204094349bd9aeaac1f8868" + }, + { + "url": "https://git.kernel.org/stable/c/92c81fbb3ed2e0dfc33a4183a67135e1ab566ace" + }, + { + "url": "https://git.kernel.org/linus/6787d916c2cf9850c97a0a3f73e08c43e7d973b1(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26884" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-444", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26884" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26884" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix hashtab overflow check on 32-bit arches\n\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26884", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26884" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T20:03:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba" + }, + { + "url": "https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a" + }, + { + "url": "https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3" + }, + { + "url": "https://git.kernel.org/linus/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27408" + } + ], + "bom-ref": "vuln-445", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27408" + } + } + ], + "created": "2024-05-17T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27408", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27408" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c" + }, + { + "url": "https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be" + }, + { + "url": "https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e" + }, + { + "url": "https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b" + }, + { + "url": "https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35989" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be(6.9-rc6)" + } + ], + "bom-ref": "vuln-446", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35989" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n \n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35989", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35989" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c" + }, + { + "url": "https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773" + }, + { + "url": "https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd" + }, + { + "url": "https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d" + }, + { + "url": "https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4" + }, + { + "url": "https://git.kernel.org/linus/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26893" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-447", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26893" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n | arm-scmi firmware:scmi: unable to communicate with SCMI\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000096000004\n | EC = 0x25: DABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | Data abort info:\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n | Hardware name: FVP Base RevC (DT)\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n | pc : smc_chan_free+0x3c/0x6c\n | lr : smc_chan_free+0x3c/0x6c\n | Call trace:\n | smc_chan_free+0x3c/0x6c\n | idr_for_each+0x68/0xf8\n | scmi_cleanup_channels.isra.0+0x2c/0x58\n | scmi_probe+0x434/0x734\n | platform_probe+0x68/0xd8\n | really_probe+0x110/0x27c\n | __driver_probe_device+0x78/0x12c\n | driver_probe_device+0x3c/0x118\n | __driver_attach+0x74/0x128\n | bus_for_each_dev+0x78/0xe0\n | driver_attach+0x24/0x30\n | bus_add_driver+0xe4/0x1e8\n | driver_register+0x60/0x128\n | __platform_driver_register+0x28/0x34\n | scmi_driver_init+0x84/0xc0\n | do_one_initcall+0x78/0x33c\n | kernel_init_freeable+0x2b8/0x51c\n | kernel_init+0x24/0x130\n | ret_from_fork+0x10/0x20\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26893", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26893" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b" + }, + { + "url": "https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957" + }, + { + "url": "https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c" + }, + { + "url": "https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811" + }, + { + "url": "https://git.kernel.org/linus/2a3cfb9a24a28da9cc13d2c525a76548865e182c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27041" + } + ], + "bom-ref": "vuln-448", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27041" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27041", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27041" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c" + }, + { + "url": "https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5" + }, + { + "url": "https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a" + }, + { + "url": "https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183" + }, + { + "url": "https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229" + }, + { + "url": "https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9" + }, + { + "url": "https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501" + }, + { + "url": "https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3" + }, + { + "url": "https://git.kernel.org/linus/3c6ee34c6f9cd12802326da26631232a61743501(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35935" + } + ], + "bom-ref": "vuln-449", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35935" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35935", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35935" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f" + }, + { + "url": "https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d" + }, + { + "url": "https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171" + }, + { + "url": "https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb" + }, + { + "url": "https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a" + }, + { + "url": "https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf" + }, + { + "url": "https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d" + }, + { + "url": "https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26845" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/83ab68168a3d990d5ff39ab030ad5754cbbccb25(6.8-rc1)" + } + ], + "bom-ref": "vuln-450", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26845" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Add TMF to tmr_list handling\n\nAn abort that is responded to by iSCSI itself is added to tmr_list but does\nnot go to target core. A LUN_RESET that goes through tmr_list takes a\nrefcounter on the abort and waits for completion. However, the abort will\nbe never complete because it was not started in target core.\n\n Unable to locate ITT: 0x05000000 on CID: 0\n Unable to locate RefTaskTag: 0x05000000 on CID: 0.\n wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n...\n INFO: task kworker/0:2:49 blocked for more than 491 seconds.\n task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800\n Workqueue: events target_tmr_work [target_core_mod]\nCall Trace:\n __switch_to+0x2c4/0x470\n _schedule+0x314/0x1730\n schedule+0x64/0x130\n schedule_timeout+0x168/0x430\n wait_for_completion+0x140/0x270\n target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]\n core_tmr_lun_reset+0x30/0xa0 [target_core_mod]\n target_tmr_work+0xc8/0x1b0 [target_core_mod]\n process_one_work+0x2d4/0x5d0\n worker_thread+0x78/0x6c0\n\nTo fix this, only add abort to tmr_list if it will be handled by target\ncore.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26845", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26845" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19" + }, + { + "url": "https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf" + }, + { + "url": "https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34" + }, + { + "url": "https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27022" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/35e351780fa9d8240dd6f7e4f245f9ea37e96c19(6.9-rc5)" + } + ], + "bom-ref": "vuln-451", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27022" + } + } + ], + "created": "2024-05-01T06:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: defer linking file vma until vma is fully initialized\n\nThorvald reported a WARNING [1]. And the root cause is below race:\n\n CPU 1\t\t\t\t\tCPU 2\n fork\t\t\t\t\thugetlbfs_fallocate\n dup_mmap\t\t\t\t hugetlbfs_punch_hole\n i_mmap_lock_write(mapping);\n vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.\n i_mmap_unlock_write(mapping);\n hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t i_mmap_lock_write(mapping);\n \t\t\t\t\t hugetlb_vmdelete_list\n\t\t\t\t\t vma_interval_tree_foreach\n\t\t\t\t\t hugetlb_vma_trylock_write -- Vma_lock is cleared.\n tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t hugetlb_vma_unlock_write -- Vma_lock is assigned!!!\n\t\t\t\t\t i_mmap_unlock_write(mapping);\n\nhugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside\ni_mmap_rwsem lock while vma lock can be used in the same time. Fix this\nby deferring linking file vma until vma is fully initialized. Those vmas\nshould be initialized first before they can be used.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27022", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27022" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7874ab3105ca4657102fee1cc14b0af70883c484" + }, + { + "url": "https://git.kernel.org/stable/c/e019d87e02f1e539ae48b99187f253847744ca7a" + }, + { + "url": "https://git.kernel.org/stable/c/330caa061af53ea6d287d7c43d0703714e510e08" + }, + { + "url": "https://git.kernel.org/stable/c/2d9fe7787af01188dc470a649bdbb842d6511fd7" + }, + { + "url": "https://git.kernel.org/stable/c/9ccfe80d022df7c595f1925afb31de2232900656" + }, + { + "url": "https://git.kernel.org/stable/c/14613d52bc7fc180df6d2c65ba65fc921fc1dda7" + }, + { + "url": "https://git.kernel.org/stable/c/6ac7c7a3a9ab57aba0fe78ecb922d2b20e16efeb" + }, + { + "url": "https://git.kernel.org/stable/c/29fde8895b2fcc33f44aea28c644ce2d9b62f9e0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27044" + }, + { + "url": "https://git.kernel.org/linus/9ccfe80d022df7c595f1925afb31de2232900656(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-452", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27044" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\n\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27044", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27044" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fba268ac36ab19f9763ff90d276cde0ce6cd5f31" + }, + { + "url": "https://git.kernel.org/stable/c/c3df637266df29edee85e94cab5fd7041e5753ba" + }, + { + "url": "https://git.kernel.org/stable/c/30a5e812f78e3d1cced90e1ed750bf027599205f" + }, + { + "url": "https://git.kernel.org/stable/c/8e2758cc25891d2b76717aaf89b40ed215de188c" + }, + { + "url": "https://git.kernel.org/stable/c/afec8f772296dd8e5a2a6f83bbf99db1b9ca877f" + }, + { + "url": "https://git.kernel.org/stable/c/79820a7e1e057120c49be07cbe10643d0706b259" + }, + { + "url": "https://git.kernel.org/stable/c/7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865" + }, + { + "url": "https://git.kernel.org/stable/c/df193568d61234c81de7ed4d540c01975de60277" + }, + { + "url": "https://git.kernel.org/linus/7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27416" + } + ], + "bom-ref": "vuln-453", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27416" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST\n\nIf we received HCI_EV_IO_CAPA_REQUEST while\nHCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote\ndoes support SSP since otherwise this event shouldn't be generated.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27416", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27416" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ce8bc22e948634a5c0a3fa58a179177d0e3f3950" + }, + { + "url": "https://git.kernel.org/stable/c/fa5492ee89463a7590a1449358002ff7ef63529f" + }, + { + "url": "https://git.kernel.org/stable/c/1c40ca3d39d769931b28295b3145c25f1decf5a6" + }, + { + "url": "https://git.kernel.org/stable/c/cab0c265ba182fd266c2aa3c69d7e40640a7f612" + }, + { + "url": "https://git.kernel.org/stable/c/1b9d6828589d57f94a23fb1c46112cda39d7efdb" + }, + { + "url": "https://git.kernel.org/stable/c/7110650b85dd2f1cee819acd1345a9013a1a62f7" + }, + { + "url": "https://git.kernel.org/stable/c/6c6a96c3d74df185ee344977d46944d6f33bb4dd" + }, + { + "url": "https://git.kernel.org/stable/c/bff9d4078a232c01e42e9377d005fb2f4d31a472" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52602" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/fa5492ee89463a7590a1449358002ff7ef63529f(6.8-rc1)" + } + ], + "bom-ref": "vuln-454", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52602" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds Read in dtSearch\n\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\n\nDave:\nSet return code to -EIO", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52602" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50" + }, + { + "url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91" + }, + { + "url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0" + }, + { + "url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667" + }, + { + "url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587" + }, + { + "url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a" + }, + { + "url": "https://git.kernel.org/linus/a7d6027790acea24446ddd6632d394096c0f4667(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26733" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-455", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26733" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). [0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags. We initialise the field just after the memcpy(), so it's\nnot a problem.\n\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let's limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26733", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26733" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9" + }, + { + "url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b" + }, + { + "url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-456", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52751", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52751" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73" + }, + { + "url": "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed" + }, + { + "url": "https://git.kernel.org/linus/29b359cf6d95fd60730533f7f10464e95bd17c73(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27017" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-457", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27017" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27017", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27017" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7" + }, + { + "url": "https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26945" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/5a7e89d3315d1be86aff8a8bf849023cda6547f7(6.9-rc2)" + } + ], + "bom-ref": "vuln-458", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26945" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26945", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26945" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7" + }, + { + "url": "https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587" + }, + { + "url": "https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c" + }, + { + "url": "https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69" + }, + { + "url": "https://git.kernel.org/linus/eb4f139888f636614dab3bcce97ff61cefc4b3a7(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35928" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-459", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35928" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\n\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\nproperly handled in amdgpu_device_init(). If the function exits early\ndue to an error, the memory is unmapped. If the function completes\nsuccessfully, the memory remains mapped.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35928", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35928" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98" + }, + { + "url": "https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269" + }, + { + "url": "https://git.kernel.org/linus/334b56cea5d9df5989be6cf1a5898114fa70ad98(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26948" + } + ], + "bom-ref": "vuln-460", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26948" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck wheather state is NULL before releasing it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26948", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26948" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6fc6233f6db1579b69b54b44571f1a7fde8186e6" + }, + { + "url": "https://git.kernel.org/stable/c/83e0f220d1e992fa074157fcf14945bf170ffbc5" + }, + { + "url": "https://git.kernel.org/stable/c/d1e546ab91c670e536a274a75481034ab7534876" + }, + { + "url": "https://git.kernel.org/stable/c/89709105a6091948ffb6ec2427954cbfe45358ce" + }, + { + "url": "https://git.kernel.org/stable/c/40624af6674745e174c754a20d7c53c250e65e7a" + }, + { + "url": "https://git.kernel.org/stable/c/03b1072616a8f7d6e8594f643b416a9467c83fbf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52662" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/89709105a6091948ffb6ec2427954cbfe45358ce(6.9-rc1)" + } + ], + "bom-ref": "vuln-461", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52662" + } + } + ], + "created": "2024-05-17T14:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node\n\nWhen ida_alloc_max fails, resources allocated before should be freed,\nincluding *res allocated by kmalloc and ttm_resource_init.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52662", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52662" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952" + }, + { + "url": "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b" + }, + { + "url": "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916" + }, + { + "url": "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596" + }, + { + "url": "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d" + }, + { + "url": "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573" + }, + { + "url": "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861" + }, + { + "url": "https://git.kernel.org/linus/743edc8547a92b6192aa1f1b6bb78233fa21dc9b(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36007" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-462", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36007" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-36007", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36007" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc" + }, + { + "url": "https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76" + }, + { + "url": "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40" + }, + { + "url": "https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15" + }, + { + "url": "https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c" + }, + { + "url": "https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12" + }, + { + "url": "https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26926" + }, + { + "url": "https://git.kernel.org/linus/aaef73821a3b0194a01bd23ca77774f704a04d40(6.9-rc5)" + } + ], + "bom-ref": "vuln-463", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26926" + } + } + ], + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26926", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26926" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8" + }, + { + "url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5" + }, + { + "url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8" + }, + { + "url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2" + }, + { + "url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26826" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/b6c620dc43ccb4e802894e54b651cf81495e9598(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-464", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26826" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26826", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26826" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0de693d68b0a18d5e256556c7c62d92cca35ad52" + }, + { + "url": "https://git.kernel.org/stable/c/e83bebb718fd1f42549358730e1206164e0861d6" + }, + { + "url": "https://git.kernel.org/stable/c/71809805b95052ff551922f11660008fb3666025" + }, + { + "url": "https://git.kernel.org/stable/c/89d72d4125e94aa3c2140fedd97ce07ba9e37674" + }, + { + "url": "https://git.kernel.org/stable/c/e46274df1100fb0c06704195bfff5bfbd418bf64" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26856" + }, + { + "url": "https://git.kernel.org/linus/89d72d4125e94aa3c2140fedd97ce07ba9e37674(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-465", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26856" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sparx5: Fix use after free inside sparx5_del_mact_entry\n\nBased on the static analyzis of the code it looks like when an entry\nfrom the MAC table was removed, the entry was still used after being\nfreed. More precise the vid of the mac_entry was used after calling\ndevm_kfree on the mac_entry.\nThe fix consists in first using the vid of the mac_entry to delete the\nentry from the HW and after that to free it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26856", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26856" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25741" + }, + { + "url": "https://lore.kernel.org/all/CALGdzurBnMztPW1Q8mujfYaopVQ8MkSUXUvnAqJcLGu5ROSU4Q@mail.gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-466", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25741" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-25741", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-12T14:20:03Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2402845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-467", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ + { + "ref": "comp-87" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6901" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + }, + { + "url": "https://lore.kernel.org/lkml/Yz/mfJ1gjgshF19t@hirez.programming.kicks-ass.net/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6235-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0597" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6206-1" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0597" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1188" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6300-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6311-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6332-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7077" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6583" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6347-1" + } + ], + "bom-ref": "vuln-468", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0597" + } + } + ], + "created": "2023-02-23T20:15:12Z", + "description": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-0597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + }, + "cwes": [ + 401, + 200 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-07-28T15:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:26:23Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee" + }, + { + "url": "https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b" + }, + { + "url": "https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26799" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-469", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26799" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix uninitialized pointer dmactl\n\nIn the case where __lpass_get_dmactl_handle is called and the driver\nid dai_id is invalid the pointer dmactl is not being assigned a value,\nand dmactl contains a garbage value since it has not been initialized\nand so the null check may not work. Fix this to initialize dmactl to\nNULL. One could argue that modern compilers will set this to zero, but\nit is useful to keep this initialized as per the same way in functions\n__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.\n\nCleans up clang scan build warning:\nsound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition\nevaluates to a garbage value [core.uninitialized.Branch]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26799", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26799" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26" + }, + { + "url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54" + }, + { + "url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949" + }, + { + "url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8" + }, + { + "url": "https://git.kernel.org/linus/4cd12c6065dfcdeba10f49949bffcf383b3952d8(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26731" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-470", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26731" + } + } + ], + "created": "2024-04-03T17:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n RIP: 0010:0x0\n [...]\n Call Trace:\n \n sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock->saved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk->sk_callback_lock.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26731", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26731" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51" + }, + { + "url": "https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb" + }, + { + "url": "https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8" + }, + { + "url": "https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e" + }, + { + "url": "https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a" + }, + { + "url": "https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0" + }, + { + "url": "https://git.kernel.org/linus/37e8c97e539015637cb920d3e6f1e404f707a06e(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26707" + } + ], + "bom-ref": "vuln-471", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26707" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\n\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\n\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\n\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n \n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\n\nThis issue is also found in older kernels (at least up to 5.10).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26707", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26707" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6547-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-317.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7024" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6494" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-41105" + } + ], + "bom-ref": "vuln-472", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105" + } + }, + { + "severity": "none", + "score": 0.00055, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41105" + } + } + ], + "created": "2023-08-23T07:15:08Z", + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "affects": [ + { + "ref": "comp-41" + } + ], + "id": "CVE-2023-41105", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105" + }, + "cwes": [ + 426 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:20:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T13:59:51Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d" + }, + { + "url": "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51" + }, + { + "url": "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1" + }, + { + "url": "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90" + }, + { + "url": "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a" + }, + { + "url": "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda" + }, + { + "url": "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f" + }, + { + "url": "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35823" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1581dafaf0d34bc9c428a794a22110d7046d186d(6.8)" + } + ], + "bom-ref": "vuln-473", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35823" + } + } + ], + "created": "2024-05-17T14:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35823", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35823" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97a4d8b9f67cc7efe9a0c137e12f6d9e40795bf1" + }, + { + "url": "https://git.kernel.org/stable/c/bc76645ebdd01be9b9994dac39685a3d0f6f7985" + }, + { + "url": "https://git.kernel.org/stable/c/db364859ce68fb3a52d42cd87a54da3dc42dc1c8" + }, + { + "url": "https://git.kernel.org/stable/c/0b8eb369c182814d817b9449bc9e86bfae4310f9" + }, + { + "url": "https://git.kernel.org/stable/c/07bbccd1adb56b39eef982b8960d59e3c005c6a1" + }, + { + "url": "https://git.kernel.org/stable/c/cfe0f73fb38a01bce86fe15ef5f750f850f7d3fe" + }, + { + "url": "https://git.kernel.org/stable/c/cfedde3058bf976f2f292c0a236edd43afcdab57" + }, + { + "url": "https://git.kernel.org/stable/c/c558e54f7712b086fbcb611723272a0a4b0d451c" + }, + { + "url": "https://git.kernel.org/linus/bc76645ebdd01be9b9994dac39685a3d0f6f7985(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27420" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-474", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27420" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_link_fails_count\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27420", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27420" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/17c2650de14842c25c569cbb2126c421489a3a24" + }, + { + "url": "https://git.kernel.org/stable/c/c915c46a25c3efb084c4f5e69a053d7f7a635496" + }, + { + "url": "https://git.kernel.org/stable/c/b8505a1aee8f1edc9d16d72ae09c93de086e2a1a" + }, + { + "url": "https://git.kernel.org/stable/c/4f1490a5d7a0472ee5d9f36547bc4ba46be755c7" + }, + { + "url": "https://git.kernel.org/stable/c/610f20e5cf35ca9c0992693cae0dd8643ce932e7" + }, + { + "url": "https://git.kernel.org/stable/c/87399f1ff92203d65f1febf5919429f4bb613a02" + }, + { + "url": "https://git.kernel.org/stable/c/edbb3226c985469a2f8eb69885055c9f5550f468" + }, + { + "url": "https://git.kernel.org/stable/c/daf21394f9898fb9f0698c3e50de08132d2164e6" + }, + { + "url": "https://git.kernel.org/stable/c/8ba8db9786b55047df5ad3db3e01dd886687a77d" + }, + { + "url": "https://git.kernel.org/linus/87399f1ff92203d65f1febf5919429f4bb613a02(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35830" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-475", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35830" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tc358743: register v4l2 async device only after successful setup\n\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35830", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35830" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8f860c8407470baff2beb9982ad6b172c94f1d0a" + }, + { + "url": "https://git.kernel.org/stable/c/e8ca3e73301e23e8c0ac0ce2e6bac4545cd776e0" + }, + { + "url": "https://git.kernel.org/stable/c/7a96d85bf196c170dcf1b47a82e9bb97cca69aa6" + }, + { + "url": "https://git.kernel.org/stable/c/69c7eeb4f622c2a28da965f970f982db171f3dc6" + }, + { + "url": "https://git.kernel.org/stable/c/c430e6bb43955c6bf573665fcebf31694925b9f7" + }, + { + "url": "https://git.kernel.org/stable/c/31b62908693c90d4d07db597e685d9f25a120073" + }, + { + "url": "https://git.kernel.org/stable/c/fece80a2a6718ed58487ce397285bb1b83a3e54e" + }, + { + "url": "https://git.kernel.org/stable/c/f8cf4dabbdcb8bef85335b0ed7ad5b25fd82ff56" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52623" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/31b62908693c90d4d07db597e685d9f25a120073(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-476", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52623" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix a suspicious RCU usage warning\n\nI received the following warning while running cthon against an ontap\nserver running pNFS:\n\n[ 57.202521] =============================\n[ 57.202522] WARNING: suspicious RCU usage\n[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[ 57.202525] -----------------------------\n[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[ 57.202527]\n other info that might help us debug this:\n\n[ 57.202528]\n rcu_scheduler_active = 2, debug_locks = 1\n[ 57.202529] no locks held by test5/3567.\n[ 57.202530]\n stack backtrace:\n[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[ 57.202536] Call Trace:\n[ 57.202537] \n[ 57.202540] dump_stack_lvl+0x77/0xb0\n[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0\n[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202866] write_cache_pages+0x265/0x450\n[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202913] do_writepages+0xd2/0x230\n[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80\n[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80\n[ 57.202924] filemap_write_and_wait_range+0xd9/0x170\n[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202969] __se_sys_close+0x46/0xd0\n[ 57.202972] do_syscall_64+0x68/0x100\n[ 57.202975] ? do_syscall_64+0x77/0x100\n[ 57.202976] ? do_syscall_64+0x77/0x100\n[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 57.202982] RIP: 0033:0x7fe2b12e4a94\n[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[ 57.202993] R10: 00007f\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52623", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52623" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6c6a45645a2e6a272dfde14eddbb6706de63c25d" + }, + { + "url": "https://git.kernel.org/stable/c/629b534c42d04f0797980f2d1ed105fdb8906975" + }, + { + "url": "https://git.kernel.org/stable/c/3895780fabd120d0fbd54354014e85207b25687c" + }, + { + "url": "https://git.kernel.org/stable/c/7dfed9855397d0df4c6f748d1f66547ab3bad766" + }, + { + "url": "https://git.kernel.org/stable/c/6661befe41009c210efa2c1bcd16a5cc4cff8a06" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26963" + }, + { + "url": "https://git.kernel.org/linus/6661befe41009c210efa2c1bcd16a5cc4cff8a06(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-477", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26963" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3-am62: fix module unload/reload behavior\n\nAs runtime PM is enabled, the module can be runtime\nsuspended when .remove() is called.\n\nDo a pm_runtime_get_sync() to make sure module is active\nbefore doing any register operations.\n\nDoing a pm_runtime_put_sync() should disable the refclk\nso no need to disable it again.\n\nFixes the below warning at module removel.\n\n[ 39.705310] ------------[ cut here ]------------\n[ 39.710004] clk:162:3 already disabled\n[ 39.713941] WARNING: CPU: 0 PID: 921 at drivers/clk/clk.c:1090 clk_core_disable+0xb0/0xb8\n\nWe called of_platform_populate() in .probe() so call the\ncleanup function of_platform_depopulate() in .remove().\nGet rid of the now unnnecessary dwc3_ti_remove_core().\nWithout this, module re-load doesn't work properly.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26963", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26963" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862" + }, + { + "url": "https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b" + }, + { + "url": "https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774" + }, + { + "url": "https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04" + }, + { + "url": "https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525" + }, + { + "url": "https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e" + }, + { + "url": "https://git.kernel.org/linus/82f522ae0d97119a43da53e0f729275691b9c525(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26929" + } + ], + "bom-ref": "vuln-478", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26929" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26929", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26929" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59" + }, + { + "url": "https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f" + }, + { + "url": "https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87" + }, + { + "url": "https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12" + }, + { + "url": "https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1" + }, + { + "url": "https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6" + }, + { + "url": "https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95" + }, + { + "url": "https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/3871aa01e1a779d866fa9dfdd5a836f342f4eb87(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26663" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-479", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26663" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Check the bearer type before calling tipc_udp_nl_bearer_add()\n\nsyzbot reported the following general protection fault [1]:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]\n...\nRIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291\n...\nCall Trace:\n \n tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646\n tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089\n genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972\n genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]\n genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n __sys_sendmsg+0x117/0x1e0 net/socket.c:2667\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe cause of this issue is that when tipc_nl_bearer_add() is called with\nthe TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called\neven if the bearer is not UDP.\n\ntipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that\nthe media_ptr field of the tipc_bearer has an udp_bearer type object, so\nthe function goes crazy for non-UDP bearers.\n\nThis patch fixes the issue by checking the bearer type before calling\ntipc_udp_nl_bearer_add() in tipc_nl_bearer_add().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26663", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26663" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6" + }, + { + "url": "https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4" + }, + { + "url": "https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1" + }, + { + "url": "https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f" + }, + { + "url": "https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629" + }, + { + "url": "https://git.kernel.org/linus/037965402a010898d34f4e35327d22c0a95cd51f(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27393" + } + ], + "bom-ref": "vuln-480", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27393" + } + } + ], + "created": "2024-05-14T15:12:26Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27393", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27393" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed" + }, + { + "url": "https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637" + }, + { + "url": "https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f" + }, + { + "url": "https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8" + }, + { + "url": "https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6" + }, + { + "url": "https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26977" + }, + { + "url": "https://git.kernel.org/linus/7626913652cc786c238e2dd7d8740b17d41b2637(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-481", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26977" + } + } + ], + "created": "2024-05-01T06:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26977", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26977" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e" + }, + { + "url": "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c" + }, + { + "url": "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c" + }, + { + "url": "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26656" + }, + { + "url": "https://git.kernel.org/linus/22207fd5c80177b860279653d017474b2812af5e(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-482", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26656" + } + } + ], + "created": "2024-04-02T07:15:42Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26656", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26656" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T14:15:17Z" + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240109.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + } + ], + "bom-ref": "vuln-483", + "ratings": [ + { + "severity": "none", + "score": 0.00194, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6129" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + } + } + ], + "created": "2024-01-09T17:15:12Z", + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "affects": [ + { + "ref": "comp-235" + } + ], + "id": "CVE-2023-6129", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26" + }, + { + "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c" + }, + { + "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" + }, + { + "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26775" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86(6.8-rc2)" + } + ], + "bom-ref": "vuln-484", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26775" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26775", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26775" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/752cd08da320a667a833803a8fd6bb266114cce5" + }, + { + "url": "https://git.kernel.org/stable/c/0d862db64d26c2905ba1a6a8561466b215b664c2" + }, + { + "url": "https://git.kernel.org/stable/c/b1ec3d6b86fdd057559a5908e6668279bf770e0e" + }, + { + "url": "https://git.kernel.org/linus/752cd08da320a667a833803a8fd6bb266114cce5(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26841" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-485", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26841" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Update cpu_sibling_map when disabling nonboot CPUs\n\nUpdate cpu_sibling_map when disabling nonboot CPUs by defining & calling\nclear_cpu_sibling_map(), otherwise we get such errors on SMT systems:\n\njump label: negative count!\nWARNING: CPU: 6 PID: 45 at kernel/jump_label.c:263 __static_key_slow_dec_cpuslocked+0xec/0x100\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\npc 90000000004c302c ra 90000000004c302c tp 90000001005bc000 sp 90000001005bfd20\na0 000000000000001b a1 900000000224c278 a2 90000001005bfb58 a3 900000000224c280\na4 900000000224c278 a5 90000001005bfb50 a6 0000000000000001 a7 0000000000000001\nt0 ce87a4763eb5234a t1 ce87a4763eb5234a t2 0000000000000000 t3 0000000000000000\nt4 0000000000000006 t5 0000000000000000 t6 0000000000000064 t7 0000000000001964\nt8 000000000009ebf6 u0 9000000001f2a068 s9 0000000000000000 s0 900000000246a2d8\ns1 ffffffffffffffff s2 ffffffffffffffff s3 90000000021518c0 s4 0000000000000040\ns5 9000000002151058 s6 9000000009828e40 s7 00000000000000b4 s8 0000000000000006\n ra: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n ERA: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000004 (PPLV0 +PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\nStack : 0000000000000000 900000000203f258 900000000179afc8 90000001005bc000\n 90000001005bf980 0000000000000000 90000001005bf988 9000000001fe0be0\n 900000000224c280 900000000224c278 90000001005bf8c0 0000000000000001\n 0000000000000001 ce87a4763eb5234a 0000000007f38000 90000001003f8cc0\n 0000000000000000 0000000000000006 0000000000000000 4c206e6f73676e6f\n 6f4c203a656d616e 000000000009ec99 0000000007f38000 0000000000000000\n 900000000214b000 9000000001fe0be0 0000000000000004 0000000000000000\n 0000000000000107 0000000000000009 ffffffffffafdabe 00000000000000b4\n 0000000000000006 90000000004c302c 9000000000224528 00005555939a0c7c\n 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n ...\nCall Trace:\n[<9000000000224528>] show_stack+0x48/0x1a0\n[<900000000179afc8>] dump_stack_lvl+0x78/0xa0\n[<9000000000263ed0>] __warn+0x90/0x1a0\n[<90000000017419b8>] report_bug+0x1b8/0x280\n[<900000000179c564>] do_bp+0x264/0x420\n[<90000000004c302c>] __static_key_slow_dec_cpuslocked+0xec/0x100\n[<90000000002b4d7c>] sched_cpu_deactivate+0x2fc/0x300\n[<9000000000266498>] cpuhp_invoke_callback+0x178/0x8a0\n[<9000000000267f70>] cpuhp_thread_fun+0xf0/0x240\n[<90000000002a117c>] smpboot_thread_fn+0x1dc/0x2e0\n[<900000000029a720>] kthread+0x140/0x160\n[<9000000000222288>] ret_from_kernel_thread+0xc/0xa4", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26841", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26841" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-21803" + } + ], + "bom-ref": "vuln-486", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21803" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + } + } + ], + "created": "2024-01-30T08:15:41Z", + "description": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-21803", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-08T01:57:53Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f" + }, + { + "url": "https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0" + }, + { + "url": "https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549" + }, + { + "url": "https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6" + }, + { + "url": "https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac" + }, + { + "url": "https://git.kernel.org/linus/32e39bab59934bfd3f37097d4dd85ac5eb0fd549(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26938" + } + ], + "bom-ref": "vuln-487", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26938" + } + } + ], + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26938", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26938" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217271" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3397" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-043.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1883.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2340.html" + }, + { + "url": "https://lore.kernel.org/lkml/20230515095956.17898-1-zyytlz.wz@163.com/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3397" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2023-056.html" + } + ], + "bom-ref": "vuln-488", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-3397" + } + }, + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + } + } + ], + "created": "2023-11-01T20:15:08Z", + "description": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-3397", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + }, + "cwes": [ + 416, + 362 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-09T15:09:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:17:16Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719" + }, + { + "url": "https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8" + }, + { + "url": "https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3" + }, + { + "url": "https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982" + }, + { + "url": "https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed" + }, + { + "url": "https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8" + }, + { + "url": "https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16" + }, + { + "url": "https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26675" + }, + { + "url": "https://git.kernel.org/linus/cb88cb53badb8aeb3955ad6ce80b07b598e310b8(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-489", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26675" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp_async: limit MRU to 64K\n\nsyzbot triggered a warning [1] in __alloc_pages():\n\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\n\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\n\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\n\n[1]:\n\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n __do_kmalloc_node mm/slub.c:3969 [inline]\n __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n receive_buf drivers/tty/tty_buffer.c:444 [inline]\n flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26675", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26675" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e421946be7d9bf545147bea8419ef8239cb7ca52" + }, + { + "url": "https://git.kernel.org/stable/c/84246c35ca34207114055a87552a1c4289c8fd7e" + }, + { + "url": "https://git.kernel.org/stable/c/6db07619d173765bd8622d63809cbfe361f04207" + }, + { + "url": "https://git.kernel.org/stable/c/df6e2088c6f4cad539cf67cba2d6764461e798d1" + }, + { + "url": "https://git.kernel.org/stable/c/99f1abc34a6dde248d2219d64aa493c76bbdd9eb" + }, + { + "url": "https://git.kernel.org/stable/c/1d11dd3ea5d039c7da089f309f39c4cd363b924b" + }, + { + "url": "https://git.kernel.org/stable/c/f329523f6a65c3bbce913ad35473d83a319d5d99" + }, + { + "url": "https://git.kernel.org/stable/c/cd36da760bd1f78c63c7078407baf01dd724f313" + }, + { + "url": "https://git.kernel.org/linus/e421946be7d9bf545147bea8419ef8239cb7ca52(6.8-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26777" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-490", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26777" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sis: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26777", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26777" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc" + }, + { + "url": "https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79" + }, + { + "url": "https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a" + }, + { + "url": "https://git.kernel.org/linus/062a7f0ff46eb57aff526897bd2bebfdb1d3046a(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35869" + } + ], + "bom-ref": "vuln-491", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35869" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted. They're all needed across\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\nit, too.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35869", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35869" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/62b71cd73d41ddac6b1760402bbe8c4932e23531" + }, + { + "url": "https://git.kernel.org/stable/c/7784135f134c13af17d9ffb39a57db8500bc60ff" + }, + { + "url": "https://git.kernel.org/stable/c/9114ba9987506bcfbb454f6e68558d68cb1abbde" + }, + { + "url": "https://git.kernel.org/stable/c/090d2b4515ade379cd592fbc8931344945978210" + }, + { + "url": "https://git.kernel.org/stable/c/b9d103aca85f082a343b222493f3cab1219aaaf4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35800" + }, + { + "url": "https://git.kernel.org/linus/62b71cd73d41ddac6b1760402bbe8c4932e23531(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-492", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35800" + } + } + ], + "created": "2024-05-17T14:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix panic in kdump kernel\n\nCheck if get_next_variable() is actually valid pointer before\ncalling it. In kdump kernel this method is set to NULL that causes\npanic during the kexec-ed kernel boot.\n\nTested with QEMU and OVMF firmware.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35800", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35800" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009" + }, + { + "url": "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + }, + { + "url": "https://git.kernel.org/linus/8892780834ae294bc3697c7d0e056d7743900b39(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52485" + } + ], + "bom-ref": "vuln-493", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52485" + } + } + ], + "created": "2024-02-29T15:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52485", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-29T18:06:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311" + }, + { + "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb" + }, + { + "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84" + }, + { + "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1" + }, + { + "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d" + }, + { + "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9" + }, + { + "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4" + }, + { + "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26791" + } + ], + "bom-ref": "vuln-494", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26791" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26791", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26791" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T08:35:30Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7" + }, + { + "url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555" + }, + { + "url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" + }, + { + "url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26726" + }, + { + "url": "https://git.kernel.org/linus/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-495", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26726" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26726", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26726" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273" + }, + { + "url": "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e03418abde871314e1a3a550f4c8afb7b89cb273(6.9)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35949" + } + ], + "bom-ref": "vuln-496", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35949" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking. This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n [2.621] Call Trace:\n [2.621] \n [2.621] ? show_regs+0x74/0x80\n [2.621] ? die_addr+0x46/0xc0\n [2.621] ? exc_general_protection+0x161/0x2a0\n [2.621] ? asm_exc_general_protection+0x26/0x30\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? btrfs_get_16+0x34b/0x6d0\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n [2.621] btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35949", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35949" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde" + }, + { + "url": "https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec" + }, + { + "url": "https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f" + }, + { + "url": "https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23" + }, + { + "url": "https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d" + }, + { + "url": "https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620" + }, + { + "url": "https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83" + }, + { + "url": "https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35984" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f(6.9-rc6)" + } + ], + "bom-ref": "vuln-497", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35984" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35984", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35984" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc" + }, + { + "url": "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" + }, + { + "url": "https://git.kernel.org/linus/46806e59a87790760870d216f54951a5b4d545bc(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26699" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-498", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26699" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26699", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26699" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c" + }, + { + "url": "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22" + }, + { + "url": "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd" + }, + { + "url": "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c" + }, + { + "url": "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e" + }, + { + "url": "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f" + }, + { + "url": "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0" + }, + { + "url": "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36004" + }, + { + "url": "https://git.kernel.org/linus/2cc7d150550cc981aceedf008f5459193282425c(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-499", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36004" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-36004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e601ae81910ce6a3797876e190a2d8ef6cf828bc" + }, + { + "url": "https://git.kernel.org/stable/c/083686474e7c97b0f8b66df37fcb64e432e8b771" + }, + { + "url": "https://git.kernel.org/stable/c/d4d813c0a14d6bf52d810a55db06a2e7e3d98eaa" + }, + { + "url": "https://git.kernel.org/stable/c/2df70149e73e79783bcbc7db4fa51ecef0e2022c" + }, + { + "url": "https://git.kernel.org/stable/c/fbca8bae1ba79d443a58781b45e92a73a24ac8f8" + }, + { + "url": "https://git.kernel.org/stable/c/cefe18e9ec84f8fe3e198ccebb815cc996eb9797" + }, + { + "url": "https://git.kernel.org/stable/c/7394abc8926adee6a817bab10797e0adc898af77" + }, + { + "url": "https://git.kernel.org/stable/c/d7acc4a569f5f4513120c85ea2b9f04909b7490f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27412" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2df70149e73e79783bcbc7db4fa51ecef0e2022c(6.8-rc7)" + } + ], + "bom-ref": "vuln-500", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27412" + } + } + ], + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq27xxx-i2c: Do not free non existing IRQ\n\nThe bq27xxx i2c-client may not have an IRQ, in which case\nclient->irq will be 0. bq27xxx_battery_i2c_probe() already has\nan if (client->irq) check wrapping the request_threaded_irq().\n\nBut bq27xxx_battery_i2c_remove() unconditionally calls\nfree_irq(client->irq) leading to:\n\n[ 190.310742] ------------[ cut here ]------------\n[ 190.310843] Trying to free already-free IRQ 0\n[ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310\n\nFollowed by a backtrace when unbinding the driver. Add\nan if (client->irq) to bq27xxx_battery_i2c_remove() mirroring\nprobe() to fix this.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27412", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27412" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb" + }, + { + "url": "https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb" + }, + { + "url": "https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83" + }, + { + "url": "https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652" + }, + { + "url": "https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1" + }, + { + "url": "https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129" + }, + { + "url": "https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70" + }, + { + "url": "https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35969" + }, + { + "url": "https://git.kernel.org/linus/7633c4da919ad51164acbf1aa322cc1a3ead6129(6.9-rc4)" + } + ], + "bom-ref": "vuln-501", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35969" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] \n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35969", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183" + }, + { + "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100" + }, + { + "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" + }, + { + "url": "https://git.kernel.org/linus/b6eda11c44dc89a681e1c105f0f4660e69b1e183(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26770" + } + ], + "bom-ref": "vuln-502", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26770" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26770", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26770" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89" + }, + { + "url": "https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2" + }, + { + "url": "https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a" + }, + { + "url": "https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9" + }, + { + "url": "https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18" + }, + { + "url": "https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34" + }, + { + "url": "https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90" + }, + { + "url": "https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/4f973e211b3b1c6d36f7c6a19239d258856749f9(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52587" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-503", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52587" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\n\n Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below)\n -----------------------------------+-----------------------------------\n ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work)\n spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...)\n list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev)\n &priv->multicast_list, list) |\n ipoib_mcast_join(dev, mcast) |\n spin_unlock_irq(&priv->lock) |\n | spin_lock_irqsave(&priv->lock, flags)\n | list_for_each_entry_safe(mcast, tmcast,\n | &priv->multicast_list, list)\n | list_del(&mcast->list);\n | list_add_tail(&mcast->list, &remove_list)\n | spin_unlock_irqrestore(&priv->lock, flags)\n spin_lock_irq(&priv->lock) |\n | ipoib_mcast_remove_list(&remove_list)\n (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast,\n `priv->multicast_list` and we keep | remove_list, list)\n spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done)\n the other thread which is blocked |\n and the list is still valid on |\n it's stack.)\n\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\n\ncrash> bc 31\nPID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: \"kworker/u72:2\"\n--\n [exception RIP: ipoib_mcast_join_task+0x1b1]\n RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002\n RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000\n work (&priv->mcast_task{,.work})\n RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000\n &mcast->list\n RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000\n R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00\n mcast\n R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8\n dev priv (&priv->lock) &priv->multicast_list (aka head)\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n--- ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\n\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\n\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\n\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n mcast_task.work.func = 0xffffffffc0944910 ,\n mcast_mutex.owner.counter = 0xff1c69998efec000\n\ncrash> b 8\nPID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52587", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52587" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48" + }, + { + "url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd" + }, + { + "url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75" + }, + { + "url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec" + }, + { + "url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86" + }, + { + "url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058" + }, + { + "url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35895" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/ff91059932401894e6c86341915615c5eb0eca48(6.9-rc3)" + } + ], + "bom-ref": "vuln-504", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35895" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(&htab->buckets[i].lock);\n local_irq_disable();\n lock(&host->lock);\n lock(&htab->buckets[i].lock);\n \n lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35895", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35895" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199" + }, + { + "url": "https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724" + }, + { + "url": "https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4" + }, + { + "url": "https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26590" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-505", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26590" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590" + } + } + ], + "created": "2024-02-22T17:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26590", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T17:54:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1" + }, + { + "url": "https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0" + }, + { + "url": "https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25" + }, + { + "url": "https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5" + }, + { + "url": "https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754" + }, + { + "url": "https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7" + }, + { + "url": "https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f" + }, + { + "url": "https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877" + }, + { + "url": "https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0" + }, + { + "url": "https://git.kernel.org/linus/d0aa72604fbd80c8aabb46eda00535ed35570f1f(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26878" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-506", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26878" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: Fix potential NULL pointer dereference\n\nBelow race may cause NULL pointer dereference\n\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t drop_dquot_ref\n\t\t\t\t\t remove_dquot_ref\n\t\t\t\t\t dquots = i_dquot(inode)\n dquots = i_dquot(inode)\n srcu_read_lock\n dquots[cnt]) != NULL (1)\n\t\t\t\t\t dquots[type] = NULL (2)\n spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n ....\n\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\n\nSo let's fix it by using a temporary pointer to avoid this issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26878", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26878" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484" + }, + { + "url": "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73" + }, + { + "url": "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e" + }, + { + "url": "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920" + }, + { + "url": "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349" + }, + { + "url": "https://git.kernel.org/linus/d78d867dcea69c328db30df665be5be7d0148484(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27019" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-507", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27019" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27019", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27019" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7" + }, + { + "url": "https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2" + }, + { + "url": "https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99" + }, + { + "url": "https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9" + }, + { + "url": "https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d" + }, + { + "url": "https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385" + }, + { + "url": "https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89" + }, + { + "url": "https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da" + }, + { + "url": "https://git.kernel.org/linus/7411055db5ce64f836aaffd422396af0075fdc99(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35936" + } + ], + "bom-ref": "vuln-508", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35936" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n offset -1, this is an inexact search and the key->offset will contain\n the correct offset upon a successful search, a valid chunk tree item\n cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n item, the offset is decremented by 1 before the next loop, it's\n impossible to find a chunk item there due to alignment and size\n constraints", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35936", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35936" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2" + }, + { + "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6" + }, + { + "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a" + }, + { + "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9" + }, + { + "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790" + }, + { + "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39" + }, + { + "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b" + }, + { + "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26766" + }, + { + "url": "https://git.kernel.org/linus/e6f57c6881916df39db7d95981a8ad2b9c3458d6(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-509", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26766" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990] \n[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978] dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347] __sys_sendmsg+0x59/0xa0\n\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n txreq = {\n list = {\n next = 0xffff9cfeba229f00,\n prev = 0xffff9cfeba229f00\n },\n descp = 0xffff9cfeba229f40,\n coalesce_buf = 0x0,\n wait = 0xffff9cfea4e69a48,\n complete = 0xffffffffc0fe0760 ,\n packet_len = 0x46d,\n tlen = 0x0,\n num_desc = 0x0,\n desc_limit = 0x6,\n next_descq_idx = 0x45c,\n coalesce_idx = 0x0,\n flags = 0x0,\n descs = {{\n qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n }, {\n qw = { 0x3800014231b108, 0x4}\n }, {\n qw = { 0x310000e4ee0fcf0, 0x8}\n }, {\n qw = { 0x3000012e9f8000, 0x8}\n }, {\n qw = { 0x59000dfb9d0000, 0x8}\n }, {\n qw = { 0x78000e02e40000, 0x8}\n }}\n },\n sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure\n sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n complete = 0x0,\n priv = 0x0,\n txq = 0xffff9cfea4e69880,\n skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26766", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26766" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253" + }, + { + "url": "https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65" + }, + { + "url": "https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694" + }, + { + "url": "https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26869" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65(6.9-rc1)" + } + ], + "bom-ref": "vuln-510", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26869" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n due to lock failure or dirty|writeback\n status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - load old data from meta_inode page\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26869", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26869" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248755" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6039" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6534-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6534-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6628-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6628-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6626-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6626-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6039" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6626-1" + }, + { + "url": "https://git.kernel.org/linus/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3(6.5-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6534-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6706-1" + } + ], + "bom-ref": "vuln-511", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6039" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" + } + } + ], + "created": "2023-11-09T15:15:09Z", + "description": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-6039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-16T17:59:48Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe" + }, + { + "url": "https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24" + }, + { + "url": "https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda" + }, + { + "url": "https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18" + }, + { + "url": "https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a" + }, + { + "url": "https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab" + }, + { + "url": "https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e" + }, + { + "url": "https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136" + }, + { + "url": "https://git.kernel.org/linus/685f7d531264599b3f167f1e94bbd22f120e5fab(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26852" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-512", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26852" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\n\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\n\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\n\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\n\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\n\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x167/0x540 mm/kasan/report.c:488\n kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n \n\nAllocated by task 23037:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3981 [inline]\n __kmalloc+0x22e/0x490 mm/slub.c:3994\n kmalloc include/linux/slab.h:594 [inline]\n kzalloc include/linux/slab.h:711 [inline]\n fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nFreed by task 16:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n poison_slab_object+0xa6/0xe0 m\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26852", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26852" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c" + }, + { + "url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a" + }, + { + "url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895" + }, + { + "url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f" + }, + { + "url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62" + }, + { + "url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703" + }, + { + "url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3" + }, + { + "url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325" + }, + { + "url": "https://git.kernel.org/linus/4a3859ea5240365d21f6053ee219bb240d520895(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26937" + } + ], + "bom-ref": "vuln-513", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26937" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26937", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26937" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf" + }, + { + "url": "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9" + }, + { + "url": "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7" + }, + { + "url": "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433" + }, + { + "url": "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27016" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf(6.9-rc5)" + } + ], + "bom-ref": "vuln-514", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27016" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27016", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27016" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32002" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-32002" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-515", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32002" + } + } + ], + "created": "2024-05-14T19:15:10Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", + "affects": [ + { + "ref": "comp-113" + } + ], + "id": "CVE-2024-32002", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32002" + }, + "cwes": [ + 434, + 22 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-14T19:17:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:50:23Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32020" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-516", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32020" + } + } + ], + "created": "2024-05-14T19:15:12Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.", + "affects": [ + { + "ref": "comp-113" + } + ], + "id": "CVE-2024-32020", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32020" + }, + "cwes": [ + 281 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-14T19:17:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9c33663af9ad115f90c076a1828129a3fbadea98" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1210780" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6520-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6464-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6465-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6466-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6465-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6465-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6439-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6439-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-31083" + }, + { + "url": "https://git.kernel.org/bluetooth/bluetooth-next/c/ff1b86784849" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6516-1" + } + ], + "bom-ref": "vuln-517", + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31083" + } + } + ], + "created": "2023-04-24T06:15:07Z", + "description": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-31083", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" + }, + "cwes": [ + 362, + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-25T01:15:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T04:12:02Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8983397951b4b0bd51bb4b4ba9749424e1ccbb70" + }, + { + "url": "https://git.kernel.org/stable/c/7330256268664ea0a7dd5b07a3fed363093477dd" + }, + { + "url": "https://git.kernel.org/stable/c/9a9d00c23d170d4ef5a1b28e6b69f5c85dd12bc1" + }, + { + "url": "https://git.kernel.org/stable/c/a28f4d1e0bed85943d309ac243fd1c200f8af9a2" + }, + { + "url": "https://git.kernel.org/stable/c/2827633c9dab6304ec4cdbf369363219832e605d" + }, + { + "url": "https://git.kernel.org/linus/7330256268664ea0a7dd5b07a3fed363093477dd(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26915" + } + ], + "bom-ref": "vuln-518", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26915" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Reset IH OVERFLOW_CLEAR bit\n\nAllows us to detect subsequent IH ring buffer overflows as well.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26915", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26915" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1001db6c42e4012b55e5ee19405490f23e033b5a" + }, + { + "url": "https://git.kernel.org/stable/c/a262b78dd085dbe9b3c75dc1d9c4cd102b110b53" + }, + { + "url": "https://git.kernel.org/stable/c/8bf2ca8c60712af288b88ba80f8e4df4573d923f" + }, + { + "url": "https://git.kernel.org/stable/c/dffdf7c783ef291eef38a5a0037584fd1a7fa464" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26765" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1001db6c42e4012b55e5ee19405490f23e033b5a(6.8-rc6)" + } + ], + "bom-ref": "vuln-519", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26765" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Disable IRQ before init_fn() for nonboot CPUs\n\nDisable IRQ before init_fn() for nonboot CPUs when hotplug, in order to\nsilence such warnings (and also avoid potential errors due to unexpected\ninterrupts):\n\nWARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\npc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0\na0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000\na4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c\nt0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e\nt4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000\nt8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001\ns1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001\ns5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8\n ra: 90000000047bd56c tlb_init+0x24c/0x528\n ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000000 (PPLV0 -PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071000 (LIE=12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\nStack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000\n 900000010039fa30 0000000000000000 900000010039fa38 900000000619a140\n 9000000006456888 9000000006456880 900000010039f950 0000000000000001\n 0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700\n 0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003\n 0000000000040000 9000000007930370 0000000002b90000 0000000000000004\n 9000000006366000 900000000619a140 0000000000000000 0000000000000004\n 0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940\n 9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8\n 00000000000000b0 0000000000000000 0000000000000000 0000000000071000\n ...\nCall Trace:\n[<90000000047a4828>] show_stack+0x48/0x1a0\n[<9000000005b61874>] dump_stack_lvl+0x84/0xcc\n[<90000000047f60ac>] __warn+0x8c/0x1e0\n[<9000000005b0ab34>] report_bug+0x1b4/0x280\n[<9000000005b63110>] do_bp+0x2d0/0x480\n[<90000000047a2e20>] handle_bp+0x120/0x1c0\n[<90000000048e3334>] rcu_cpu_starting+0x214/0x280\n[<90000000047bd568>] tlb_init+0x248/0x528\n[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160\n[<90000000047a19f4>] cpu_probe+0x494/0xa00\n[<90000000047b551c>] start_secondary+0x3c/0xc0\n[<9000000005b66134>] smpboot_entry+0x50/0x58", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26765", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26765" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48" + }, + { + "url": "https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38" + }, + { + "url": "https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c" + }, + { + "url": "https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35799" + }, + { + "url": "https://git.kernel.org/linus/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-520", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35799" + } + } + ], + "created": "2024-05-17T14:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35799", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35799" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb" + }, + { + "url": "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157" + }, + { + "url": "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26822" + }, + { + "url": "https://git.kernel.org/linus/4508ec17357094e2075f334948393ddedbb75157(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-521", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26822" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26822", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26822" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24ec7504a08a67247fbe798d1de995208a8c128a" + }, + { + "url": "https://git.kernel.org/stable/c/50fb4e17df319bb33be6f14e2a856950c1577dee" + }, + { + "url": "https://git.kernel.org/stable/c/b6a2a9cbb67545c825ec95f06adb7ff300a2ad71" + }, + { + "url": "https://git.kernel.org/stable/c/3cd139875e9a7688b3fc715264032620812a5fa3" + }, + { + "url": "https://git.kernel.org/stable/c/2441a64070b85c14eecc3728cc87e883f953f265" + }, + { + "url": "https://git.kernel.org/stable/c/944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://git.kernel.org/stable/c/c5b2063c65d05e79fad8029324581d86cfba7eea" + }, + { + "url": "https://git.kernel.org/stable/c/db896bbe4a9c67cee377e5f6a743350d3ae4acf6" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26602" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1250" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1765" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1249" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2525.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1332" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1653" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1532" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1533" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2006" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2008" + } + ], + "bom-ref": "vuln-522", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26602" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-17T18:01:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:26:36Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e2d45f467096e931044f0ab7634499879d851a5c" + }, + { + "url": "https://git.kernel.org/stable/c/291cca35818bd52a407bc37ab45a15816039e363" + }, + { + "url": "https://git.kernel.org/stable/c/5224afbc30c3ca9ba23e752f0f138729b2c48dd8" + }, + { + "url": "https://git.kernel.org/stable/c/edcf1a3f182ecf8b6b805f0ce90570ea98c5f6bf" + }, + { + "url": "https://git.kernel.org/stable/c/552705a3650bbf46a22b1adedc1b04181490fc36" + }, + { + "url": "https://git.kernel.org/stable/c/b2d6f9a5b1cf968f1eaa71085ceeb09c2cb276b1" + }, + { + "url": "https://git.kernel.org/stable/c/406b0241d0eb598a0b330ab20ae325537d8d8163" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26643" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-523", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26643" + } + } + ], + "created": "2024-03-21T11:15:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout\n\nWhile the rhashtable set gc runs asynchronously, a race allows it to\ncollect elements from anonymous sets with timeouts while it is being\nreleased from the commit path.\n\nMingi Cho originally reported this issue in a different path in 6.1.x\nwith a pipapo set with low timeouts which is not possible upstream since\n7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set\nelement timeout\").\n\nFix this by setting on the dead flag for anonymous sets to skip async gc\nin this case.\n\nAccording to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on\ntransaction abort\"), Florian plans to accelerate abort path by releasing\nobjects via workqueue, therefore, this sets on the dead flag for abort\npath too.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26643", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26643" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8" + }, + { + "url": "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe" + }, + { + "url": "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26842" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b513d30d59bb383a6a5d6b533afcab2cee99a8f8(6.8-rc4)" + } + ], + "bom-ref": "vuln-524", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26842" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26842", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26842" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/47635b112a64b7b208224962471e7e42f110e723" + }, + { + "url": "https://git.kernel.org/stable/c/a4e7ff1a74274e59a2de9bb57236542aa990d20a" + }, + { + "url": "https://git.kernel.org/stable/c/ae7079238f6faf1b94accfccf334e98b46a0c0aa" + }, + { + "url": "https://git.kernel.org/stable/c/c7cff9780297d55d97ad068b68b703cfe53ef9af" + }, + { + "url": "https://git.kernel.org/stable/c/13edb509abc91c72152a11baaf0e7c060a312e03" + }, + { + "url": "https://git.kernel.org/stable/c/aaa8736370db1a78f0e8434344a484f9fd20be3b" + }, + { + "url": "https://git.kernel.org/stable/c/af2a9f98d884205145fd155304a6955822ccca1c" + }, + { + "url": "https://git.kernel.org/stable/c/5cb59db49c9c0fccfd33b2209af4f7ae3c6ddf40" + }, + { + "url": "https://git.kernel.org/stable/c/52018aa146e3cf76569a9b1e6e49a2b7c8d4a088" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/aaa8736370db1a78f0e8434344a484f9fd20be3b(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26816" + } + ], + "bom-ref": "vuln-525", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26816" + } + } + ], + "created": "2024-04-10T14:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86, relocs: Ignore relocations in .notes section\n\nWhen building with CONFIG_XEN_PV=y, .text symbols are emitted into\nthe .notes section so that Xen can find the \"startup_xen\" entry point.\nThis information is used prior to booting the kernel, so relocations\nare not useful. In fact, performing relocations against the .notes\nsection means that the KASLR base is exposed since /sys/kernel/notes\nis world-readable.\n\nTo avoid leaking the KASLR base without breaking unprivileged tools that\nare expecting to read /sys/kernel/notes, skip performing relocations in\nthe .notes section. The values readable in .notes are then identical to\nthose found in System.map.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26816", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26816" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-10T19:49:51Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f" + }, + { + "url": "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + }, + { + "url": "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26595" + } + ], + "bom-ref": "vuln-526", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26595" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595" + } + } + ], + "created": "2024-02-23T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26595", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T19:55:31Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2309b369fae2d9cdc3c945cd3eaec84eb1958ca3" + }, + { + "url": "https://git.kernel.org/stable/c/498f1d6da11ed6d736d655a2db14ee2d9569eecb" + }, + { + "url": "https://git.kernel.org/stable/c/73426c32e259c767d40613b956d5b80d0c28a9a9" + }, + { + "url": "https://git.kernel.org/stable/c/4eacb242e22e31385a50a393681d0fe4b55ed1e9" + }, + { + "url": "https://git.kernel.org/stable/c/01d4e3afe257768cd2a45f15a0e57bacf932b140" + }, + { + "url": "https://git.kernel.org/stable/c/6f254abae02abd4a0aca062c1b3812d7e2d8ea94" + }, + { + "url": "https://git.kernel.org/stable/c/f99b494b40431f0ca416859f2345746199398e2b" + }, + { + "url": "https://git.kernel.org/stable/c/cbba77abb4a553c1f5afac1ba2a0861aa1f13549" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27422" + }, + { + "url": "https://git.kernel.org/linus/f99b494b40431f0ca416859f2345746199398e2b(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-527", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27422" + } + } + ], + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27422", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27422" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bdd895e0190c464f54f84579e7535d80276f0fc5" + }, + { + "url": "https://git.kernel.org/stable/c/e362d007294955a4fb929e1c8978154a64efdcb6" + }, + { + "url": "https://git.kernel.org/stable/c/ec77fa12da41260c6bf9e060b89234b980c5130f" + }, + { + "url": "https://git.kernel.org/stable/c/7104a00fa37ae898a827381f1161fa3286c8b346" + }, + { + "url": "https://git.kernel.org/stable/c/6413e78086caf7bf15639923740da0d91fdfd090" + }, + { + "url": "https://git.kernel.org/stable/c/85570b91e4820a0db9d9432098778cafafa7d217" + }, + { + "url": "https://git.kernel.org/stable/c/c21a8870c98611e8f892511825c9607f1e2cd456" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c21a8870c98611e8f892511825c9607f1e2cd456(6.9-rc1)" + } + ], + "bom-ref": "vuln-528", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26872" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Do not register event handler until srpt device is fully setup\n\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\n\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\n\nInstead, only register the event handler after srpt device initialization\nis complete.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26872", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26872" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f87884e0dffd61b47e58bc6e1e2f6843c212b0cc" + }, + { + "url": "https://git.kernel.org/stable/c/d691be84ab898cf136a35176eaf2f8fc116563f0" + }, + { + "url": "https://git.kernel.org/stable/c/78739d72f16b2d7d549f713f1dfebd678d32484b" + }, + { + "url": "https://git.kernel.org/stable/c/45a83b220c83e3c326513269afbf69ae6fc65cce" + }, + { + "url": "https://git.kernel.org/stable/c/bba045dc4d996d03dce6fe45726e78a1a1f6d4c3" + }, + { + "url": "https://git.kernel.org/stable/c/fdf16de078a97bf14bb8ee2b8d47cc3d3ead09ed" + }, + { + "url": "https://git.kernel.org/stable/c/3f94da807fe1668b9830f0eefbbf7e887b0a7bc6" + }, + { + "url": "https://git.kernel.org/linus/bba045dc4d996d03dce6fe45726e78a1a1f6d4c3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26861" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-529", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26861" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: receive: annotate data-race around receiving_counter.counter\n\nSyzkaller with KCSAN identified a data-race issue when accessing\nkeypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()\nannotations to mark the data race as intentional.\n\n BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll\n\n write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:\n counter_validate drivers/net/wireguard/receive.c:321 [inline]\n wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461\n __napi_poll+0x60/0x3b0 net/core/dev.c:6536\n napi_poll net/core/dev.c:6605 [inline]\n net_rx_action+0x32b/0x750 net/core/dev.c:6738\n __do_softirq+0xc4/0x279 kernel/softirq.c:553\n do_softirq+0x5e/0x90 kernel/softirq.c:454\n __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]\n wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499\n process_one_work kernel/workqueue.c:2633 [inline]\n ...\n\n read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:\n decrypt_packet drivers/net/wireguard/receive.c:252 [inline]\n wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706\n worker_thread+0x525/0x730 kernel/workqueue.c:2787\n ...", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26861", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26861" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9" + }, + { + "url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb" + }, + { + "url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c" + }, + { + "url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447" + }, + { + "url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f" + }, + { + "url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208" + }, + { + "url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1" + }, + { + "url": "https://git.kernel.org/linus/cb5942b77c05d54310a0420cac12935e9b6aa21c(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26895" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-530", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26895" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n safely modify the list as we go through each element. For each element,\n remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n sure it is safe to free the corresponding vif too (through\n unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26895", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26895" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df" + }, + { + "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe" + }, + { + "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a" + }, + { + "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" + }, + { + "url": "https://git.kernel.org/linus/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26742" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-531", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26742" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26742", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26742" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/996997d1fb2126feda550d6adcedcbd94911fc69" + }, + { + "url": "https://git.kernel.org/stable/c/934212a623cbab851848b6de377eb476718c3e4c" + }, + { + "url": "https://git.kernel.org/stable/c/5e6013ae2c8d420faea553d363935f65badd32c3" + }, + { + "url": "https://git.kernel.org/stable/c/bb336cd8d5ecb69c430ebe3e7bcff68471d93fa8" + }, + { + "url": "https://git.kernel.org/stable/c/3cfcfc102a5e57b021b786a755a38935e357797d" + }, + { + "url": "https://git.kernel.org/stable/c/dd292e884c649f9b1c18af0ec75ca90b390cd044" + }, + { + "url": "https://git.kernel.org/stable/c/9806c2393cd2ab0a8e7bb9ffae02ce20e3112ec4" + }, + { + "url": "https://git.kernel.org/stable/c/bfa9d86d39a0fe4685f90c3529aa9bd62a9d97a8" + }, + { + "url": "https://git.kernel.org/stable/c/b97c37978ca825557d331c9012e0c1ddc0e42364" + }, + { + "url": "https://git.kernel.org/linus/3cfcfc102a5e57b021b786a755a38935e357797d(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27388" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-532", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27388" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix some memleaks in gssx_dec_option_array\n\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27388", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27388" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15" + }, + { + "url": "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a" + }, + { + "url": "https://git.kernel.org/linus/def054b01a867822254e1dda13d587f5c7a99e2a(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35843" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-533", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35843" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35843", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35843" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/lkml/CALGdzuo6awWdau3X=8XK547x2vX_-VoFmH1aPsqosRTQ5WzJVA@mail.gmail.com/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + }, + { + "url": "https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu@suse.com/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23850" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + } + ], + "bom-ref": "vuln-534", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23850" + } + } + ], + "created": "2024-01-23T09:15:36Z", + "description": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-23850", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-28T03:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c" + }, + { + "url": "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40" + }, + { + "url": "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd" + }, + { + "url": "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35932" + }, + { + "url": "https://git.kernel.org/linus/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-535", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35932" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35932", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35932" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d" + }, + { + "url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf" + }, + { + "url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928" + }, + { + "url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d" + }, + { + "url": "https://git.kernel.org/linus/b3cb7a830a24527877b0bc900b9bd74a96aea928(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52664" + } + ], + "bom-ref": "vuln-536", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52664" + } + } + ], + "created": "2024-05-17T14:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52664", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52664" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085" + }, + { + "url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20" + }, + { + "url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248" + }, + { + "url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325" + }, + { + "url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1" + }, + { + "url": "https://git.kernel.org/linus/c119f4ede3fa90a9463f50831761c28f989bfb20(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26980" + } + ], + "bom-ref": "vuln-537", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26980" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26980", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26980" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c" + }, + { + "url": "https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545" + }, + { + "url": "https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd" + }, + { + "url": "https://git.kernel.org/linus/5abffb66d12bcac84bf7b66389c571b8bb6e82bd(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35927" + } + ], + "bom-ref": "vuln-538", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35927" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 770.948823] ------------[ cut here ]------------\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[ 770.948879] Call Trace:\n[ 770.948880] \n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\n[ 770.948889] ? __warn+0x81/0x110\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\n[ 770.948892] ? report_bug+0x10a/0x140\n[ 770.948895] ? handle_bug+0x3c/0x70\n[ 770.948898] ? exc_invalid_op+0x14/0x70\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\n[ 770.948905] __cancel_work_timer+0x103/0x190\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948951] dpm_run_callback+0x4c/0x140\n[ 770.948954] __device_suspend_noir\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35927", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35927" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99" + }, + { + "url": "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a" + }, + { + "url": "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674" + }, + { + "url": "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6" + }, + { + "url": "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26936" + }, + { + "url": "https://git.kernel.org/linus/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-539", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26936" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26936", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26936" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3@huawei.com/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25740" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-540", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25740" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-25740", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" + }, + "cwes": [ + 401 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-26T21:11:27Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2" + }, + { + "url": "https://git.kernel.org/stable/c/b6d46f306b3964d05055ddaa96b58cd8bd3a472c" + }, + { + "url": "https://git.kernel.org/stable/c/309ef7de5d840e17607e7d65cbf297c0564433ef" + }, + { + "url": "https://git.kernel.org/stable/c/a71302c8638939c45e4ba5a99ea438185fd3f418" + }, + { + "url": "https://git.kernel.org/stable/c/5b10a88f64c0315cfdef45de0aaaa4eef57de0b7" + }, + { + "url": "https://git.kernel.org/stable/c/c7441c77c91e47f653104be8353b44a3366a5366" + }, + { + "url": "https://git.kernel.org/stable/c/4d29a58d96a78728cb01ee29ed70dc4bd642f135" + }, + { + "url": "https://git.kernel.org/stable/c/bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26820" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2(6.8-rc4)" + } + ], + "bom-ref": "vuln-541", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26820" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed\n\nIf hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER\nhandler cannot perform VF register successfully as the register call\nis received before netvsc_probe is finished. This is because we\nregister register_netdevice_notifier() very early( even before\nvmbus_driver_register()).\nTo fix this, we try to register each such matching VF( if it is visible\nas a netdevice) at the end of netvsc_probe.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26820", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26820" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4" + }, + { + "url": "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd" + }, + { + "url": "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8" + }, + { + "url": "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19" + }, + { + "url": "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f" + }, + { + "url": "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35884" + }, + { + "url": "https://git.kernel.org/linus/3d010c8031e39f5fa1e8b13ada77e0321091011f(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-542", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35884" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35884", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35884" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0564" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0564" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-543", + "ratings": [ + { + "severity": "none", + "score": 0.00052, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0564" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" + } + } + ], + "created": "2024-01-30T15:15:08Z", + "description": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-0564", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" + }, + "cwes": [ + 203 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-08T16:36:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:01:50Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6" + }, + { + "url": "https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f" + }, + { + "url": "https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947" + }, + { + "url": "https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a" + }, + { + "url": "https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9" + }, + { + "url": "https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5" + }, + { + "url": "https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384" + }, + { + "url": "https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26934" + }, + { + "url": "https://git.kernel.org/linus/80ba43e9f799cbdd83842fc27db667289b3150f5(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-544", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26934" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26934", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26934" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7" + }, + { + "url": "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a" + }, + { + "url": "https://git.kernel.org/linus/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52673" + } + ], + "bom-ref": "vuln-545", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52673" + } + } + ], + "created": "2024-05-17T14:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52673", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52673" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2b1414d5e94e477edff1d2c79030f1d742625ea0" + }, + { + "url": "https://git.kernel.org/stable/c/62e7151ae3eb465e0ab52a20c941ff33bb6332e9" + }, + { + "url": "https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5" + }, + { + "url": "https://git.kernel.org/stable/c/cb734975b0ffa688ff6cc0eed463865bf07b6c01" + }, + { + "url": "https://git.kernel.org/stable/c/80cd0487f630b5382734997c3e5e3003a77db315" + }, + { + "url": "https://git.kernel.org/linus/62e7151ae3eb465e0ab52a20c941ff33bb6332e9(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27415" + } + ], + "bom-ref": "vuln-546", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27415" + } + } + ], + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: confirm multicast packets before passing them up the stack\n\nconntrack nf_confirm logic cannot handle cloned skbs referencing\nthe same nf_conn entry, which will happen for multicast (broadcast)\nframes on bridges.\n\n Example:\n macvlan0\n |\n br0\n / \\\n ethX ethY\n\n ethX (or Y) receives a L2 multicast or broadcast packet containing\n an IP packet, flow is not yet in conntrack table.\n\n 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting.\n -> skb->_nfct now references a unconfirmed entry\n 2. skb is broad/mcast packet. bridge now passes clones out on each bridge\n interface.\n 3. skb gets passed up the stack.\n 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb\n and schedules a work queue to send them out on the lower devices.\n\n The clone skb->_nfct is not a copy, it is the same entry as the\n original skb. The macvlan rx handler then returns RX_HANDLER_PASS.\n 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.\n\nThe Macvlan broadcast worker and normal confirm path will race.\n\nThis race will not happen if step 2 already confirmed a clone. In that\ncase later steps perform skb_clone() with skb->_nfct already confirmed (in\nhash table). This works fine.\n\nBut such confirmation won't happen when eb/ip/nftables rules dropped the\npackets before they reached the nf_confirm step in postrouting.\n\nPablo points out that nf_conntrack_bridge doesn't allow use of stateful\nnat, so we can safely discard the nf_conn entry and let inet call\nconntrack again.\n\nThis doesn't work for bridge netfilter: skb could have a nat\ntransformation. Also bridge nf prevents re-invocation of inet prerouting\nvia 'sabotage_in' hook.\n\nWork around this problem by explicit confirmation of the entry at LOCAL_IN\ntime, before upper layer has a chance to clone the unconfirmed entry.\n\nThe downside is that this disables NAT and conntrack helpers.\n\nAlternative fix would be to add locking to all code parts that deal with\nunconfirmed packets, but even if that could be done in a sane way this\nopens up other problems, for example:\n\n-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4\n-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5\n\nFor multicast case, only one of such conflicting mappings will be\ncreated, conntrack only handles 1:1 NAT mappings.\n\nUsers should set create a setup that explicitly marks such traffic\nNOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass\nthem, ruleset might have accept rules for untracked traffic already,\nso user-visible behaviour would change.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27415", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27415" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071" + }, + { + "url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" + }, + { + "url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305" + }, + { + "url": "https://git.kernel.org/linus/7601df8031fd67310af891897ef6cc0df4209305(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26686" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-547", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26686" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26686", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26686" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/55656b2afd5f1efcec4245f3e7e814c2a9ef53f6" + }, + { + "url": "https://git.kernel.org/stable/c/26fde0ea40dda1b08fad3bc0a43f122f6dd8bddf" + }, + { + "url": "https://git.kernel.org/stable/c/75bf5e78b2a27cb1bca6fa826e3ab685015165e1" + }, + { + "url": "https://git.kernel.org/stable/c/eed04fa96c48790c1cce73c8a248e9d460b088f8" + }, + { + "url": "https://git.kernel.org/stable/c/8aa5c28ac65cb5e7f1b9c0c3238c00b661dd2b8c" + }, + { + "url": "https://git.kernel.org/stable/c/257d313e37d66c3bcc87197fb5b8549129c45dfe" + }, + { + "url": "https://git.kernel.org/stable/c/9de10b59d16880a0a3ae2876c142fe54ce45d816" + }, + { + "url": "https://git.kernel.org/stable/c/8a139fa44870e84ac228b7b76423a49610e5ba9a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26997" + }, + { + "url": "https://git.kernel.org/linus/eed04fa96c48790c1cce73c8a248e9d460b088f8(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-548", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26997" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: host: Fix dereference issue in DDMA completion flow.\n\nFixed variable dereference issue in DDMA completion flow.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26997", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26997" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895" + }, + { + "url": "https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27072" + }, + { + "url": "https://git.kernel.org/linus/65e6a2773d655172143cc0b927cdc89549842895(6.9-rc1)" + } + ], + "bom-ref": "vuln-549", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27072" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27072", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27072" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6" + }, + { + "url": "https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f" + }, + { + "url": "https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee" + }, + { + "url": "https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c" + }, + { + "url": "https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688" + }, + { + "url": "https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63" + }, + { + "url": "https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb" + }, + { + "url": "https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375" + }, + { + "url": "https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6" + }, + { + "url": "https://git.kernel.org/linus/fde2497d2bc3a063d8af88b258dbadc86bd7b57c(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26973" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-550", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26973" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26973", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26973" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a" + }, + { + "url": "https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705" + }, + { + "url": "https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4" + }, + { + "url": "https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26789" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-551", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26789" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/neonbs - fix out-of-bounds access on short input\n\nThe bit-sliced implementation of AES-CTR operates on blocks of 128\nbytes, and will fall back to the plain NEON version for tail blocks or\ninputs that are shorter than 128 bytes to begin with.\n\nIt will call straight into the plain NEON asm helper, which performs all\nmemory accesses in granules of 16 bytes (the size of a NEON register).\nFor this reason, the associated plain NEON glue code will copy inputs\nshorter than 16 bytes into a temporary buffer, given that this is a rare\noccurrence and it is not worth the effort to work around this in the asm\ncode.\n\nThe fallback from the bit-sliced NEON version fails to take this into\naccount, potentially resulting in out-of-bounds accesses. So clone the\nsame workaround, and use a temp buffer for short in/outputs.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26789", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26789" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14" + }, + { + "url": "https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe" + }, + { + "url": "https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02" + }, + { + "url": "https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854" + }, + { + "url": "https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c" + }, + { + "url": "https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68" + }, + { + "url": "https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7" + }, + { + "url": "https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8" + }, + { + "url": "https://git.kernel.org/linus/93f52fbeaf4b676b21acfe42a5152620e6770d02(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35925" + } + ], + "bom-ref": "vuln-552", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35925" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35925", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35925" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f" + }, + { + "url": "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49" + }, + { + "url": "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964" + }, + { + "url": "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133" + }, + { + "url": "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa" + }, + { + "url": "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325" + }, + { + "url": "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34" + }, + { + "url": "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27059" + }, + { + "url": "https://git.kernel.org/linus/014bcf41d946b36a8f0b8e9b5d9529efbb822f49(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-553", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27059" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27059", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27059" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/855678ed8534518e2b428bcbcec695de9ba248e8" + }, + { + "url": "https://git.kernel.org/stable/c/02dad157ba11064d073f5499dc33552b227d5d3a" + }, + { + "url": "https://git.kernel.org/stable/c/11f81438927f84edfaaeb5d5f10856c3a1c1fc82" + }, + { + "url": "https://git.kernel.org/stable/c/6b2ff10390b19a2364af622b6666b690443f9f3f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27023" + }, + { + "url": "https://git.kernel.org/linus/855678ed8534518e2b428bcbcec695de9ba248e8(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-554", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27023" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Fix missing release of 'active_io' for flush\n\nsubmit_flushes\n atomic_set(&mddev->flush_pending, 1);\n rdev_for_each_rcu(rdev, mddev)\n atomic_inc(&mddev->flush_pending);\n bi->bi_end_io = md_end_flush\n submit_bio(bi);\n /* flush io is done first */\n md_end_flush\n if (atomic_dec_and_test(&mddev->flush_pending))\n percpu_ref_put(&mddev->active_io)\n -> active_io is not released\n\n if (atomic_dec_and_test(&mddev->flush_pending))\n -> missing release of active_io\n\nFor consequence, mddev_suspend() will wait for 'active_io' to be zero\nforever.\n\nFix this problem by releasing 'active_io' in submit_flushes() if\n'flush_pending' is decreased to zero.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27023", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27023" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5d5c14efc987900509cec465af26608e39ac607c" + }, + { + "url": "https://git.kernel.org/stable/c/eadec8da4451c2c0897199691184602e4ee497d1" + }, + { + "url": "https://git.kernel.org/stable/c/7d1e00fc2af3b7c30835d643a3655b7e9ff7cb20" + }, + { + "url": "https://git.kernel.org/stable/c/fed835d415766a94fc0246dcebc3af4c03fe9941" + }, + { + "url": "https://git.kernel.org/stable/c/60a7a152abd494ed4f69098cf0f322e6bb140612" + }, + { + "url": "https://git.kernel.org/stable/c/b8006cb0a34aaf85cdd8741f4148fd9c76b351d3" + }, + { + "url": "https://git.kernel.org/stable/c/500936692ccca8617a955652d1929f079b17a201" + }, + { + "url": "https://git.kernel.org/stable/c/291d36d772f5ea5c68a263ee440f2c9eade371c9" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27427" + }, + { + "url": "https://git.kernel.org/linus/60a7a152abd494ed4f69098cf0f322e6bb140612(6.8)" + } + ], + "bom-ref": "vuln-555", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27427" + } + } + ], + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_timeout\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27427", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27427" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/15641007df0f0d35fa28742b25c2a7db9dcd6895" + }, + { + "url": "https://git.kernel.org/stable/c/43f798b9036491fb014b55dd61c4c5c3193267d0" + }, + { + "url": "https://git.kernel.org/stable/c/7070b274c7866a4c5036f8d54fcaf315c64ac33a" + }, + { + "url": "https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b24232f75c1d" + }, + { + "url": "https://git.kernel.org/stable/c/ca1f06e72dec41ae4f76e7b1a8a97265447b46ae" + }, + { + "url": "https://git.kernel.org/stable/c/f06899582ccee09bd85d0696290e3eaca9aa042d" + }, + { + "url": "https://git.kernel.org/stable/c/0971126c8164abe2004b8536b49690a0d6005b0a" + }, + { + "url": "https://git.kernel.org/stable/c/7a4b21250bf79eef26543d35bd390448646c536b" + }, + { + "url": "https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26883" + }, + { + "url": "https://git.kernel.org/linus/7a4b21250bf79eef26543d35bd390448646c536b(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-556", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26883" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26883" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check on 32-bit arches\n\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\n\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26883", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26883" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T20:03:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7" + }, + { + "url": "https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01" + }, + { + "url": "https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c" + }, + { + "url": "https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315" + }, + { + "url": "https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35967" + }, + { + "url": "https://git.kernel.org/linus/51eda36d33e43201e7a4fd35232e069b2c850b01(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-557", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35967" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35967", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35967" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49" + }, + { + "url": "https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e" + }, + { + "url": "https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6" + }, + { + "url": "https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31" + }, + { + "url": "https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86" + }, + { + "url": "https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7" + }, + { + "url": "https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35899" + }, + { + "url": "https://git.kernel.org/linus/24cea9677025e0de419989ecb692acd4bb34cac2(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-558", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35899" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991] \n[ 1360.547998] dump_stack_lvl+0x53/0x70\n[ 1360.548014] print_report+0xc4/0x610\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176] kasan_report+0xae/0xe0\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591] process_one_work+0x2f1/0x670\n[ 1360.548610] worker_thread+0x4d3/0x760\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640] kthread+0x16b/0x1b0\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\n[ 1360.548665] ret_from_fork+0x2f/0x50\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\n[ 1360.548707] \n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726] kasan_save_stack+0x20/0x40\n[ 1360.548739] kasan_save_track+0x14/0x30\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927] netlink_unicast+0x367/0x4f0\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\n[ 1360.548971] do_syscall_64+0x55/0x120\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999] kasan_save_stack+0x20/0x40\n[ 1360.549009] kasan_save_track+0x14/0x30\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\n[ 1360.549028] poison_slab_object+0x100/0x180\n[ 1360.549036] __kasan_slab_free+0x14/0x30\n[ 1360.549042] kfree+0xb6/0x260\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221] ops_exit_list+0x50/0xa0\n[ 1360.549229] free_exit_list+0x101/0x140\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\n[ 1360.549352] do_syscall_64+0x55/0x120\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350 list_del(&flowtable->list);\n11351 nft_use_dec(&table->use);\n11352 nf_tables_flowtable_destroy(flowtable);\n11353 }\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355 list_del(&set->list);\n11356 nft_use_dec(&table->use);\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358 nft_map_deactivat\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35899", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35899" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1bc44a505a229bb1dd4957e11aa594edeea3690e" + }, + { + "url": "https://git.kernel.org/stable/c/c9e44111da221246efb2e623ae1be40a5cf6542c" + }, + { + "url": "https://git.kernel.org/stable/c/79527c21a3ce04cffc35ea54f74ee087e532be57" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-559", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()\n\nlen is extracted from HTT message and could be an unexpected value in\ncase errors happen, so add validation before using to avoid possible\nout-of-bound read in the following message iteration and parsing.\n\nThe same issue also applies to ppdu_info->ppdu_stats.common.num_users,\nso validate it before using too.\n\nThese are found during code review.\n\nCompile test only.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52827", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52827" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538" + }, + { + "url": "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e" + }, + { + "url": "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48" + }, + { + "url": "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e" + }, + { + "url": "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49" + }, + { + "url": "https://git.kernel.org/linus/2d8527f2f911fab84aec04df4788c0c23af3df48(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27009" + } + ], + "bom-ref": "vuln-560", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27009" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27009", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27009" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239" + }, + { + "url": "https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5" + }, + { + "url": "https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386" + }, + { + "url": "https://git.kernel.org/linus/e7b2b108cdeab76a7e7324459e50b0c1214c0386(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52671" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-561", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52671" + } + } + ], + "created": "2024-05-17T14:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52671", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52671" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5" + }, + { + "url": "https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4" + }, + { + "url": "https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6" + }, + { + "url": "https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971" + }, + { + "url": "https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4" + }, + { + "url": "https://git.kernel.org/linus/09ba28e1cd3cf715daab1fca6e1623e22fd754a6(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35885" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-562", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35885" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35885", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35885" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67" + }, + { + "url": "https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2" + }, + { + "url": "https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c" + }, + { + "url": "https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17" + }, + { + "url": "https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9" + }, + { + "url": "https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26846" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/70fbfc47a392b98e5f8dba70c6efc6839205c982(6.8-rc3)" + } + ], + "bom-ref": "vuln-563", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26846" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: do not wait in vain when unloading module\n\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\n\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\n\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\n\nWhile at it, remove the unused nvme_fc_wq workqueue too.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26846", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26846" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d" + }, + { + "url": "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645" + }, + { + "url": "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01" + }, + { + "url": "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35862" + }, + { + "url": "https://git.kernel.org/linus/63981561ffd2d4987807df4126f96a11e18b0c1d(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-564", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35862" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35862", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35862" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518" + }, + { + "url": "https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11" + }, + { + "url": "https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b" + }, + { + "url": "https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd" + }, + { + "url": "https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f" + }, + { + "url": "https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26698" + }, + { + "url": "https://git.kernel.org/linus/e0526ec5360a48ad3ab2e26e802b0532302a7e11(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-565", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26698" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\n\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\n\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\n\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\n\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\n\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\n\nCall trace:\n[ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002\n[ 654.568030] Call Trace:\n[ 654.571221] \n[ 654.573790] __schedule+0x2d6/0x960\n[ 654.577733] schedule+0x69/0xf0\n[ 654.581214] schedule_timeout+0x87/0x140\n[ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20\n[ 654.590291] msleep+0x2d/0x40\n[ 654.593625] napi_disable+0x2b/0x80\n[ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[ 654.611101] ? do_wait_intr+0xb0/0xb0\n[ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc]\n[ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26698", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26698" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d964dd1bc1452594b4207d9229c157d9386e5d8a" + }, + { + "url": "https://git.kernel.org/stable/c/d75abeec401f8c86b470e7028a13fcdc87e5dd06" + }, + { + "url": "https://git.kernel.org/stable/c/e77bf828f1ca1c47fcff58bdc26b60a9d3dfbe1d" + }, + { + "url": "https://git.kernel.org/stable/c/510c869ffa4068c5f19ff4df51d1e2f3a30aaac1" + }, + { + "url": "https://git.kernel.org/stable/c/7dc9feb8b1705cf00de20563b6bc4831f4c99dab" + }, + { + "url": "https://git.kernel.org/stable/c/e37cde7a5716466ff2a76f7f27f0a29b05b9a732" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26665" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/d75abeec401f8c86b470e7028a13fcdc87e5dd06(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-566", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26665" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix out of bounds access when building IPv6 PMTU error\n\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\n\n BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n Read of size 4 at addr ffff88811d402c80 by task netperf/820\n CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n ...\n kasan_report+0xd8/0x110\n do_csum+0x220/0x240\n csum_partial+0xc/0x20\n skb_tunnel_check_pmtu+0xeb9/0x3280\n vxlan_xmit_one+0x14c2/0x4080\n vxlan_xmit+0xf61/0x5c00\n dev_hard_start_xmit+0xfb/0x510\n __dev_queue_xmit+0x7cd/0x32a0\n br_dev_queue_push_xmit+0x39d/0x6a0\n\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26665", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26665" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f" + }, + { + "url": "https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351" + }, + { + "url": "https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9" + }, + { + "url": "https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a" + }, + { + "url": "https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12" + }, + { + "url": "https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199" + }, + { + "url": "https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7" + }, + { + "url": "https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26642" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-567", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26642" + } + } + ], + "created": "2024-03-21T11:15:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26642", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26642" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://android.googlesource.com/kernel/common/+/b35a06182451f" + }, + { + "url": "https://source.android.com/security/bulletin/2023-08-01" + }, + { + "url": "https://android.googlesource.com/kernel/common/+/53625a846a7b4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-21264" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6383-1" + }, + { + "url": "https://git.kernel.org/linus/09cce60bddd6461a93a5bf434265a47827d1bc6f" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-349.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6466-1" + }, + { + "url": "https://source.android.com/docs/security/bulletin/2023-08-01" + } + ], + "bom-ref": "vuln-568", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-21264" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + } + } + ], + "created": "2023-08-14T21:15:11Z", + "description": "In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-21264", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-08-24T15:31:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-07T22:43:01Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f32d2a745b02123258026e105a008f474f896d6a" + }, + { + "url": "https://git.kernel.org/stable/c/8cf9cc602cfb40085967c0d140e32691c8b71cf3" + }, + { + "url": "https://git.kernel.org/stable/c/687061cfaa2ac3095170e136dd9c29a4974f41d4" + }, + { + "url": "https://git.kernel.org/stable/c/993bf0f4c393b3667830918f9247438a8f6fdb5b" + }, + { + "url": "https://git.kernel.org/stable/c/8b40eb2e716b503f7a4e1090815a17b1341b2150" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26774" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/993bf0f4c393b3667830918f9247438a8f6fdb5b(6.8-rc3)" + } + ], + "bom-ref": "vuln-569", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26774" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt\n\nDetermine if bb_fragments is 0 instead of determining bb_free to eliminate\nthe risk of dividing by zero when the block bitmap is corrupted.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26774", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26774" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5" + }, + { + "url": "https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27056" + }, + { + "url": "https://git.kernel.org/linus/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-570", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27056" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27056", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27056" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f" + }, + { + "url": "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8" + }, + { + "url": "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b" + }, + { + "url": "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26837" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/dc489f86257cab5056e747344f17a164f63bff4b(6.8-rc6)" + } + ], + "bom-ref": "vuln-571", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26837" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26837", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26837" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e8c9ae40adda2be1ba41c05fd3cd1e61cce3207" + }, + { + "url": "https://git.kernel.org/stable/c/d2f1b7fe74afd66298dbb3c7b39e7b62e4df1724" + }, + { + "url": "https://git.kernel.org/stable/c/e622502c310f1069fd9f41cd38210553115f610a" + }, + { + "url": "https://git.kernel.org/stable/c/dcaafdba6c6162bb49f1192850bc3bbc3707738c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26626" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e622502c310f1069fd9f41cd38210553115f610a(6.8-rc3)" + } + ], + "bom-ref": "vuln-572", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26626" + } + } + ], + "created": "2024-03-06T07:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: fix kernel panic when forwarding mcast packets\n\nThe stacktrace was:\n[ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092\n[ 86.306815] #PF: supervisor read access in kernel mode\n[ 86.307717] #PF: error_code(0x0000) - not-present page\n[ 86.308624] PGD 0 P4D 0\n[ 86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G U 6.8.0-6wind-knet #1\n[ 86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014\n[ 86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f\n[ 86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246\n[ 86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000\n[ 86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[ 86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80\n[ 86.322873] FS: 00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000\n[ 86.324291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0\n[ 86.326589] Call Trace:\n[ 86.327036] \n[ 86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479)\n[ 86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434)\n[ 86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707)\n[ 86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264)\n[ 86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1))\n[ 86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563)\n[ 86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570)\n[ 86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.333183] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273)\n[ 86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363)\n[ 86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[ 86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[ 86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944)\n[ 86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862)\n[ 86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181)\n[ 86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415)\n[ 86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836)\n[ 86.341408] ? security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13))\n[ 86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716)\n[ 86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313)\n[ 86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/kn\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26626", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26626" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/954a4a87814465ad61cc97c1cd3de1525baaaf07" + }, + { + "url": "https://git.kernel.org/stable/c/fe272b61506bb1534922ef07aa165fd3c37a6a90" + }, + { + "url": "https://git.kernel.org/stable/c/1c811d403afd73f04bde82b83b24c754011bd0e8" + }, + { + "url": "https://git.kernel.org/stable/c/66fa3fcb474b2b892fe42d455a6f7ec5aaa98fb9" + }, + { + "url": "https://git.kernel.org/stable/c/0982fd6bf0b822876f2e93ec782c4c28a3f85535" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35802" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1c811d403afd73f04bde82b83b24c754011bd0e8(6.9-rc1)" + } + ], + "bom-ref": "vuln-573", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35802" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Fix position dependent variable references in startup code\n\nThe early startup code executes from a 1:1 mapping of memory, which\ndiffers from the mapping that the code was linked and/or relocated to\nrun at. The latter mapping is not active yet at this point, and so\nsymbol references that rely on it will fault.\n\nGiven that the core kernel is built without -fPIC, symbol references are\ntypically emitted as absolute, and so any such references occuring in\nthe early startup code will therefore crash the kernel.\n\nWhile an attempt was made to work around this for the early SEV/SME\nstartup code, by forcing RIP-relative addressing for certain global\nSEV/SME variables via inline assembly (see snp_cpuid_get_table() for\nexample), RIP-relative addressing must be pervasively enforced for\nSEV/SME global variables when accessed prior to page table fixups.\n\n__startup_64() already handles this issue for select non-SEV/SME global\nvariables using fixup_pointer(), which adjusts the pointer relative to a\n`physaddr` argument. To avoid having to pass around this `physaddr`\nargument across all functions needing to apply pointer fixups, introduce\na macro RIP_RELATIVE_REF() which generates a RIP-relative reference to\na given global variable. It is used where necessary to force\nRIP-relative accesses to global variables.\n\nFor backporting purposes, this patch makes no attempt at cleaning up\nother occurrences of this pattern, involving either inline asm or\nfixup_pointer(). Those will be addressed later.\n\n [ bp: Call it \"rip_rel_ref\" everywhere like other code shortens\n \"rIP-relative reference\" and make the asm wrapper __always_inline. ]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35802", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35802" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/87632bc9ecff5ded93433bc0fca428019bdd1cfe" + }, + { + "url": "https://git.kernel.org/stable/c/4ef9ad19e17676b9ef071309bc62020e2373705d" + }, + { + "url": "https://git.kernel.org/stable/c/7432376c913381c5f24d373a87ff629bbde94b47" + }, + { + "url": "https://git.kernel.org/linus/4ef9ad19e17676b9ef071309bc62020e2373705d(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26621" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024149" + } + ], + "bom-ref": "vuln-574", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26621" + } + } + ], + "created": "2024-03-02T22:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: don't force huge page alignment on 32 bit\n\ncommit efa7df3e3bb5 (\"mm: align larger anonymous mappings on THP\nboundaries\") caused two issues [1] [2] reported on 32 bit system or compat\nuserspace.\n\nIt doesn't make too much sense to force huge page alignment on 32 bit\nsystem due to the constrained virtual address space.\n\n[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/\n[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26621", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26621" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6" + }, + { + "url": "https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b" + }, + { + "url": "https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc" + }, + { + "url": "https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525" + }, + { + "url": "https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5" + }, + { + "url": "https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35896" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/0c83842df40f86e529db6842231154772c20edcc(6.9-rc3)" + } + ], + "bom-ref": "vuln-575", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35896" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n \n\nAllocated by task 7238:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:4069 [inline]\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n kmalloc_noprof include/linux/slab.h:664 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35896", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35896" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b" + }, + { + "url": "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c" + }, + { + "url": "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e" + }, + { + "url": "https://git.kernel.org/linus/37801a36b4d68892ce807264f784d818f8d0d39b(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35904" + } + ], + "bom-ref": "vuln-576", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35904" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35904", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35904" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9" + }, + { + "url": "https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912" + }, + { + "url": "https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e" + }, + { + "url": "https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b" + }, + { + "url": "https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645" + }, + { + "url": "https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b" + }, + { + "url": "https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28" + }, + { + "url": "https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35933" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b79e040910101b020931ba0c9a6b77e81ab7f645(6.9-rc1)" + } + ], + "bom-ref": "vuln-577", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35933" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35933", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35933" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1c6d19c8cbf6abcea2c8fca2db26abca2cbf0363" + }, + { + "url": "https://git.kernel.org/stable/c/359f220d0e753bba840eac19ffedcdc816b532f2" + }, + { + "url": "https://git.kernel.org/stable/c/95a0d596bbd0552a78e13ced43f2be1038883c81" + }, + { + "url": "https://git.kernel.org/stable/c/b90126c86d83912688501826643ea698f0df1728" + }, + { + "url": "https://git.kernel.org/stable/c/3db312e06851996e7fb27cb5a8ccab4c0f9cdb93" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/95a0d596bbd0552a78e13ced43f2be1038883c81(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52643" + } + ], + "bom-ref": "vuln-578", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52643" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix memleak in iio_device_register_sysfs\n\nWhen iio_device_register_sysfs_group() fails, we should\nfree iio_dev_opaque->chan_attr_group.attrs to prevent\npotential memleak.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52643", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52643" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12" + }, + { + "url": "https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1" + }, + { + "url": "https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887" + }, + { + "url": "https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2e7d3b67630dfd8f178c41fa2217aa00e79a5887(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26680" + } + ], + "bom-ref": "vuln-579", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26680" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26680", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26680" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c" + }, + { + "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f" + }, + { + "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5" + }, + { + "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33" + }, + { + "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26737" + }, + { + "url": "https://git.kernel.org/linus/0281b919e175bb9c3128bd3872ac2903e9436e3f(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-580", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26737" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead a UAF on the timer->timer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer->time;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer->timer;\n\t\t\t\t\t\ttimer->timer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(&t->timer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(&t->timer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer->timer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer->timer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer->timer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer->timer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t->flag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer->timer after\na rcu grace period.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26737", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26737" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d" + }, + { + "url": "https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6" + }, + { + "url": "https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3" + }, + { + "url": "https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe" + }, + { + "url": "https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb" + }, + { + "url": "https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3" + }, + { + "url": "https://git.kernel.org/linus/6c6064cbe58b43533e3451ad6a8ba9736c109ac3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35817" + } + ], + "bom-ref": "vuln-581", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35817" + } + } + ], + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35817", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35817" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0" + }, + { + "url": "https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58" + }, + { + "url": "https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67" + }, + { + "url": "https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c" + }, + { + "url": "https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27032" + }, + { + "url": "https://git.kernel.org/linus/21ec68234826b1b54ab980a8df6e33c74cfbee58(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-582", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27032" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27032", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27032" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178" + }, + { + "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93" + }, + { + "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249" + }, + { + "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014" + }, + { + "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5" + }, + { + "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53" + }, + { + "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546" + }, + { + "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27398" + }, + { + "url": "https://git.kernel.org/linus/483bc08181827fc475643272ffb69c533007e546(6.9)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-583", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27398" + } + } + ], + "created": "2024-05-14T15:12:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/64c6a38136b74a2f18c42199830975edd9fbc379" + }, + { + "url": "https://git.kernel.org/stable/c/3f8445f1c746fda180a7f75372ed06b24e9cefe2" + }, + { + "url": "https://git.kernel.org/stable/c/2cc572e0085ebd4b662b74a0f43222bc00df9a00" + }, + { + "url": "https://git.kernel.org/stable/c/d575765b1b62e8bdb00af11caa1aabeb01763d9f" + }, + { + "url": "https://git.kernel.org/stable/c/95d1f1228c1bb54803ae57525b76db60e99b37e4" + }, + { + "url": "https://git.kernel.org/stable/c/e0b0d1c46a2ce1e46b79d004a7270fdef872e097" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27039" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/64c6a38136b74a2f18c42199830975edd9fbc379(6.9-rc1)" + } + ], + "bom-ref": "vuln-584", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27039" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: hisilicon: hi3559a: Fix an erroneous devm_kfree()\n\n'p_clk' is an array allocated just before the for loop for all clk that\nneed to be registered.\nIt is incremented at each loop iteration.\n\nIf a clk_register() call fails, 'p_clk' may point to something different\nfrom what should be freed.\n\nThe best we can do, is to avoid this wrong release of memory.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27039" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1" + }, + { + "url": "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5" + }, + { + "url": "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb" + }, + { + "url": "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35864" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/705c76fbf726c7a2f6ff9143d4013b18daaaebf1(6.9-rc3)" + } + ], + "bom-ref": "vuln-585", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35864" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35864" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/810fa7d5e5202fcfb22720304b755f1bdfd4c174" + }, + { + "url": "https://git.kernel.org/stable/c/33a1b6bfef6def2068c8703403759024ce17053e" + }, + { + "url": "https://git.kernel.org/stable/c/10bfd453da64a057bcfd1a49fb6b271c48653cdb" + }, + { + "url": "https://git.kernel.org/stable/c/9d4ffb5b9d879a75e4f7460e8b10e756b4dfb132" + }, + { + "url": "https://git.kernel.org/stable/c/1b0998fdd85776775d975d0024bca227597e836a" + }, + { + "url": "https://git.kernel.org/stable/c/44112bc5c74e64f28f5a9127dc34066c7a09bd0f" + }, + { + "url": "https://git.kernel.org/stable/c/8a54834c03c30e549c33d5da0975f3e1454ec906" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/10bfd453da64a057bcfd1a49fb6b271c48653cdb(6.8-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27417" + } + ], + "bom-ref": "vuln-586", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27417" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()\n\nIt seems that if userspace provides a correct IFA_TARGET_NETNSID value\nbut no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()\nreturns -EINVAL with an elevated \"struct net\" refcount.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27417", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27417" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7d5a7dd5a35876f0ecc286f3602a88887a788217" + }, + { + "url": "https://git.kernel.org/stable/c/beaf0e7996b79e06ccc2bdcb4442fbaeccc31200" + }, + { + "url": "https://git.kernel.org/stable/c/b4fdb3c197e35f655b2d9b6759ce29440eacdfda" + }, + { + "url": "https://git.kernel.org/stable/c/2e22c9cb618716b8e557fe17c3d4958171288082" + }, + { + "url": "https://git.kernel.org/linus/7d5a7dd5a35876f0ecc286f3602a88887a788217(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35909" + } + ], + "bom-ref": "vuln-587", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35909" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Split 64bit accesses to fix alignment issues\n\nSome of the registers are aligned on a 32bit boundary, causing\nalignment faults on 64bit platforms.\n\n Unable to handle kernel paging request at virtual address ffffffc084a1d004\n Mem abort info:\n ESR = 0x0000000096000061\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x21: alignment fault\n Data abort info:\n ISV = 0, ISS = 0x00000061, ISS2 = 0x00000000\n CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000046ad6000\n [ffffffc084a1d004] pgd=100000013ffff003, p4d=100000013ffff003, pud=100000013ffff003, pmd=0068000020a00711\n Internal error: Oops: 0000000096000061 [#1] SMP\n Modules linked in: mtk_t7xx(+) qcserial pppoe ppp_async option nft_fib_inet nf_flow_table_inet mt7921u(O) mt7921s(O) mt7921e(O) mt7921_common(O) iwlmvm(O) iwldvm(O) usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt7996e(O) mt792x_usb(O) mt792x_lib(O) mt7915e(O) mt76_usb(O) mt76_sdio(O) mt76_connac_lib(O) mt76(O) mac80211(O) iwlwifi(O) huawei_cdc_ncm cfg80211(O) cdc_ncm cdc_ether wwan usbserial usbnet slhc sfp rtc_pcf8563 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mt6577_auxadc mdio_i2c libcrc32c compat(O) cdc_wdm cdc_acm at24 crypto_safexcel pwm_fan i2c_gpio i2c_smbus industrialio i2c_algo_bit i2c_mux_reg i2c_mux_pca954x i2c_mux_pca9541 i2c_mux_gpio i2c_mux dummy oid_registry tun sha512_arm64 sha1_ce sha1_generic seqiv\n md5 geniv des_generic libdes cbc authencesn authenc leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd nvme nvme_core gpio_button_hotplug(O) dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax usbcore usb_common ptp aquantia pps_core mii tpm encrypted_keys trusted\n CPU: 3 PID: 5266 Comm: kworker/u9:1 Tainted: G O 6.6.22 #0\n Hardware name: Bananapi BPI-R4 (DT)\n Workqueue: md_hk_wq t7xx_fsm_uninit [mtk_t7xx]\n pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx]\n lr : t7xx_cldma_start+0xac/0x13c [mtk_t7xx]\n sp : ffffffc085d63d30\n x29: ffffffc085d63d30 x28: 0000000000000000 x27: 0000000000000000\n x26: 0000000000000000 x25: ffffff80c804f2c0 x24: ffffff80ca196c05\n x23: 0000000000000000 x22: ffffff80c814b9b8 x21: ffffff80c814b128\n x20: 0000000000000001 x19: ffffff80c814b080 x18: 0000000000000014\n x17: 0000000055c9806b x16: 000000007c5296d0 x15: 000000000f6bca68\n x14: 00000000dbdbdce4 x13: 000000001aeaf72a x12: 0000000000000001\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : ffffff80ca1ef6b4 x7 : ffffff80c814b818 x6 : 0000000000000018\n x5 : 0000000000000870 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 000000010a947000 x1 : ffffffc084a1d004 x0 : ffffffc084a1d004\n Call trace:\n t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx]\n t7xx_fsm_uninit+0x578/0x5ec [mtk_t7xx]\n process_one_work+0x154/0x2a0\n worker_thread+0x2ac/0x488\n kthread+0xe0/0xec\n ret_from_fork+0x10/0x20\n Code: f9400800 91001000 8b214001 d50332bf (f9000022)\n ---[ end trace 0000000000000000 ]---\n\nThe inclusion of io-64-nonatomic-lo-hi.h indicates that all 64bit\naccesses can be replaced by pairs of nonatomic 32bit access. Fix\nalignment by forcing all accesses to be 32bit on 64bit platforms.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35909", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35909" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea" + }, + { + "url": "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4" + }, + { + "url": "https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a" + }, + { + "url": "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034" + }, + { + "url": "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8" + }, + { + "url": "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9" + }, + { + "url": "https://git.kernel.org/linus/46dad3c1e57897ab9228332f03e1c14798d2d3b9(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26988" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-588", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26988" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26988", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26988" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb" + }, + { + "url": "https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4" + }, + { + "url": "https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518" + }, + { + "url": "https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827" + }, + { + "url": "https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78" + }, + { + "url": "https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927" + }, + { + "url": "https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362" + }, + { + "url": "https://git.kernel.org/linus/1bc83a019bbe268be3526406245ec28c2458a518(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35897" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-589", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35897" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35897", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35897" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef" + }, + { + "url": "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729" + }, + { + "url": "https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3" + }, + { + "url": "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907" + }, + { + "url": "https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce" + }, + { + "url": "https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928" + }, + { + "url": "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7" + }, + { + "url": "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26999" + }, + { + "url": "https://git.kernel.org/linus/1be3226445362bfbf461c92a5bcdb1723f2e4907(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-590", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26999" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26999", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26999" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566" + }, + { + "url": "https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e" + }, + { + "url": "https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f" + }, + { + "url": "https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3" + }, + { + "url": "https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f" + }, + { + "url": "https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310" + }, + { + "url": "https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3" + }, + { + "url": "https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e" + }, + { + "url": "https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35821" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/723012cab779eee8228376754e22c6594229bf8f(6.9-rc1)" + } + ], + "bom-ref": "vuln-591", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35821" + } + } + ], + "created": "2024-05-17T14:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35821", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35821" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce" + }, + { + "url": "https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97" + }, + { + "url": "https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35860" + }, + { + "url": "https://git.kernel.org/linus/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce(6.9-rc3)" + } + ], + "bom-ref": "vuln-592", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35860" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support deferring bpf_link dealloc to after RCU grace period\n\nBPF link for some program types is passed as a \"context\" which can be\nused by those BPF programs to look up additional information. E.g., for\nmulti-kprobes and multi-uprobes, link is used to fetch BPF cookie values.\n\nBecause of this runtime dependency, when bpf_link refcnt drops to zero\nthere could still be active BPF programs running accessing link data.\n\nThis patch adds generic support to defer bpf_link dealloc callback to\nafter RCU GP, if requested. This is done by exposing two different\ndeallocation callbacks, one synchronous and one deferred. If deferred\none is provided, bpf_link_free() will schedule dealloc_deferred()\ncallback to happen after RCU GP.\n\nBPF is using two flavors of RCU: \"classic\" non-sleepable one and RCU\ntasks trace one. The latter is used when sleepable BPF programs are\nused. bpf_link_free() accommodates that by checking underlying BPF\nprogram's sleepable flag, and goes either through normal RCU GP only for\nnon-sleepable, or through RCU tasks trace GP *and* then normal RCU GP\n(taking into account rcu_trace_implies_rcu_gp() optimization), if BPF\nprogram is sleepable.\n\nWe use this for multi-kprobe and multi-uprobe links, which dereference\nlink during program run. We also preventively switch raw_tp link to use\ndeferred dealloc callback, as upcoming changes in bpf-next tree expose\nraw_tp link data (specifically, cookie value) to BPF program at runtime\nas well.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35860", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35860" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/93f0f4e846fcb682c3ec436e3b2e30e5a3a8ee6a" + }, + { + "url": "https://git.kernel.org/stable/c/f0da068c75c20ffc5ba28243ff577531dc2af1fd" + }, + { + "url": "https://git.kernel.org/stable/c/3a7753bda55985dc26fae17795cb10d825453ad1" + }, + { + "url": "https://git.kernel.org/stable/c/4e440abc894585a34c2904a32cd54af1742311b3" + }, + { + "url": "https://git.kernel.org/stable/c/a16afec8e83c56b14a4a73d2e3fb8eec3a8a057e" + }, + { + "url": "https://git.kernel.org/stable/c/1eb74c00c9c3b13cb65e508c5d5a2f11afb96b8b" + }, + { + "url": "https://git.kernel.org/stable/c/9bce69419271eb8b2b3ab467387cb59c99d80deb" + }, + { + "url": "https://git.kernel.org/stable/c/853a6503c586a71abf27e60a7f8c4fb28092976d" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26664" + }, + { + "url": "https://git.kernel.org/linus/4e440abc894585a34c2904a32cd54af1742311b3(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-593", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26664" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Fix out-of-bounds memory access\n\nFix a bug that pdata->cpu_map[] is set before out-of-bounds check.\nThe problem might be triggered on systems with more than 128 cores per\npackage.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26664", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26664" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69" + }, + { + "url": "https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d" + }, + { + "url": "https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69" + }, + { + "url": "https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8" + }, + { + "url": "https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1" + }, + { + "url": "https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103" + }, + { + "url": "https://git.kernel.org/linus/ecc6a2101840177e57c925c102d2d29f260d37c8(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35905" + } + ], + "bom-ref": "vuln-594", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35905" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35905", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35905" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd" + }, + { + "url": "https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf" + }, + { + "url": "https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b" + }, + { + "url": "https://git.kernel.org/linus/b0ad381fa7690244802aed119b478b4bdafc31dd(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35784" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-595", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35784" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting. Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed. This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap. This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc. Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35784", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35784" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3" + }, + { + "url": "https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279" + }, + { + "url": "https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500" + }, + { + "url": "https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6" + }, + { + "url": "https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24" + }, + { + "url": "https://git.kernel.org/linus/2a750d6a5b365265dbda33330a6188547ddb5c24(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26865" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-596", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26865" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\n\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\n\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\n\n 18:26:22 executing program 1:\n r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n ...\n connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\n\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\n\nSo, the scenario would be:\n\n 1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n rds_tcp_listen_init().\n 2. syz-executor connect()s to it and creates a reqsk.\n 3. syz-executor exit()s immediately.\n 4. netns is dismantled. [0]\n 5. reqsk timer is fired, and UAF happens while freeing reqsk. [1]\n 6. listener is freed after RCU grace period. [2]\n\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\n\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\n\nLet's apply the same fix for the global ehash.\n\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n __sock_create (net/socket.c:1572)\n rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n rds_tcp_init_net (net/rds/tcp.c:577)\n ops_init (net/core/net_namespace.c:137)\n setup_net (net/core/net_namespace.c:340)\n copy_net_ns (net/core/net_namespace.c:497)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n ksys_unshare (kernel/fork.c:3429)\n __x64_sys_unshare (kernel/fork.c:3496)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\n\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n \n\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26865", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26865" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b" + }, + { + "url": "https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa" + }, + { + "url": "https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-597", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix delete_endpoint() vs parent unregistration race\n\nThe CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of\nports (struct cxl_port objects) between an endpoint and the root of a\nCXL topology. Each port including the endpoint port is attached to the\ncxl_port driver.\n\nGiven that setup, it follows that when either any port in that lineage\ngoes through a cxl_port ->remove() event, or the memdev goes through a\ncxl_mem ->remove() event. The hierarchy below the removed port, or the\nentire hierarchy if the memdev is removed needs to come down.\n\nThe delete_endpoint() callback is careful to check whether it is being\ncalled to tear down the hierarchy, or if it is only being called to\nteardown the memdev because an ancestor port is going through\n->remove().\n\nThat care needs to take the device_lock() of the endpoint's parent.\nWhich requires 2 bugs to be fixed:\n\n1/ A reference on the parent is needed to prevent use-after-free\n scenarios like this signature:\n\n BUG: spinlock bad magic on CPU#0, kworker/u56:0/11\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023\n Workqueue: cxl_port detach_memdev [cxl_core]\n RIP: 0010:spin_bug+0x65/0xa0\n Call Trace:\n do_raw_spin_lock+0x69/0xa0\n __mutex_lock+0x695/0xb80\n delete_endpoint+0xad/0x150 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n detach_memdev+0x15/0x20 [cxl_core]\n process_one_work+0x1e3/0x4c0\n worker_thread+0x1dd/0x3d0\n\n2/ In the case of RCH topologies, the parent device that needs to be\n locked is not always @port->dev as returned by cxl_mem_find_port(), use\n endpoint->dev.parent instead.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52771", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52771" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb5466783793e66272624cf71925ae1d1ba32083" + }, + { + "url": "https://git.kernel.org/stable/c/8b218e2f0a27a9f09428b1847b4580640b9d1e58" + }, + { + "url": "https://git.kernel.org/stable/c/38e921616320d159336b0ffadb09e9fb4945c7c3" + }, + { + "url": "https://git.kernel.org/stable/c/9cac69912052a4def571fedf1cb9bb4ec590e25a" + }, + { + "url": "https://git.kernel.org/stable/c/94965be37add0983672e48ecb33cdbda92b62579" + }, + { + "url": "https://git.kernel.org/stable/c/037d5a949b0455540ef9aab34c10ddf54b65d285" + }, + { + "url": "https://git.kernel.org/stable/c/43eccc5823732ba6daab2511ed32dfc545a666d8" + }, + { + "url": "https://git.kernel.org/stable/c/e21a2f17566cbd64926fb8f16323972f7a064444" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26840" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e21a2f17566cbd64926fb8f16323972f7a064444(6.8-rc6)" + } + ], + "bom-ref": "vuln-598", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26840" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix memory leak in cachefiles_add_cache()\n\nThe following memory leak was reported after unbinding /dev/cachefiles:\n\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n comm \"cachefilesd2\", pid 680, jiffies 4294881224\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc ea38a44b):\n [] kmem_cache_alloc+0x2d5/0x370\n [] prepare_creds+0x26/0x2e0\n [] cachefiles_determine_cache_security+0x1f/0x120\n [] cachefiles_add_cache+0x13c/0x3a0\n [] cachefiles_daemon_write+0x146/0x1c0\n [] vfs_write+0xcb/0x520\n [] ksys_write+0x69/0xf0\n [] do_syscall_64+0x72/0x140\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\n\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26840", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26840" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/all/20231222161317.6255-1-2045gemini@gmail.com/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24858" + } + ], + "bom-ref": "vuln-599", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24858" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-24858", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:06:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7" + }, + { + "url": "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc" + }, + { + "url": "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff" + }, + { + "url": "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26947" + }, + { + "url": "https://git.kernel.org/linus/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-600", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26947" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26947", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26947" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/00aab7dcb2267f2aef59447602f34501efe1a07f" + }, + { + "url": "https://git.kernel.org/stable/c/62f5d219edbd174829aa18d4b3d97cd5fefbb783" + }, + { + "url": "https://git.kernel.org/stable/c/4cad91344a62536a2949873bad6365fbb6232776" + }, + { + "url": "https://git.kernel.org/stable/c/e28d6b63aeecbda450935fb58db0e682ea8212d3" + }, + { + "url": "https://git.kernel.org/stable/c/d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/00aab7dcb2267f2aef59447602f34501efe1a07f(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26717" + } + ], + "bom-ref": "vuln-601", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26717" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid-of: fix NULL-deref on failed power up\n\nA while back the I2C HID implementation was split in an ACPI and OF\npart, but the new OF driver never initialises the client pointer which\nis dereferenced on power-up failures.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26717", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26717" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6915b1b28fe57e92c78e664366dc61c4f15ff03b" + }, + { + "url": "https://git.kernel.org/stable/c/343041b59b7810f9cdca371f445dd43b35c740b1" + }, + { + "url": "https://git.kernel.org/stable/c/860e838fb089d652a446ced52cbdf051285b68e7" + }, + { + "url": "https://git.kernel.org/stable/c/bd2474a45df7c11412c2587de3d4e43760531418" + }, + { + "url": "https://git.kernel.org/stable/c/9b720bb1a69a9f12a4a5c86b6f89386fe05ed0f2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26815" + }, + { + "url": "https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-602", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26815" + } + } + ], + "created": "2024-04-10T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check\n\ntaprio_parse_tc_entry() is not correctly checking\nTCA_TAPRIO_TC_ENTRY_INDEX attribute:\n\n\tint tc; // Signed value\n\n\ttc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);\n\tif (tc >= TC_QOPT_MAX_QUEUE) {\n\t\tNL_SET_ERR_MSG_MOD(extack, \"TC entry index out of range\");\n\t\treturn -ERANGE;\n\t}\n\nsyzbot reported that it could fed arbitary negative values:\n\nUBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18\nshift exponent -2147418108 is negative\nCPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386\n taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]\n taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]\n taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877\n taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134\n qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355\n tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f1b2dea3759\nCode: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004\nRBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340\nR13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26815", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26815" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-10T13:23:38Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272" + }, + { + "url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325" + }, + { + "url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981" + }, + { + "url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727" + }, + { + "url": "https://git.kernel.org/linus/18685451fc4e546fc0e718580d32df3c0e5c8272(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26921" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-603", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26921" + } + } + ], + "created": "2024-04-18T10:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26921", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26921" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-18T13:04:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f83b9abee9faa4868a6fac4669b86f4c215dae25" + }, + { + "url": "https://git.kernel.org/stable/c/475426ad1ae0bfdfd8f160ed9750903799392438" + }, + { + "url": "https://git.kernel.org/stable/c/339ddc983bc1622341d95f244c361cda3da3a4ff" + }, + { + "url": "https://git.kernel.org/stable/c/c41336f4d69057cbf88fed47951379b384540df5" + }, + { + "url": "https://git.kernel.org/stable/c/3cd1d92ee1dbf3e8f988767eb75f26207397792b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52645" + }, + { + "url": "https://git.kernel.org/linus/c41336f4d69057cbf88fed47951379b384540df5(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-604", + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52645" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52645" + } + } + ], + "created": "2024-04-17T16:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: mediatek: fix race conditions with genpd\n\nIf the power domains are registered first with genpd and *after that*\nthe driver attempts to power them on in the probe sequence, then it is\npossible that a race condition occurs if genpd tries to power them on\nin the same time.\nThe same is valid for powering them off before unregistering them\nfrom genpd.\nAttempt to fix race conditions by first removing the domains from genpd\nand *after that* powering down domains.\nAlso first power up the domains and *after that* register them\nto genpd.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52645", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52645" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:13:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b" + }, + { + "url": "https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d" + }, + { + "url": "https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520" + }, + { + "url": "https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f" + }, + { + "url": "https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26798" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-605", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26798" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It's rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n BUG: unable to handle page fault for address: fffffffffffffff8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n Call Trace:\n \n con_font_get drivers/tty/vt/vt.c:4558 [inline]\n con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n vfs_ioctl fs/ioctl.c:51 [inline]\n ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater 'if' is now protected by 'old_userfont' and not 'old_data' as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26798", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26798" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cdbe0be8874c63bca85b8c38e5b1eecbdd18df31" + }, + { + "url": "https://git.kernel.org/stable/c/faf51b201bc42adf500945732abb6220c707d6f3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26913" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/faf51b201bc42adf500945732abb6220c707d6f3(6.8-rc3)" + } + ], + "bom-ref": "vuln-606", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26913" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue\n\n[why]\nodm calculation is missing for pipe split policy determination\nand cause Underflow/Corruption issue.\n\n[how]\nAdd the odm calculation.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26913", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913" + }, + "cwes": [ + 191 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:29:54Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f6723d8dbfdc10c784a56748f86a9a3cd410dbd5" + }, + { + "url": "https://git.kernel.org/stable/c/5c03387021cfa3336b97e0dcba38029917a8af2a" + }, + { + "url": "https://git.kernel.org/stable/c/ca914f1cdee8a85799942c9b0ce5015bbd6844e1" + }, + { + "url": "https://git.kernel.org/stable/c/77fd5294ea09b21f6772ac954a121b87323cec80" + }, + { + "url": "https://git.kernel.org/stable/c/ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b" + }, + { + "url": "https://git.kernel.org/stable/c/b0ec2abf98267f14d032102551581c833b0659d3" + }, + { + "url": "https://git.kernel.org/stable/c/c4c857723b37c20651300b3de4ff25059848b4b0" + }, + { + "url": "https://git.kernel.org/stable/c/60044ab84836359534bd7153b92e9c1584140e4a" + }, + { + "url": "https://git.kernel.org/linus/b0ec2abf98267f14d032102551581c833b0659d3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26882" + } + ], + "bom-ref": "vuln-607", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26882" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26882" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()\n\nApply the same fix than ones found in :\n\n8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389\n ipgre_rcv net/ipv4/ip_gre.c:411 [inline]\n gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447\n gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163\n ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:461 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n netif_receive_skb_internal net/core/dev.c:5734 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5793\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556\n tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n call_write_iter include/linux/fs.h:2087 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb6b/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133\n alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204\n skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909\n tun_build_skb drivers/net/tun.c:1686 [inline]\n tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n call_write_iter include/linux/fs.h:2087 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb6b/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26882", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26882" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:38:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a" + }, + { + "url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39" + }, + { + "url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e" + }, + { + "url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d" + }, + { + "url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e" + }, + { + "url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b" + }, + { + "url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a" + }, + { + "url": "https://git.kernel.org/linus/82b1c07a0af603e3c47b906c8e991dc96f01688e(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26960" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-608", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26960" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26960", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-609", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-131" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-131", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647" + }, + { + "url": "https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c" + }, + { + "url": "https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207" + }, + { + "url": "https://git.kernel.org/linus/3bb9b1f958c3d986ed90a3ff009f1e77e9553207(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26647" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-610", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26647" + } + } + ], + "created": "2024-03-26T18:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26647", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26647" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a5d9b1aa61b401867b9066d54086b3e4ee91f8ed" + }, + { + "url": "https://git.kernel.org/stable/c/a8b2b26fdd011ebe36d68a9a321ca45801685959" + }, + { + "url": "https://git.kernel.org/stable/c/d7ae7d1265686b55832a445b1db8cdd69738ac07" + }, + { + "url": "https://git.kernel.org/stable/c/c554badcae9c45b737a22d23454170c6020b90e6" + }, + { + "url": "https://git.kernel.org/stable/c/e97fe4901e0f59a0bfd524578fe3768f8ca42428" + }, + { + "url": "https://git.kernel.org/stable/c/0efb9ef6fb95384ba631d6819e66f10392aabfa2" + }, + { + "url": "https://git.kernel.org/stable/c/239174535dba11f7b83de0eaaa27909024f8c185" + }, + { + "url": "https://git.kernel.org/stable/c/6f073b24a9e2becd25ac4505a9780a87e621bb51" + }, + { + "url": "https://git.kernel.org/linus/e97fe4901e0f59a0bfd524578fe3768f8ca42428(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27038" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-611", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27038" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_core_get NULL dereference\n\nIt is possible for clk_core_get to dereference a NULL in the following\nsequence:\n\nclk_core_get()\n of_clk_get_hw_from_clkspec()\n __of_clk_get_hw_from_provider()\n __clk_get_hw()\n\n__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at\nhw->core.\n\nPrior to commit dde4eff47c82 (\"clk: Look for parents with clkdev based\nclk_lookups\") the check IS_ERR_OR_NULL() was performed which would have\ncaught the NULL.\n\nReading the description of this function it talks about returning NULL but\nthat cannot be so at the moment.\n\nUpdate the function to check for hw before dereferencing it and return NULL\nif hw is NULL.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27038", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27038" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32004" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-32004" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-612", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32004" + } + } + ], + "created": "2024-05-14T19:15:11Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.", + "affects": [ + { + "ref": "comp-113" + } + ], + "id": "CVE-2024-32004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32004" + }, + "cwes": [ + 114 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-14T19:17:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/" + }, + { + "url": "https://security.gentoo.org/glsa/202312-17" + }, + { + "url": "https://security.gentoo.org/glsa/202312-16" + }, + { + "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html" + }, + { + "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" + }, + { + "url": "https://support.apple.com/kb/HT214084" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/" + }, + { + "url": "https://access.redhat.com/security/cve/cve-2023-48795" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html" + }, + { + "url": "https://filezilla-project.org/versions.php" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" + }, + { + "url": "https://www.openssh.com/openbsd.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/" + }, + { + "url": "https://www.paramiko.org/changelog.html" + }, + { + "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" + }, + { + "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/" + }, + { + "url": "https://ubuntu.com/security/CVE-2023-48795" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5588" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5586" + }, + { + "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/" + }, + { + "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" + }, + { + "url": "https://www.openssh.com/txt/release-9.6" + }, + { + "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" + }, + { + "url": "https://crates.io/crates/thrussh/versions" + }, + { + "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" + }, + { + "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" + }, + { + "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" + }, + { + "url": "https://bugs.gentoo.org/920280" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" + }, + { + "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1192" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1150" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1194" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1193" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1196" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1130" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1898.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1197" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0954" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0538" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-462.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6560-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6561-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6560-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0594" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2024:1136" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6585-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2376.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0499" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7198" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0455" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6589-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6738-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7197" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-48795" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0625" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059001" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1859" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0429" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0628" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0606" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-468.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0880" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1210" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1675" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1674" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7201" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2024:1127" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1677" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1676" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6598-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0843" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1557" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0766" + } + ], + "bom-ref": "vuln-613", + "references": [ + { + "id": "GHSA-45x7-px36-x8w8", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" + } + } + ], + "created": "2023-12-18T16:15:10Z", + "description": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", + "affects": [ + { + "ref": "comp-297" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795" + }, + "cwes": [ + 354 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "none", + "score": 0.96225, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48795" + } + }, + { + "severity": "medium", + "score": 5.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795" + } + } + ], + "id": "CVE-2023-48795", + "updated": "2024-05-01T18:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:41:21Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-297", + "value": "0.17.0" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484" + }, + { + "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000" + }, + { + "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6" + }, + { + "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55" + }, + { + "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d" + }, + { + "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058" + }, + { + "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c" + }, + { + "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca" + }, + { + "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26957" + }, + { + "url": "https://git.kernel.org/linus/50ed48c80fecbe17218afed4f8bed005c802976c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-614", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26957" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n kernel: kmalloc_trace+0x3f2/0x470\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n kernel: ap_device_probe+0x15c/0x290\n kernel: really_probe+0xd2/0x468\n kernel: driver_probe_device+0x40/0xf0\n kernel: __device_attach_driver+0xc0/0x140\n kernel: bus_for_each_drv+0x8c/0xd0\n kernel: __device_attach+0x114/0x198\n kernel: bus_probe_device+0xb4/0xc8\n kernel: device_add+0x4d2/0x6e0\n kernel: ap_scan_adapter+0x3d0/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n kernel: kfree+0x37e/0x418\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\n kernel: ap_device_remove+0x4c/0xe0\n kernel: device_release_driver_internal+0x1c4/0x270\n kernel: bus_remove_device+0x100/0x188\n kernel: device_del+0x164/0x3c0\n kernel: device_unregister+0x30/0x90\n kernel: ap_scan_adapter+0xc8/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: kthread+0x150/0x168\n kernel: __ret_from_fork+0x3c/0x58\n kernel: ret_from_fork+0xa/0x30\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n kernel: Call Trace:\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n kernel: \n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26957", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26957" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3ede8e94de6b834b48b0643385e66363e7a04be9" + }, + { + "url": "https://git.kernel.org/stable/c/9f599ba3b9cc4bdb8ec1e3f0feddd41bf9d296d6" + }, + { + "url": "https://git.kernel.org/stable/c/34b567868777e9fd39ec5333969728a7f0cf179c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26902" + }, + { + "url": "https://git.kernel.org/linus/34b567868777e9fd39ec5333969728a7f0cf179c(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-615", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26902" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26902" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISCV: Fix panic on pmu overflow handler\n\n(1 << idx) of int is not desired when setting bits in unsigned long\noverflowed_ctrs, use BIT() instead. This panic happens when running\n'perf record -e branches' on sophgo sg2042.\n\n[ 273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098\n[ 273.320851] Oops [#1]\n[ 273.323179] Modules linked in:\n[ 273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9\n[ 273.332521] Hardware name: Sophgo Mango (DT)\n[ 273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62\n[ 273.342291] ra : pmu_sbi_ovf_handler+0x2e0/0x34e\n[ 273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0\n[ 273.354454] gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978\n[ 273.361815] t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70\n[ 273.369180] s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000\n[ 273.376540] a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015\n[ 273.383901] a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a\n[ 273.391327] s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0\n[ 273.398773] s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210\n[ 273.406139] s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098\n[ 273.413660] s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca\n[ 273.421022] t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8\n[ 273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d\n[ 273.434512] [] riscv_pmu_ctr_get_width_mask+0x8/0x62\n[ 273.441169] [] handle_percpu_devid_irq+0x98/0x1ee\n[ 273.447562] [] generic_handle_domain_irq+0x28/0x36\n[ 273.454151] [] riscv_intc_irq+0x36/0x4e\n[ 273.459659] [] handle_riscv_irq+0x4a/0x74\n[ 273.465442] [] do_irq+0x62/0x92\n[ 273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783\n[ 273.477921] ---[ end trace 0000000000000000 ]---\n[ 273.482630] Kernel panic - not syncing: Fatal exception in interrupt", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26902", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26902" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:40:05Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a" + }, + { + "url": "https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670" + }, + { + "url": "https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-616", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52812", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52812" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e" + }, + { + "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582" + }, + { + "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc" + }, + { + "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c" + }, + { + "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85" + }, + { + "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26782" + } + ], + "bom-ref": "vuln-617", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26782" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n Free of addr ffff888485950880 by task swapper/25/0\n\n CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013\n Call Trace:\n \n dump_stack_lvl+0x32/0x50\n print_report+0xca/0x620\n kasan_report_invalid_free+0x64/0x90\n __kasan_slab_free+0x1aa/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n rcu_do_batch+0x34e/0xd90\n rcu_core+0x559/0xac0\n __do_softirq+0x183/0x5a4\n irq_exit_rcu+0x12d/0x170\n sysvec_apic_timer_interrupt+0x6b/0x80\n \n \n asm_sysvec_apic_timer_interrupt+0x16/0x20\n RIP: 0010:cpuidle_enter_state+0x175/0x300\n Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n cpuidle_enter+0x4a/0xa0\n do_idle+0x310/0x410\n cpu_startup_entry+0x51/0x60\n start_secondary+0x211/0x270\n secondary_startup_64_no_verify+0x184/0x18b\n \n\n Allocated by task 6853:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n __kmalloc+0x1eb/0x450\n cipso_v4_sock_setattr+0x96/0x360\n netlbl_sock_setattr+0x132/0x1f0\n selinux_netlbl_socket_post_create+0x6c/0x110\n selinux_socket_post_create+0x37b/0x7f0\n security_socket_post_create+0x63/0xb0\n __sock_create+0x305/0x450\n __sys_socket_create.part.23+0xbd/0x130\n __sys_socket+0x37/0xb0\n __x64_sys_socket+0x6f/0xb0\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 6858:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x12c/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n subflow_ulp_release+0x1f0/0x250\n tcp_cleanup_ulp+0x6e/0x110\n tcp_v4_destroy_sock+0x5a/0x3a0\n inet_csk_destroy_sock+0x135/0x390\n tcp_fin+0x416/0x5c0\n tcp_data_queue+0x1bc8/0x4310\n tcp_rcv_state_process+0x15a3/0x47b0\n tcp_v4_do_rcv+0x2c1/0x990\n tcp_v4_rcv+0x41fb/0x5ed0\n ip_protocol_deliver_rcu+0x6d/0x9f0\n ip_local_deliver_finish+0x278/0x360\n ip_local_deliver+0x182/0x2c0\n ip_rcv+0xb5/0x1c0\n __netif_receive_skb_one_core+0x16e/0x1b0\n process_backlog+0x1e3/0x650\n __napi_poll+0xa6/0x500\n net_rx_action+0x740/0xbb0\n __do_softirq+0x183/0x5a4\n\n The buggy address belongs to the object at ffff888485950880\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes inside of\n 64-byte region [ffff888485950880, ffff8884859508c0)\n\n The buggy address belongs to the physical page:\n page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888485950780: fa fb fb\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26782", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26782" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a04410b0bc7e056e0843ac598825dd359246d18" + }, + { + "url": "https://git.kernel.org/stable/c/0671f42a9c1084db10d68ac347d08dbf6689ecb3" + }, + { + "url": "https://git.kernel.org/stable/c/2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7" + }, + { + "url": "https://git.kernel.org/stable/c/b988b1bb0053c0dcd26187d29ef07566a565cf55" + }, + { + "url": "https://git.kernel.org/stable/c/c87d7d910775a025e230fd6359b60627e392460f" + }, + { + "url": "https://git.kernel.org/stable/c/150a3a3871490e8c454ffbac2e60abeafcecff99" + }, + { + "url": "https://git.kernel.org/stable/c/732a3bea7aba5b15026ea42d14953c3425cc7dc2" + }, + { + "url": "https://git.kernel.org/stable/c/5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b988b1bb0053c0dcd26187d29ef07566a565cf55(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52597" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-618", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52597" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: fix setting of fpc register\n\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\n\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\n\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\n\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\n\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52597" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f" + }, + { + "url": "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685" + }, + { + "url": "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb" + }, + { + "url": "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921" + }, + { + "url": "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b" + }, + { + "url": "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc" + }, + { + "url": "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7" + }, + { + "url": "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e" + }, + { + "url": "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35789" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4f2bdb3c5e3189297e156b3ff84b140423d64685(6.9-rc2)" + } + ], + "bom-ref": "vuln-619", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35789" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35789", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35789" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/42442f74314d41ddc68227047036fa3e78940054" + }, + { + "url": "https://git.kernel.org/stable/c/a938eab9586eea31cfd129a507f552efae14d738" + }, + { + "url": "https://git.kernel.org/stable/c/efdd665ce1a1634b8c1dad5e7f6baaef3e131d0a" + }, + { + "url": "https://git.kernel.org/stable/c/58fca355ad37dcb5f785d9095db5f748b79c5dc2" + }, + { + "url": "https://git.kernel.org/stable/c/cd9bd10c59e3c1446680514fd3097c5b00d3712d" + }, + { + "url": "https://git.kernel.org/linus/58fca355ad37dcb5f785d9095db5f748b79c5dc2(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26660" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-620", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26660" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Implement bounds check for stream encoder creation in DCN301\n\n'stream_enc_regs' array is an array of dcn10_stream_enc_registers\nstructures. The array is initialized with four elements, corresponding\nto the four calls to stream_enc_regs() in the array initializer. This\nmeans that valid indices for this array are 0, 1, 2, and 3.\n\nThe error message 'stream_enc_regs' 4 <= 5 below, is indicating that\nthere is an attempt to access this array with an index of 5, which is\nout of bounds. This could lead to undefined behavior\n\nHere, eng_id is used as an index to access the stream_enc_regs array. If\neng_id is 5, this would result in an out-of-bounds access on the\nstream_enc_regs array.\n\nThus fixing Buffer overflow error in dcn301_stream_encoder_create\nreported by Smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26660", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26660" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527" + }, + { + "url": "https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40" + }, + { + "url": "https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f" + }, + { + "url": "https://git.kernel.org/linus/b3db266fb031fba88c423d4bb8983a73a3db6527(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35924" + } + ], + "bom-ref": "vuln-621", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35924" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35924", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35924" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/50e60de381c342008c0956fd762e1c26408f372c" + }, + { + "url": "https://git.kernel.org/stable/c/ad6759e233db6fcc131055f8e23b4eafbe81053c" + }, + { + "url": "https://git.kernel.org/stable/c/772f18ded0e240cc1fa2b7020cc640e3e5c32b70" + }, + { + "url": "https://git.kernel.org/stable/c/dc29dd00705a62c77de75b6d752259b869aac49d" + }, + { + "url": "https://git.kernel.org/stable/c/29d2550d79a8cbd31e0fbaa5c0e2a2efdc444e44" + }, + { + "url": "https://git.kernel.org/stable/c/4fedae8f9eafa2ac8cdaca58e315f52a7e2a8701" + }, + { + "url": "https://git.kernel.org/stable/c/94cb17e5cf3a3c484063abc0ce4b8a2b2e8c1cb2" + }, + { + "url": "https://git.kernel.org/stable/c/766c2627acb2d9d1722cce2e24837044d52d888a" + }, + { + "url": "https://git.kernel.org/linus/50e60de381c342008c0956fd762e1c26408f372c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27030" + } + ], + "bom-ref": "vuln-622", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27030" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Use separate handlers for interrupts\n\nFor PF to AF interrupt vector and VF to AF vector same\ninterrupt handler is registered which is causing race condition.\nWhen two interrupts are raised to two CPUs at same time\nthen two cores serve same event corrupting the data.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27030", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27030" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/db6338f45971b4285ea368432a84033690eaf53c" + }, + { + "url": "https://git.kernel.org/stable/c/d37c1c81419fdef66ebd0747cf76fb8b7d979059" + }, + { + "url": "https://git.kernel.org/stable/c/f5944853f7a961fedc1227dc8f60393f8936d37c" + }, + { + "url": "https://git.kernel.org/stable/c/4373534a9850627a2695317944898eb1283a2db0" + }, + { + "url": "https://git.kernel.org/stable/c/65ead8468c21c2676d4d06f50b46beffdea69df1" + }, + { + "url": "https://git.kernel.org/stable/c/07e3ca0f17f579491b5f54e9ed05173d6c1d6fcb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26627" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/4373534a9850627a2695317944898eb1283a2db0(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-623", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26627" + } + } + ], + "created": "2024-03-06T07:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\n\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\n\nThis can be too heavy in case of recovery, such as:\n\n - N hardware queues\n\n - queue depth is M for each hardware queue\n\n - each scsi_host_busy() iterates over (N * M) tag/requests\n\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\n\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\n\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\n\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart]", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26627", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2f6d721e14b69d6e1251f69fa238b48e8374e25f" + }, + { + "url": "https://git.kernel.org/stable/c/569c198c9e2093fd29cc071856a4e548fda506bc" + }, + { + "url": "https://git.kernel.org/stable/c/f0bf89e84c3afb79d7a3a9e4bc853ad6a3245c0a" + }, + { + "url": "https://git.kernel.org/stable/c/fa3ac8b1a227d9b470b87972494293348b5839ee" + }, + { + "url": "https://git.kernel.org/stable/c/889846dfc8ee2cf31148a44bfd2faeb2faadc685" + }, + { + "url": "https://git.kernel.org/stable/c/fc0aed88afbf6f606205129a7466eebdf528e3f3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35844" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2f6d721e14b69d6e1251f69fa238b48e8374e25f(6.9-rc1)" + } + ], + "bom-ref": "vuln-624", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35844" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix reserve_cblocks counting error when out of space\n\nWhen a file only needs one direct_node, performing the following\noperations will cause the file to be unrepairable:\n\nunisoc # ./f2fs_io compress test.apk\nunisoc #df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.2M 100% /data\n\nunisoc # ./f2fs_io release_cblocks test.apk\n924\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 4.8M 100% /data\n\nunisoc # dd if=/dev/random of=file4 bs=1M count=3\n3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\n\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\n\nadb reboot\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n0\n\nThis is because the file has only one direct_node. After returning\nto -ENOSPC, reserved_blocks += ret will not be executed. As a result,\nthe reserved_blocks at this time is still 0, which is not the real\nnumber of reserved blocks. Therefore, fsck cannot be set to repair\nthe file.\n\nAfter this patch, the fsck flag will be set to fix this problem.\n\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\n\nadb reboot then fsck will be executed\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n924", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35844", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35844" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c" + }, + { + "url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79" + }, + { + "url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae" + }, + { + "url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4" + }, + { + "url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0" + }, + { + "url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33" + }, + { + "url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c" + }, + { + "url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9" + }, + { + "url": "https://git.kernel.org/linus/adf0398cee86643b8eacde95f17d073d022f782c(6.9)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27399" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-625", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27399" + } + } + ], + "created": "2024-05-14T15:12:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27399", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27399" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6" + }, + { + "url": "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42" + }, + { + "url": "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27005" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/de1bf25b6d771abdb52d43546cf57ad775fb68a1(6.9-rc5)" + } + ], + "bom-ref": "vuln-626", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27005" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n \n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n \n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27005", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27005" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4a5e31bdd3c1702b520506d9cf8c41085f75c7f2" + }, + { + "url": "https://git.kernel.org/stable/c/307fa8a75ab7423fa5c73573ec3d192de5027830" + }, + { + "url": "https://git.kernel.org/stable/c/54538752216bf89ee88d47ad07802063a498c299" + }, + { + "url": "https://git.kernel.org/stable/c/eef00a82c568944f113f2de738156ac591bbd5cd" + }, + { + "url": "https://git.kernel.org/stable/c/3266e638ba5cc1165f5e6989eb8c0720f1cc4b41" + }, + { + "url": "https://git.kernel.org/stable/c/caa064c3c2394d03e289ebd6b0be5102eb8a5b40" + }, + { + "url": "https://git.kernel.org/stable/c/88081ba415224cf413101def4343d660f56d082b" + }, + { + "url": "https://git.kernel.org/stable/c/5993f121fbc01dc2d734f0ff2628009b258fb1dd" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26679" + }, + { + "url": "https://git.kernel.org/linus/eef00a82c568944f113f2de738156ac591bbd5cd(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-627", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26679" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: read sk->sk_family once in inet_recv_error()\n\ninet_recv_error() is called without holding the socket lock.\n\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-26679", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26679" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667" + }, + { + "url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a" + }, + { + "url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26661" + }, + { + "url": "https://git.kernel.org/linus/66951d98d9bf45ba25acf37fe0747253fafdf298(6.8-rc4)" + } + ], + "bom-ref": "vuln-628", + "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26661" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-24859", + "id": "CVE-2024-26661", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661" }, - "cwes": [ - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:05Z" + "updated": "2024-04-02T12:50:42Z" }, { "advisories": [ { - "url": "https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/" + "url": "https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/" + "url": "https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353" }, { - "url": "https://security.gentoo.org/glsa/202312-17" + "url": "https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f" }, { - "url": "https://security.gentoo.org/glsa/202312-16" + "url": "https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7" }, { - "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc" + "url": "https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286ff4f760" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/" + "url": "https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/" + "url": "https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/" + "url": "https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6" }, { - "url": "https://forum.netgate.com/topic/184941/terrapin-ssh-attack" + "url": "https://git.kernel.org/linus/b820de741ae48ccf50dd95e297889c286ff4f760(6.8-rc6)" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26764" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-629", + "ratings": [ { - "url": "https://access.redhat.com/security/cve/cve-2023-48795" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26764" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\n\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\n\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\n\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.", + "affects": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2024-26764", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26764" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ { - "url": "https://filezilla-project.org/versions.php" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/" + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html" + "url": "https://www.openssl.org/news/secadv/20240125.txt" }, { - "url": "https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ" + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { - "url": "https://www.openssh.com/openbsd.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/" + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-005.html" }, { - "url": "https://www.paramiko.org/changelog.html" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2478.html" }, { - "url": "https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg" + "url": "https://ubuntu.com/security/notices/USN-6632-1" }, { - "url": "https://twitter.com/TrueSkrillor/status/1736774389725565005" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2479.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/" + "url": "https://ubuntu.com/security/notices/USN-6709-1" }, { - "url": "https://ubuntu.com/security/CVE-2023-48795" + "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254210" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/" - }, + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + } + ], + "bom-ref": "vuln-630", + "ratings": [ { - "url": "https://www.debian.org/security/2023/dsa-5588" + "severity": "none", + "score": 0.00228, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0727" + } }, { - "url": "https://www.debian.org/security/2023/dsa-5586" - }, + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + } + } + ], + "created": "2024-01-26T09:15:07Z", + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "affects": [ { - "url": "https://security-tracker.debian.org/tracker/source-package/libssh2" - }, + "ref": "comp-235" + } + ], + "id": "CVE-2024-0727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:13Z" + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/" + "url": "https://git.kernel.org/stable/c/4c86c772fef06f5d7a66151bac42366825db0941" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/" + "url": "https://git.kernel.org/stable/c/6bf5c2fade8ed53b2d26fa9875e5b04f36c7145d" }, { - "url": "https://gitlab.com/libssh/libssh-mirror/-/tags" + "url": "https://git.kernel.org/stable/c/8cf9c5051076e0eb958f4361d50d8b0c3ee6691c" }, { - "url": "https://www.openssh.com/txt/release-9.6" + "url": "https://git.kernel.org/stable/c/770a57922ce36a8476c43f7400b6501c554ea511" }, { - "url": "https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6" + "url": "https://git.kernel.org/stable/c/8269ab16415f2065cd792c49b0475543936cbd79" }, { - "url": "https://crates.io/crates/thrussh/versions" + "url": "https://git.kernel.org/stable/c/94303a06e1852a366e9671fff46d19459f88cb28" }, { - "url": "https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg" + "url": "https://git.kernel.org/stable/c/0de691ff547d86dd54c24b40a81f9c925df8dd77" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/" + "url": "https://git.kernel.org/stable/c/622b1cf38521569869c8f7b9fbe9e4f1a289add7" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1217950" + "url": "https://git.kernel.org/stable/c/31096da07933598da8522c54bd007376fb152a09" }, { - "url": "https://security-tracker.debian.org/tracker/CVE-2023-48795" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27078" }, { - "url": "https://security-tracker.debian.org/tracker/source-package/trilead-ssh2" + "url": "https://git.kernel.org/linus/8cf9c5051076e0eb958f4361d50d8b0c3ee6691c(6.9-rc1)" }, { - "url": "https://bugs.gentoo.org/920280" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-631", + "ratings": [ { - "url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27078" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-tpg: fix some memleaks in tpg_alloc\n\nIn tpg_alloc, resources should be deallocated in each and every\nerror-handling paths, since they are allocated in for statements.\nOtherwise there would be memleaks because tpg_free is called only when\ntpg_alloc return 0.", + "affects": [ { - "url": "https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2024-27078", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27078" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/" + "url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1898.html" + "url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795" + "url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0954" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-632", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof().", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2023-52767", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52767" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5@xs4all.nl/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0538" + "url": "https://lore.kernel.org/lkml/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/T/" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-462.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6560-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23848" + } + ], + "bom-ref": "vuln-633", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23848" + } }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0594" + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" + } + } + ], + "created": "2024-01-23T09:15:35Z", + "description": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-23848", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-30T02:04:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd504bcfec41a503b32054da5472904b404341a4" }, { - "url": "https://ubuntu.com/security/notices/USN-6561-1" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" }, { - "url": "https://ubuntu.com/security/notices/USN-6560-2" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2376.html" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" }, { - "url": "https://ubuntu.com/security/notices/USN-6585-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52429" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0499" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7198" + "url": "https://ubuntu.com/security/notices/USN-6740-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0455" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2475.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7197" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" }, { - "url": "https://ubuntu.com/security/notices/USN-6589-1" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0789" + "url": "https://ubuntu.com/security/notices/USN-6726-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0625" + "url": "https://ubuntu.com/security/notices/USN-6725-2" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059001" + "url": "https://ubuntu.com/security/notices/USN-6725-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0429" + "url": "https://ubuntu.com/security/notices/USN-6724-2" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0628" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0606" + "url": "https://ubuntu.com/security/notices/USN-6724-1" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-468.html" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0880" + "url": "https://git.kernel.org/linus/bd504bcfec41a503b32054da5472904b404341a4(6.8-rc3)" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7201" + "url": "https://ubuntu.com/security/notices/USN-6726-3" }, { - "url": "https://ubuntu.com/security/notices/USN-6598-1" + "url": "https://ubuntu.com/security/notices/USN-6739-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0843" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0766" - } - ], - "bom-ref": "vuln-11", - "references": [ - { - "id": "GHSA-45x7-px36-x8w8", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-45x7-px36-x8w8" - } - } - ], - "created": "2023-12-18T16:15:10Z", - "description": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.", - "affects": [ - { - "ref": "comp-297" + "url": "https://ubuntu.com/security/notices/USN-6726-2" } ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795" - }, - "cwes": [ - 354 - ], - "analysis": { - "state": "exploitable" - }, + "bom-ref": "vuln-634", "ratings": [ { "severity": "none", - "score": 0.71637, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52429" } }, { "severity": "medium", - "score": 5.9, + "score": 5.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" } } ], - "id": "CVE-2023-48795", - "updated": "2024-01-29T09:15:42Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, + "created": "2024-02-12T03:15:32Z", + "description": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.", + "affects": [ { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-04T02:24:04Z" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2023-52429", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-26T21:15:57Z", + "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-297", - "value": "0.17.0" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4" - }, - { - "url": "https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326" + "url": "https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94" }, { - "url": "https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d5812d4e" + "url": "https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c" }, { - "url": "https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581" + "url": "https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4" }, { - "url": "https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a" + "url": "https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340" }, { - "url": "https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb" + "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26601" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/linus/2a9de42e8d3c82c6990d226198602be44f43f340(6.8-rc1)" }, { - "url": "https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e(6.8-rc3)" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52632" } ], - "bom-ref": "vuln-12", + "bom-ref": "vuln-635", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52632" } } ], - "created": "2024-02-26T16:27:59Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.", + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26601", + "id": "CVE-2023-52632", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52632" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-01T14:15:54Z", + "updated": "2024-04-02T12:50:42Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24855" + "url": "https://git.kernel.org/stable/c/8b69c30f4e8b69131d92096cb296dc1f217101e4" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - } - ], - "bom-ref": "vuln-13", - "ratings": [ + "url": "https://git.kernel.org/stable/c/d49270a04623ce3c0afddbf3e984cb245aa48e9c" + }, { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" - } + "url": "https://git.kernel.org/stable/c/2a37905d47bffec61e95d99f0c1cc5dc6377956c" }, { - "severity": "none", - "score": 0.00043, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", - "affects": [ + "url": "https://git.kernel.org/stable/c/a63e48cd835c34c38ef671d344cc029b1ea5bf10" + }, { - "ref": "comp-24" - } - ], - "id": "CVE-2024-24855", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" - }, - "cwes": [ - 362, - 476 - ], - "analysis": { - "state": "in_triage" - }, - "updated": "2024-02-10T04:06:40Z" - }, - { - "advisories": [ + "url": "https://git.kernel.org/stable/c/cd40e43f870cf21726b22487a95ed223790b3542" + }, { - "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.2" + "url": "https://git.kernel.org/stable/c/0593cfd321df9001142a9d2c58d4144917dff7ee" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1208844" + "url": "https://git.kernel.org/stable/c/75b0f71b26b3ad833c5c0670109c0af6e021e86a" + }, + { + "url": "https://git.kernel.org/stable/c/e9f6ac50890104fdf8194f2865680689239d30fb" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/d49270a04623ce3c0afddbf3e984cb245aa48e9c(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52619" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-14", + "bom-ref": "vuln-636", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52619" } } ], - "created": "2023-03-01T20:15:15Z", - "description": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.", + "created": "2024-03-18T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Fix crash when setting number of cpus to an odd number\n\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n addr of zone0 = BASE\n addr of zone1 = BASE + zone_size\n addr of zone2 = BASE + zone_size*2\n ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\n\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-23005", + "id": "CVE-2023-52619", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52619" }, - "cwes": [ - 476 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:07:38Z", + "updated": "2024-03-18T12:38:25Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96" - }, - { - "url": "https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5" + "url": "https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0" }, { - "url": "https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9" }, { - "url": "https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f" + "url": "https://git.kernel.org/linus/165376f6b23e9a779850e750fb2eb06622e5a531(6.8)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26582" - }, - { - "url": "https://git.kernel.org/linus/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f(6.8-rc5)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35790" } ], - "bom-ref": "vuln-15", + "bom-ref": "vuln-637", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35790" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.", + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26582", + "id": "CVE-2024-35790", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582" - }, - "analysis": { - "state": "exploitable" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35790" }, - "updated": "2024-02-28T03:15:08Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" - } - ] + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2227726" + "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-4010" + "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7" + }, + { + "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4010" + "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3" + }, + { + "url": "https://git.kernel.org/linus/6334b8e4553cc69f51e383c9de545082213d785e(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26996" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-16", + "bom-ref": "vuln-638", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.6, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26996" } } ], - "created": "2023-07-31T17:15:10Z", - "description": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-4010", + "id": "CVE-2024-26996", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26996" }, - "cwes": [ - 835 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-07T04:22:02Z" + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24860" + "url": "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4" + }, + { + "url": "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa" + }, + { + "url": "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822" + }, + { + "url": "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e67b652d8e8591d3b1e569dbcdfcee15993e91fa(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52653" } ], - "bom-ref": "vuln-17", + "bom-ref": "vuln-639", "ratings": [ - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860" - } - }, { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52653" } } ], - "created": "2024-02-05T08:15:45Z", - "description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-24860", + "id": "CVE-2023-52653", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52653" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-14T19:50:10Z" + "updated": "2024-05-01T19:50:25Z" }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54PLF5J33IRSLSR4UU6LQSMXX6FI5AOQ/" + "url": "https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255497" + "url": "https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29" }, { - "url": "https://patchwork.kernel.org/project/linux-wireless/patch/20231208043433.271449-1-hdthky0@gmail.com/" + "url": "https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C25BK2YH5MZ6VNQXKF2NAJBTGXVEPKGC/" + "url": "https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-7042" + "url": "https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7042" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=ad25ee36f00172f7d53242dc77c69fff7ced0755" + "url": "https://access.redhat.com/errata/RHSA-2024:2394" }, { - "url": "https://lore.kernel.org/all/20231208043433.271449-1-hdthky0@gmail.com/" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-052.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/?h=ath-next" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-040.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://git.kernel.org/linus/af1689a9b7701d9907dfc84d2a4b57c4bc907144(6.7-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52434" } ], - "bom-ref": "vuln-18", + "bom-ref": "vuln-640", "ratings": [ { - "severity": "none", - "score": 0.00042, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "high", + "score": 8.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434" } }, { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52434" } } ], - "created": "2023-12-21T20:15:09Z", - "description": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.", + "created": "2024-02-20T18:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n BUG: unable to handle page fault for address: ffff8881178d8cc3\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 4a01067 P4D 4a01067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x181/0x480\n ? search_module_extables+0x19/0x60\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x1b6/0x1c0\n ? asm_exc_page_fault+0x26/0x30\n ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n SMB2_open+0x38d/0x5f0 [cifs]\n ? smb2_is_path_accessible+0x138/0x260 [cifs]\n smb2_is_path_accessible+0x138/0x260 [cifs]\n cifs_is_path_remote+0x8d/0x230 [cifs]\n cifs_mount+0x7e/0x350 [cifs]\n cifs_smb3_do_mount+0x128/0x780 [cifs]\n smb3_get_tree+0xd9/0x290 [cifs]\n vfs_get_tree+0x2c/0x100\n ? capable+0x37/0x70\n path_mount+0x2d7/0xb80\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? _raw_spin_unlock_irqrestore+0x44/0x60\n __x64_sys_mount+0x11a/0x150\n do_syscall_64+0x47/0xf0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7f8737657b1e", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-7042", + "id": "CVE-2023-52434", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434" }, "cwes": [ - 476 + 119 ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-22T05:15:08Z" + "updated": "2024-03-15T14:21:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0723" + "url": "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254052" + "url": "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0725" + "url": "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6536" + "url": "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6536" + "url": "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35877" + }, + { + "url": "https://git.kernel.org/linus/04c35ab3bdae7fefbd7c7a7355f29fa03a035221(6.9-rc3)" }, { - "url": "https://lore.kernel.org/linux-nvme/69e7bbe4-b454-4941-90e2-2e6a4cf0f182@grimberg.me/T/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-19", + "bom-ref": "vuln-641", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536" - } - }, { "severity": "none", - "score": 0.00144, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35877" } } ], - "created": "2024-02-07T21:15:08Z", - "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios. Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include \n #include \n #include \n #include \n\n int main(void)\n {\n struct io_uring_params p = {};\n int ring_fd;\n size_t size;\n char *map;\n\n ring_fd = io_uring_setup(1, &p);\n if (ring_fd < 0) {\n perror(\"io_uring_setup\");\n return 1;\n }\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n /* Map the submission queue ring MAP_PRIVATE */\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n ring_fd, IORING_OFF_SQ_RING);\n if (map == MAP_FAILED) {\n perror(\"mmap\");\n return 1;\n }\n\n /* We have at least one page. Let's COW it. */\n *map = 0;\n pause();\n return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[ 301.552930] ------------[ cut here ]------------\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[ 301.565725] PKRU: 55555554\n[ 301.565944] Call Trace:\n[ 301.566148] \n[ 301.566325] ? untrack_pfn+0xf4/0x100\n[ 301.566618] ? __warn+0x81/0x130\n[ 301.566876] ? untrack_pfn+0xf4/0x100\n[ 3\n---truncated---", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-6536", + "id": "CVE-2024-35877", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35877" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T15:15:09Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + "url": "https://access.redhat.com/errata/RHSA-2024:2627" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://access.redhat.com/errata/RHSA-2024:2758" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://access.redhat.com/errata/RHSA-2024:2628" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25742" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-642", + "created": "2024-05-17T22:15:07Z", + "description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", + "affects": [ { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2024-25742", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25742" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-20T13:00:34Z", + "properties": [ { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" - }, + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T00:41:59Z" + } + ] + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52590" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://git.kernel.org/linus/9d618d19b29c2943527e3a43da0a35aea91062fc(6.8-rc1)" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-643", + "ratings": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52590" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", + "affects": [ { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2023-52590", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52590" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://git.kernel.org/stable/c/83ada89e4a86e2b28ea2b5113c76d6dc7560a4d0" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://git.kernel.org/stable/c/2c077fdfd09dffb31a890e5095c8ab205138a42e" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://git.kernel.org/stable/c/b457105309d388e4081c716cf7b81d517ff74db4" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://git.kernel.org/stable/c/9d1e795f754db1ac3344528b7af0b17b8146f321" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27003" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://git.kernel.org/linus/9d1e795f754db1ac3344528b7af0b17b8146f321(6.9-rc5)" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-644", + "ratings": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" - }, + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27003" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree for clk_summary\n\nSimilar to the previous commit, we should make sure that all devices are\nruntime resumed before printing the clk_summary through debugfs. Failure\nto do so would result in a deadlock if the thread is resuming a device\nto print clk state and that device is also runtime resuming in another\nthread, e.g the screen is turning on and the display driver is starting\nup. We remove the calls to clk_pm_runtime_{get,put}() in this path\nbecause they're superfluous now that we know the devices are runtime\nresumed. This also squashes a bug where the return value of\nclk_pm_runtime_get() wasn't checked, leading to an RPM count underflow\non error paths.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27003", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27003" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c23d9d52c" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "url": "https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://git.kernel.org/stable/c/281d464a34f540de166cee74b723e97ac2515ec3" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://git.kernel.org/linus/281d464a34f540de166cee74b723e97ac2515ec3(6.9-rc1)" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26885" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-20", + "bom-ref": "vuln-645", "ratings": [ { "severity": "high", - "score": 7.5, + "score": 7.8, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26885" } }, { "severity": "none", - "score": 0.0366, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26885" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\n\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\n\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.", "affects": [ { - "ref": "comp-147" + "ref": "comp-24" } ], - "id": "CVE-2023-50387", + "id": "CVE-2024-26885", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26885" }, "cwes": [ - 770 + 119 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-04-29T20:02:49Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "url": "https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9" + }, + { + "url": "https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35965" + }, + { + "url": "https://git.kernel.org/linus/4f3951242ace5efc7131932e2e01e6ac6baed846(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-646", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35965" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-35965", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35965" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://security-tracker.debian.org/tracker/CVE-2021-3864" + "url": "https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015046" + "url": "https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb" }, { - "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com/" + "url": "https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146" }, { - "url": "https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/" + "url": "https://git.kernel.org/stable/c/196f198ca6fce04ba6ce262f5a0e4d567d7d219d" }, { - "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" }, { - "url": "https://access.redhat.com/security/cve/CVE-2021-3864" + "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { - "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com" + "url": "https://access.redhat.com/errata/RHSA-2024:2394" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3864" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26585" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/linus/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb(6.8-rc5)" } ], - "bom-ref": "vuln-21", + "bom-ref": "vuln-647", "ratings": [ { "severity": "none", "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26585" } }, { - "severity": "high", - "score": 7.0, + "severity": "medium", + "score": 4.7, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585" } } ], - "created": "2022-08-26T16:15:09Z", - "description": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2021-3864", + "id": "CVE-2024-26585", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585" }, "cwes": [ - 284 + 362 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-02-12T23:42:51Z", + "updated": "2024-04-03T14:15:15Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-27T19:33:24Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815" + "url": "https://git.kernel.org/stable/c/03358aba991668d3bb2c65b3c82aa32c36851170" + }, + { + "url": "https://git.kernel.org/stable/c/26dfe112ec2e95fe0099681f6aec33da13c2dd8e" + }, + { + "url": "https://git.kernel.org/stable/c/aedda066d717a0b4335d7e0a00b2e3a61e40afcf" + }, + { + "url": "https://git.kernel.org/stable/c/6cdedc18ba7b9dacc36466e27e3267d201948c8d" + }, + { + "url": "https://git.kernel.org/stable/c/559b6322f9480bff68cfa98d108991e945a4f284" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/6cdedc18ba7b9dacc36466e27e3267d201948c8d(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52638" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-22", + "bom-ref": "vuln-648", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52638" } } ], - "created": "2024-03-04T07:15:11Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: fix UAF write bug in tomoyo_write_control()\n\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held. Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.", + "created": "2024-04-03T15:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\n\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\n\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\n\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\n\nNOTE: This patch along does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\n\n[mkl: remove unrelated newline change]", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26622", + "id": "CVE-2023-52638", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26622" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52638" }, "analysis": { "state": "in_triage" }, - "updated": "2024-03-04T13:58:23Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-1192" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154178" + "url": "https://git.kernel.org/stable/c/4961acdd65c956e97c1a000c82d91a8c1cdbe44b" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0448" + "url": "https://git.kernel.org/stable/c/417b8a91f4e8831cadaf85c3f15c6991c1f54dde" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7749" + "url": "https://git.kernel.org/stable/c/7ea0f29d9fd84905051be020c0df7d557e286136" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0439" + "url": "https://git.kernel.org/stable/c/7c972c89457511007dfc933814c06786905e515c" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7549" + "url": "https://git.kernel.org/stable/c/b8094c0f1aae329b1c60a275a780d6c2c9ff7aa3" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7539" + "url": "https://ubuntu.com/security/notices/USN-6766-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1192" + "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7548" + "url": "https://ubuntu.com/security/notices/USN-6688-1" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1192" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0562" + "url": "https://git.kernel.org/linus/4961acdd65c956e97c1a000c82d91a8c1cdbe44b(6.8-rc1)" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://ubuntu.com/security/notices/USN-6766-3" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0563" + "url": "https://ubuntu.com/security/notices/USN-6766-2" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0412" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52588" } ], - "bom-ref": "vuln-23", + "bom-ref": "vuln-649", "ratings": [ - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192" - } - }, { "severity": "none", - "score": 0.0005, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52588" } } ], - "created": "2023-11-01T20:15:08Z", - "description": "A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.", + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to tag gcing flag on page during block migration\n\nIt needs to add missing gcing flag on page during block migration,\nin order to garantee migrated data be persisted during checkpoint,\notherwise out-of-order persistency between data and node may cause\ndata corruption after SPOR.\n\nSimilar issue was fixed by commit 2d1fe8a86bf5 (\"f2fs: fix to tag\ngcing flag on page during file defragment\").", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-1192", + "id": "CVE-2023-52588", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52588" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-09T15:24:11Z" + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009704" + "url": "https://lore.kernel.org/lkml/5kn47peabxjrptkqa6dwtyus35ahf4pcj4qm4pumse33kxqpjw@mec4se5relrc/T/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0340" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257406" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-3" + }, + { + "url": "https://git.kernel.org/linus/4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9(6.4-rc6)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-5" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3847" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6705-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6716-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0340" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" } ], - "bom-ref": "vuln-24", + "bom-ref": "vuln-650", "ratings": [ { "severity": "none", "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0340" } }, { - "severity": "high", - "score": 7.8, + "severity": "medium", + "score": 5.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" } } ], - "created": "2022-04-01T23:15:10Z", - "description": "An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.", + "created": "2024-01-09T18:15:47Z", + "description": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2021-3847", + "id": "CVE-2024-0340", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" }, "cwes": [ - 281 + 200 ], "analysis": { "state": "exploitable" }, - "updated": "2022-04-11T20:31:06Z", + "updated": "2024-01-16T18:49:46Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", "value": "true" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" - } - ] - }, - { - "advisories": [ + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T15:55:59Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00003.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-28746" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035885" + }, { - "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28746" }, { - "url": "https://www.openssl.org/news/secadv/20240125.txt" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035920" }, { - "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035854" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035930" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035853" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035845" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035856" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727" - } - ], - "bom-ref": "vuln-25", - "ratings": [ + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035933" + }, { - "severity": "none", - "score": 0.00228, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035855" }, { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" - } - } - ], - "created": "2024-01-26T09:15:07Z", - "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", - "affects": [ + "url": "https://support.microsoft.com/help/5035920" + }, { - "ref": "comp-235" - } - ], - "id": "CVE-2024-0727", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2024-02-08T10:15:13Z" - }, - { - "advisories": [ + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035888" + }, { - "url": "https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035858" }, { - "url": "https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066108" }, { - "url": "https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035857" }, { - "url": "https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2" + "url": "https://support.microsoft.com/help/5035845" }, { - "url": "https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835" + "url": "https://support.microsoft.com/help/5035933" }, { - "url": "https://git.kernel.org/linus/d877550eaf2dc9090d782864c96939397a3c6835(6.8-rc4)" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035849" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035959" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26603" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035919" } ], - "bom-ref": "vuln-26", + "bom-ref": "vuln-651", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28746" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]", + "created": "2024-03-14T17:15:50Z", + "description": "Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26603", + "id": "CVE-2023-28746", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28746" }, + "cwes": [ + 1342 + ], "analysis": { "state": "exploitable" }, - "updated": "2024-03-01T14:15:54Z", + "updated": "2024-05-04T16:15:14Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -6368,2144 +49253,2436 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T06:38:14Z" + "value": "2024-05-20T18:48:20Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216702" + "url": "https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e" }, { - "url": "https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz@163.com/" + "url": "https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729" + }, + { + "url": "https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00" + }, + { + "url": "https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35999" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47233" + "url": "https://git.kernel.org/linus/8094a600245e9b28eb36a13036f202ad67c1f887(6.9-rc6)" } ], - "bom-ref": "vuln-27", + "bom-ref": "vuln-652", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35999" } } ], - "created": "2023-11-03T21:15:17Z", - "description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-47233", + "id": "CVE-2024-35999", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35999" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-14T16:00:39Z" + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://www.openssl.org/news/secadv/20240109.txt" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2910" } ], - "bom-ref": "vuln-28", + "bom-ref": "vuln-653", "ratings": [ { "severity": "none", - "score": 0.00061, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" } } ], - "created": "2024-01-09T17:15:12Z", - "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", "affects": [ { - "ref": "comp-235" + "ref": "comp-138" } ], - "id": "CVE-2023-6129", + "id": "CVE-2024-28182", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" }, "cwes": [ - 787 + 770 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-16T13:15:09Z" + "updated": "2024-05-01T18:15:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754" - }, - { - "url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3" + "url": "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7" }, { - "url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694" + "url": "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26584" + "url": "https://git.kernel.org/linus/ecb829459a841198e142f72fadab56424ae96519(6.9-rc4)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/8590541473188741055d27b955db0777569438e3(6.8-rc5)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35959" } ], - "bom-ref": "vuln-29", + "bom-ref": "vuln-654", "ratings": [ { "severity": "none", "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35959" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical.", + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26584", + "id": "CVE-2024-35959", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35959" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/20240207132416.1488485-1-aconole@redhat.com/" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2024-1151" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262241" + "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=bd128f62c365(selftests)" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1151" } ], - "bom-ref": "vuln-30", + "bom-ref": "vuln-655", "ratings": [ { - "severity": "none", - "score": 0.00045, + "severity": "unknown", "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" } } ], - "created": "2024-02-11T15:15:07Z", - "description": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.", + "created": "2024-05-21T16:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-1151", + "id": "CVE-2023-52761", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52761" }, - "cwes": [ - 121 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-22T04:15:08Z" + "updated": "2024-05-21T16:53:56Z" }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22099" + "url": "https://git.kernel.org/stable/c/859175d4bc11af829e2fdd261a7effdaba9b5d8f" + }, + { + "url": "https://git.kernel.org/stable/c/f9c4d42464173b826190fae2283ed1a4bbae0c8b" + }, + { + "url": "https://git.kernel.org/stable/c/c13fbb5902bce848759385986d4833f5b90782c1" + }, + { + "url": "https://git.kernel.org/stable/c/c4309e5f8e80584715c814e1d012dbc3eee5a500" + }, + { + "url": "https://git.kernel.org/stable/c/4c02b9ccbb11862ee39850b2b285664cd579b039" + }, + { + "url": "https://git.kernel.org/stable/c/b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76" + }, + { + "url": "https://git.kernel.org/stable/c/d732b83251322ecd3b503e03442247745d6052ce" + }, + { + "url": "https://git.kernel.org/stable/c/b7d33e083f9d5d39445c0a91e7ad4f3e2c47fcb5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27421" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76(6.8)" } ], - "bom-ref": "vuln-31", + "bom-ref": "vuln-656", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27421" } } ], - "created": "2024-01-25T07:15:08Z", - "description": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.\n\n", + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_routing_control\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-22099", + "id": "CVE-2024-27421", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27421" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-31T20:32:02Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + "url": "https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32" }, { - "url": "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20" + "url": "https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082" + }, + { + "url": "https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26605" + "url": "https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52639" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/1e560864159d002b453da42bd2c13a1805515a20(6.8-rc3)" + "url": "https://git.kernel.org/linus/fe752331d4b361d43cfd0b89534b4b2176057c32(6.8-rc4)" } ], - "bom-ref": "vuln-32", + "bom-ref": "vuln-657", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52639" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "created": "2024-04-03T15:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26605", + "id": "CVE-2023-52639", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52639" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:32:25Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248755" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-6039" + "url": "https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1" }, { - "url": "https://ubuntu.com/security/notices/USN-6534-2" + "url": "https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655" }, { - "url": "https://ubuntu.com/security/notices/USN-6534-1" + "url": "https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295" }, { - "url": "https://git.kernel.org/linus/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3(6.5-rc5)" + "url": "https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6039" + "url": "https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0" }, { - "url": "https://ubuntu.com/security/notices/USN-6628-2" + "url": "https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1" }, { - "url": "https://ubuntu.com/security/notices/USN-6628-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36008" }, { - "url": "https://ubuntu.com/security/notices/USN-6626-3" + "url": "https://git.kernel.org/linus/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1(6.9-rc6)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6626-2" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6534-3" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6626-1" } ], - "bom-ref": "vuln-33", + "bom-ref": "vuln-658", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36008" } } ], - "created": "2023-11-09T15:15:09Z", - "description": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.", + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-6039", + "id": "CVE-2024-36008", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-16T17:59:48Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/569156e4fa347237f8fa2a7e935d860109c55ac4" + "url": "https://git.kernel.org/stable/c/23027309b099ffc4efca5477009a11dccbdae592" }, { - "url": "https://git.kernel.org/stable/c/814af6b4e6000e574e74d92197190edf07cc3680" + "url": "https://git.kernel.org/stable/c/fa69a8063f8b27f3c7434a0d4f464a76a62f24d2" }, { - "url": "https://git.kernel.org/stable/c/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9" + "url": "https://git.kernel.org/stable/c/8b1d72395635af45410b66cc4c4ab37a12c4a831" + }, + { + "url": "https://git.kernel.org/stable/c/ce31d79aa1f13a2345791f84935281a2c194e003" + }, + { + "url": "https://git.kernel.org/linus/8b1d72395635af45410b66cc4c4ab37a12c4a831(6.8-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26706" } ], - "bom-ref": "vuln-34", + "bom-ref": "vuln-659", "ratings": [ { - "severity": "unknown", + "severity": "none", + "score": 0.00045, "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26706" } } ], - "created": "2024-02-29T15:52:20Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Always exit sme_alloc() early with existing storage\n\nWhen sme_alloc() is called with existing storage and we are not flushing we\nwill always allocate new storage, both leaking the existing storage and\ncorrupting the state. Fix this by separating the checks for flushing and\nfor existing storage as we do for SVE.\n\nCallers that reallocate (eg, due to changing the vector length) should\ncall sme_free() themselves.", + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix random data corruption from exception handler\n\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\n\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\n\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\n\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26618", + "id": "CVE-2024-26706", "source": { - "name": "MITRE", - "url": "https://cve.org/CVERecord?id=CVE-2024-26618" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26706" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-29T15:52:20Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10" - }, - { - "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12" - }, - { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c" + "url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9" }, { - "url": "https://access.redhat.com/errata/RHSA-2021:1578" + "url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd" }, { - "url": "https://access.redhat.com/errata/RHSA-2021:1739" + "url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-019.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35956" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36694" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/linus/74e97958121aa1f5854da6effba70143f051b0cd(6.9-rc4)" } ], - "bom-ref": "vuln-35", + "bom-ref": "vuln-660", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35956" } } ], - "created": "2023-05-21T23:15:08Z", - "description": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.", + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2020-36694", + "id": "CVE-2024-35956", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35956" }, - "cwes": [ - 416 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-06-22T15:15:09Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T14:42:13Z" - } - ] + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5@xs4all.nl/" + "url": "https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88" }, { - "url": "https://lore.kernel.org/lkml/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/T/" + "url": "https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5" + }, + { + "url": "https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277" + }, + { + "url": "https://git.kernel.org/linus/7d2a894d7f487dcb894df023e9d3014cf5b93fe5(6.8-rc6)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23848" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27402" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-36", + "bom-ref": "vuln-661", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27402" } } ], - "created": "2024-01-23T09:15:35Z", - "description": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "created": "2024-05-17T12:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-23848", + "id": "CVE-2024-27402", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27402" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-30T02:04:25Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33" + "url": "https://git.kernel.org/stable/c/0399d7eba41d9b28f5bdd7757ec21a5b7046858d" }, { - "url": "https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a" + "url": "https://git.kernel.org/stable/c/d637b5118274701e8448f35953877daf04df18b4" }, { - "url": "https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01" + "url": "https://git.kernel.org/stable/c/f19361d570c67e7e014896fa2dacd7d721bf0aa8" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/e94da8aca2e78ef9ecca02eb211869eacd5504e5" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/e4168ac25b4bd378bd7dda322d589482a136c1fd" }, { - "url": "https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d" + "url": "https://git.kernel.org/stable/c/de8b6e1c231a95abf95ad097b993d34b31458ec9" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26583" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26776" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/aec7961916f3f9e88766e2688992da6980f11b8d(6.8-rc5)" + "url": "https://git.kernel.org/linus/de8b6e1c231a95abf95ad097b993d34b31458ec9(6.8-rc2)" } ], - "bom-ref": "vuln-37", + "bom-ref": "vuln-662", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26776" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.", + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\n\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000008\n Call trace:\n complete+0x54/0x100\n hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n __handle_irq_event_percpu+0x64/0x1e0\n handle_irq_event+0x7c/0x1cc", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26583", + "id": "CVE-2024-26776", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26776" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24861" + "url": "https://git.kernel.org/stable/c/8de8305a25bfda607fc13475ebe84b978c96d7ff" + }, + { + "url": "https://git.kernel.org/stable/c/d3bbe77a76bc52e9d4d0a120f1509be36e25c916" + }, + { + "url": "https://git.kernel.org/stable/c/5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43" + }, + { + "url": "https://git.kernel.org/stable/c/832698373a25950942c04a512daa652c18a9b513" + }, + { + "url": "https://git.kernel.org/stable/c/21dbe20589c7f48e9c5d336ce6402bcebfa6d76a" + }, + { + "url": "https://git.kernel.org/stable/c/d639102f4cbd4cb65d1225dba3b9265596aab586" + }, + { + "url": "https://git.kernel.org/stable/c/ffeb72a80a82aba59a6774b0611f792e0ed3b0b7" + }, + { + "url": "https://git.kernel.org/stable/c/6b92b1bc16d691c95b152c6dbf027ad64315668d" + }, + { + "url": "https://git.kernel.org/linus/832698373a25950942c04a512daa652c18a9b513(6.8-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26772" } ], - "bom-ref": "vuln-38", + "bom-ref": "vuln-663", "ratings": [ - { - "severity": "medium", - "score": 6.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26772" } } ], - "created": "2024-02-05T08:15:45Z", - "description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\n\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-24861", + "id": "CVE-2024-26772", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26772" }, - "cwes": [ - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:05:59Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b" }, { - "url": "https://ubuntu.com/security/notices/USN-6520-1" + "url": "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-2" + "url": "https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a" }, { - "url": "https://ubuntu.com/security/notices/USN-6464-1" + "url": "https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-1" + "url": "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5" }, { - "url": "https://ubuntu.com/security/notices/USN-6465-1" + "url": "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f" }, { - "url": "https://ubuntu.com/security/notices/USN-6462-1" + "url": "https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c" + }, + { + "url": "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27020" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-3" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f969eb84ce482331a991079ab7a5c4dc3b7f89bf(6.9-rc5)" + } + ], + "bom-ref": "vuln-664", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27020" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27020", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27020" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ { - "url": "https://ubuntu.com/security/notices/USN-6462-2" + "url": "https://git.kernel.org/stable/c/4fc82cd907ac075648789cc3a00877778aa1838b" }, { - "url": "https://ubuntu.com/security/notices/USN-6466-1" + "url": "https://git.kernel.org/stable/c/f873b85ec762c5a6abe94a7ddb31df5d3ba07d85" }, { - "url": "https://ubuntu.com/security/notices/USN-6465-2" + "url": "https://git.kernel.org/stable/c/c04f2780919f20e2cc4846764221f5e802555868" }, { - "url": "https://ubuntu.com/security/notices/USN-6465-3" + "url": "https://git.kernel.org/stable/c/34a7b30f56d30114bf4d436e4dc793afe326fbcf" }, { - "url": "https://ubuntu.com/security/notices/USN-6439-2" + "url": "https://git.kernel.org/stable/c/d70f1c85113cd8c2aa8373f491ca5d1b22ec0554" }, { - "url": "https://ubuntu.com/security/notices/USN-6439-1" + "url": "https://git.kernel.org/stable/c/025bc6b41e020aeb1e71f84ae3ffce945026de05" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31083" + "url": "https://git.kernel.org/stable/c/2b74b2a92e524d7c8dec8e02e95ecf18b667c062" }, { - "url": "https://git.kernel.org/bluetooth/bluetooth-next/c/ff1b86784849" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26891" }, { - "url": "https://ubuntu.com/security/notices/USN-6516-1" + "url": "https://git.kernel.org/linus/4fc82cd907ac075648789cc3a00877778aa1838b(6.9-rc1)" } ], - "bom-ref": "vuln-39", + "bom-ref": "vuln-665", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26891" } } ], - "created": "2023-04-24T06:15:07Z", - "description": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.", + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Don't issue ATS Invalidation request when device is disconnected\n\nFor those endpoint devices connect to system via hotplug capable ports,\nusers could request a hot reset to the device by flapping device's link\nthrough setting the slot's link control register, as pciehp_ist() DLLSC\ninterrupt sequence response, pciehp will unload the device driver and\nthen power it off. thus cause an IOMMU device-TLB invalidation (Intel\nVT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence\ntarget device to be sent and deadly loop to retry that request after ITE\nfault triggered in interrupt context.\n\nThat would cause following continuous hard lockup warning and system hang\n\n[ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down\n[ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present\n[ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144\n[ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S\n OE kernel version xxxx\n[ 4223.822623] Hardware name: vendorname xxxx 666-106,\nBIOS 01.01.02.03.01 05/15/2023\n[ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490\n[ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b\n 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1\n0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39\n[ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093\n[ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005\n[ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340\n[ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000\n[ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200\n[ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004\n[ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000)\nknlGS:0000000000000000\n[ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0\n[ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 4223.822628] PKRU: 55555554\n[ 4223.822628] Call Trace:\n[ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0\n[ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250\n[ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50\n[ 4223.822629] intel_iommu_release_device+0x1f/0x30\n[ 4223.822629] iommu_release_device+0x33/0x60\n[ 4223.822629] iommu_bus_notifier+0x7f/0x90\n[ 4223.822630] blocking_notifier_call_chain+0x60/0x90\n[ 4223.822630] device_del+0x2e5/0x420\n[ 4223.822630] pci_remove_bus_device+0x70/0x110\n[ 4223.822630] pciehp_unconfigure_device+0x7c/0x130\n[ 4223.822631] pciehp_disable_slot+0x6b/0x100\n[ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320\n[ 4223.822631] pciehp_ist+0x176/0x180\n[ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110\n[ 4223.822632] irq_thread_fn+0x19/0x50\n[ 4223.822632] irq_thread+0x104/0x190\n[ 4223.822632] ? irq_forced_thread_fn+0x90/0x90\n[ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0\n[ 4223.822633] kthread+0x114/0x130\n[ 4223.822633] ? __kthread_cancel_work+0x40/0x40\n[ 4223.822633] ret_from_fork+0x1f/0x30\n[ 4223.822633] Kernel panic - not syncing: Hard LOCKUP\n[ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S\n OE kernel version xxxx\n[ 4223.822634] Hardware name: vendorname xxxx 666-106,\nBIOS 01.01.02.03.01 05/15/2023\n[ 4223.822634] Call Trace:\n[ 4223.822634] \n[ 4223.822635] dump_stack+0x6d/0x88\n[ 4223.822635] panic+0x101/0x2d0\n[ 4223.822635] ? ret_from_fork+0x11/0x30\n[ 4223.822635] nmi_panic.cold.14+0xc/0xc\n[ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81\n[ 4223.822636] __perf_event_overflow+0x4f/0xf0\n[ 4223.822636] handle_pmi_common\n---truncated---", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-31083", + "id": "CVE-2024-26891", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26891" }, - "cwes": [ - 362, - 476 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:14:13Z", + "updated": "2024-04-17T12:48:07Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513" + "url": "https://git.kernel.org/stable/c/9cb3755b1e3680b720b74dbedfac889e904605c7" }, { - "url": "https://access.redhat.com/security/cve/CVE-2024-0564" + "url": "https://git.kernel.org/stable/c/ff41e0d4f3fa10d7cdd7d40f8026bea9fcc8b000" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514" + "url": "https://git.kernel.org/stable/c/517621b7060096e48e42f545fa6646fc00252eac" + }, + { + "url": "https://git.kernel.org/stable/c/c560327d900bab968c2e1b4cd7fa2d46cd429e3d" + }, + { + "url": "https://git.kernel.org/stable/c/07c3fe923ff7eccf684fb4f8c953d0a7cc8ded73" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0564" + "url": "https://git.kernel.org/stable/c/585fec7361e7850bead21fada49a7fcde2f2e791" + }, + { + "url": "https://git.kernel.org/stable/c/899e154f9546fcae18065d74064889d08fff62c2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26979" + }, + { + "url": "https://git.kernel.org/linus/517621b7060096e48e42f545fa6646fc00252eac(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-40", + "bom-ref": "vuln-666", "ratings": [ - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" - } - }, { "severity": "none", - "score": 0.00052, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26979" } } ], - "created": "2024-01-30T15:15:08Z", - "description": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix possible null pointer derefence with invalid contexts\n\nvmw_context_cotable can return either an error or a null pointer and its\nusage sometimes went unchecked. Subsequent code would then try to access\neither a null pointer or an error value.\n\nThe invalid dereferences were only possible with malformed userspace\napps which never properly initialized the rendering contexts.\n\nCheck the results of vmw_context_cotable to fix the invalid derefs.\n\nThanks:\nziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab\nwho was the first person to discover it.\nNiels De Graef who reported it and helped to track down the poc.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-0564", + "id": "CVE-2024-26979", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26979" }, - "cwes": [ - 203 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-08T16:36:48Z", + "updated": "2024-05-01T13:02:20Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24864" + "url": "https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f" + }, + { + "url": "https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462" + }, + { + "url": "https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3" + }, + { + "url": "https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6" + }, + { + "url": "https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26802" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-41", + "bom-ref": "vuln-667", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26802" } } ], - "created": "2024-02-05T08:15:45Z", - "description": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nCurrently when suspending driver and stopping workqueue it is checked whether\nworkqueue is not NULL and if so, it is destroyed.\nFunction destroy_workqueue() does drain queue and does clear variable, but\nit does not set workqueue variable to NULL. This can cause kernel/module\npanic if code attempts to clear workqueue that was not initialized.\n\nThis scenario is possible when resuming suspended driver in stmmac_resume(),\nbecause there is no handling for failed stmmac_hw_setup(),\nwhich can fail and return if DMA engine has failed to initialize,\nand workqueue is initialized after DMA engine.\nShould DMA engine fail to initialize, resume will proceed normally,\nbut interface won't work and TX queue will eventually timeout,\ncausing 'Reset adapter' error.\nThis then does destroy workqueue during reset process.\nAnd since workqueue is initialized after DMA engine and can be skipped,\nit will cause kernel/module panic.\n\nTo secure against this possible crash, set workqueue variable to NULL when\ndestroying workqueue.\n\nLog/backtrace from crash goes as follows:\n[88.031977]------------[ cut here ]------------\n[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out\n[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398\n \n[88.032251]---[ end trace e70de432e4d5c2c0 ]---\n[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.\n[88.036359]------------[ cut here ]------------\n[88.036519]Call trace:\n[88.036523] flush_workqueue+0x3e4/0x430\n[88.036528] drain_workqueue+0xc4/0x160\n[88.036533] destroy_workqueue+0x40/0x270\n[88.036537] stmmac_fpe_stop_wq+0x4c/0x70\n[88.036541] stmmac_release+0x278/0x280\n[88.036546] __dev_close_many+0xcc/0x158\n[88.036551] dev_close_many+0xbc/0x190\n[88.036555] dev_close.part.0+0x70/0xc0\n[88.036560] dev_close+0x24/0x30\n[88.036564] stmmac_service_task+0x110/0x140\n[88.036569] process_one_work+0x1d8/0x4a0\n[88.036573] worker_thread+0x54/0x408\n[88.036578] kthread+0x164/0x170\n[88.036583] ret_from_fork+0x10/0x20\n[88.036588]---[ end trace e70de432e4d5c2c1 ]---\n[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-24864", + "id": "CVE-2024-26802", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26802" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:05:22Z" + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24855" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://ubuntu.com/security/notices/USN-6700-1" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://ubuntu.com/security/notices/USN-6699-1" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://ubuntu.com/security/notices/USN-6702-2" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://ubuntu.com/security/notices/USN-6701-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-4" + }, + { + "url": "https://lore.kernel.org/all/20230630024748.1035993-1-islituo@gmail.com/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6700-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://ubuntu.com/security/notices/USN-6702-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6705-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6716-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-3" } ], - "bom-ref": "vuln-42", + "bom-ref": "vuln-668", "ratings": [ { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24855" } }, { - "severity": "none", - "score": 0.00046, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", "affects": [ { - "ref": "comp-254" + "ref": "comp-24" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-24855", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" }, "cwes": [ - 693 + 362, + 476 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-19T23:15:07Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" - } - ] + "updated": "2024-02-10T04:06:40Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144" + "url": "https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2" }, { - "url": "https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29" + "url": "https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a" }, { - "url": "https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48" + "url": "https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da" }, { - "url": "https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa" + "url": "https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676" }, { - "url": "https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5" + "url": "https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52434" + "url": "https://git.kernel.org/linus/f42c97027fb75776e2e9358d16bf4a99aeb04cf2(6.9-rc6)" }, { - "url": "https://git.kernel.org/linus/af1689a9b7701d9907dfc84d2a4b57c4bc907144(6.7-rc6)" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35848" } ], - "bom-ref": "vuln-43", + "bom-ref": "vuln-669", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35848" } } ], - "created": "2024-02-20T18:15:50Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n BUG: unable to handle page fault for address: ffff8881178d8cc3\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 4a01067 P4D 4a01067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x181/0x480\n ? search_module_extables+0x19/0x60\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x1b6/0x1c0\n ? asm_exc_page_fault+0x26/0x30\n ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n SMB2_open+0x38d/0x5f0 [cifs]\n ? smb2_is_path_accessible+0x138/0x260 [cifs]\n smb2_is_path_accessible+0x138/0x260 [cifs]\n cifs_is_path_remote+0x8d/0x230 [cifs]\n cifs_mount+0x7e/0x350 [cifs]\n cifs_smb3_do_mount+0x128/0x780 [cifs]\n smb3_get_tree+0xd9/0x290 [cifs]\n vfs_get_tree+0x2c/0x100\n ? capable+0x37/0x70\n path_mount+0x2d7/0xb80\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? _raw_spin_unlock_irqrestore+0x44/0x60\n __x64_sys_mount+0x11a/0x150\n do_syscall_64+0x47/0xf0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7f8737657b1e", + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-52434", + "id": "CVE-2024-35848", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35848" }, "analysis": { "state": "in_triage" }, - "updated": "2024-03-01T14:15:53Z" + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://git.kernel.org/linus/8d037973d48c026224ab285e6a06985ccac6f7bf(6.3-rc1)" - }, - { - "url": "https://lkml.org/lkml/2022/12/9/178" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:0461" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2176" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6224-1" + "url": "https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e" }, { - "url": "https://ubuntu.com/security/notices/USN-6235-1" + "url": "https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0448" + "url": "https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50" }, { - "url": "https://patchwork.kernel.org/project/linux-rdma/patch/3d0e9a2fd62bc10ba02fed1c7c48a48638952320.1672819273.git.leonro@nvidia.com/" + "url": "https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0439" + "url": "https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7" }, { - "url": "https://ubuntu.com/security/notices/USN-6228-1" + "url": "https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6194-1" + "url": "https://git.kernel.org/linus/961ebd120565cb60cebe21cb634fbc456022db4a(6.8)" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35815" } ], - "bom-ref": "vuln-44", + "bom-ref": "vuln-670", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35815" } } ], - "created": "2023-04-20T21:15:08Z", - "description": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.", + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-2176", + "id": "CVE-2024-35815", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35815" }, - "cwes": [ - 125 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-07-27T15:21:17Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQXU752ALW53OJAF5MG3WMR5CCZVLWW6/" + "url": "https://git.kernel.org/stable/c/b7be6c737a179a76901c872f6b4c1d00552d9a1b" }, { - "url": "https://groups.google.com/g/golang-announce" + "url": "https://git.kernel.org/stable/c/e26d3009efda338f19016df4175f354a9bd0a4ab" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q6GE5EQGE4L2KRVGW4T75QVIYAXCLO5X/" + "url": "https://git.kernel.org/stable/c/6f3ae02bbb62f151b19162d5fdc9fe3d48450323" }, { - "url": "https://groups.google.com/g/golang-announce/c/Y5qrqw_lWdU" + "url": "https://git.kernel.org/stable/c/00b19ee0dcc1aef06294471ab489bae26d94524e" }, { - "url": "https://security.gentoo.org/glsa/202208-02" + "url": "https://git.kernel.org/stable/c/116b0e8e4673a5faa8a739a19b467010c4d3058c" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z55VUVGO7E5PJFXIOVAY373NZRHBNCI5/" + "url": "https://git.kernel.org/stable/c/49ce99ae43314d887153e07cec8bb6a647a19268" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZY2SLWOQR4ZURQ7UBRZ7JIX6H6F5JHJR/" + "url": "https://access.redhat.com/errata/RHSA-2024:2394" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1860.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6038-1" - }, + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52620" + } + ], + "bom-ref": "vuln-671", + "ratings": [ { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1863.html" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52620" + } + } + ], + "created": "2024-03-21T11:15:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow timeout for anonymous sets\n\nNever used from userspace, disallow these parameters.", + "affects": [ { - "url": "https://alas.aws.amazon.com/ALAS-2022-1635.html" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2023-52620", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52620" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29526" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ { - "url": "https://ubuntu.com/security/notices/USN-6038-2" + "url": "https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:3642" + "url": "https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:1529" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52585" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1858.html" - }, + "url": "https://git.kernel.org/linus/b8d55a90fd55b767c25687747e2b24abd1ef8680(6.8-rc1)" + } + ], + "bom-ref": "vuln-672", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2022:6277" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52585" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", + "affects": [ { - "url": "https://access.redhat.com/errata/RHSA-2022:6156" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2023-52585", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52585" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2022:5699" + "url": "https://git.kernel.org/stable/c/6c92224721a439d6350db5933a1060768dcd565e" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:5337" + "url": "https://git.kernel.org/stable/c/5d9fe604bf9b5b09d2215225df55f22a4cbbc684" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:5799" + "url": "https://git.kernel.org/stable/c/d164ddc21e986dd9ad614b4b01746e5457aeb24f" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-046.html" + "url": "https://git.kernel.org/stable/c/b1d0eebaf87cc9ccd05f779ec4a0589f95d6c18b" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1847.html" + "url": "https://git.kernel.org/stable/c/8df9a3c7044b847e9c4dc7e683fd64c6b873f328" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/8c2e4efe1278cd2b230cdbf90a6cefbf00acc282" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1859.html" + "url": "https://git.kernel.org/stable/c/4797a3dd46f220e6d83daf54d70c5b33db6deb01" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:5392" + "url": "https://git.kernel.org/stable/c/42492b00156c03a79fd4851190aa63045d6a15ce" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1864.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27076" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-047.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:0408" - }, + "url": "https://git.kernel.org/linus/4797a3dd46f220e6d83daf54d70c5b33db6deb01(6.9-rc1)" + } + ], + "bom-ref": "vuln-673", + "ratings": [ { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1861.html" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27076" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx: csc/scaler: fix v4l2_ctrl_handler memory leak\n\nFree the memory allocated in v4l2_ctrl_handler_init on release.", + "affects": [ { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1865.html" + "ref": "comp-24" + } + ], + "id": "CVE-2024-27076", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27076" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/135e5465fefa463c5ec93c4eede48b9fedac894a" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:5840" + "url": "https://git.kernel.org/stable/c/7f31a244c753aacf40b71d01f03ca6742f81bbbc" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:5201" + "url": "https://git.kernel.org/stable/c/95175dda017cd4982cd47960536fa1de003d3298" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1862.html" + "url": "https://git.kernel.org/stable/c/5ba4e6d5863c53e937f49932dee0ecb004c65928" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:6714" + "url": "https://git.kernel.org/stable/c/5639414a52a29336ffa1ede80a67c6d927acbc5a" }, { - "url": "https://access.redhat.com/errata/RHSA-2022:5729" + "url": "https://git.kernel.org/stable/c/bab8875c06ebda5e01c5c4cab30022aed85c14e6" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1846.html" + "url": "https://git.kernel.org/linus/5ba4e6d5863c53e937f49932dee0ecb004c65928(6.8-rc6)" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASDOCKER-2022-020.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26743" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-048.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-45", - "references": [ - { - "id": "SNYK-GOLANG-GOLANGORGXSYS-5660583", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYS-5660583" - } - }, + "bom-ref": "vuln-674", + "ratings": [ { - "id": "GHSA-p782-xgp4-8hr8", + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-p782-xgp4-8hr8" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26743" } } ], - "created": "2022-06-23T17:15:12Z", - "description": "Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.", + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix qedr_create_user_qp error flow\n\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\n\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n\n--[ end trace 888a9b92e04c5c97 ]--", "affects": [ { - "ref": "comp-286" - }, - { - "ref": "comp-281" + "ref": "comp-24" } ], + "id": "CVE-2024-26743", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26743" }, - "cwes": [ - 269 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "ratings": [ - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29526" - } - }, - { - "severity": "none", - "score": 0.00244, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2022-29526", - "updated": "2023-11-07T03:46:03Z", + "updated": "2024-04-03T17:24:18Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-26T14:42:03Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-286", - "value": "0.0.0-20220412211240-33da011f77ad" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-281", - "value": "0.0.0-20220412211240-33da011f77ad" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383" + "url": "https://git.kernel.org/stable/c/31db25e3141b20e2a76a9f219eeca52e3cab126c" }, { - "url": "https://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15" + "url": "https://git.kernel.org/stable/c/7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5" }, { - "url": "https://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182" + "url": "https://git.kernel.org/stable/c/5ada9016b1217498fad876a3d5b07645cc955608" }, { - "url": "https://git.kernel.org/stable/c/6fd24675188d354b1cad47462969afa2ab09d819" + "url": "https://git.kernel.org/stable/c/dac068f164ad05b35e7c0be13f138c3f6adca58f" }, { - "url": "https://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62" + "url": "https://git.kernel.org/stable/c/719fcafe07c12646691bd62d7f8d94d657fa0766" }, { - "url": "https://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26868" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26586" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/linus/719fcafe07c12646691bd62d7f8d94d657fa0766(6.9-rc1)" } ], - "bom-ref": "vuln-46", + "bom-ref": "vuln-675", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26868" } } ], - "created": "2024-02-22T17:15:08Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix panic when nfs4_ff_layout_prepare_ds() fails\n\nWe've been seeing the following panic in production\n\nBUG: kernel NULL pointer dereference, address: 0000000000000065\nPGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0\nRIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\nCall Trace:\n \n ? __die+0x78/0xc0\n ? page_fault_oops+0x286/0x380\n ? __rpc_execute+0x2c3/0x470 [sunrpc]\n ? rpc_new_task+0x42/0x1c0 [sunrpc]\n ? exc_page_fault+0x5d/0x110\n ? asm_exc_page_fault+0x22/0x30\n ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]\n pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]\n pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]\n ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]\n nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]\n ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]\n __nfs_pageio_add_request+0x154/0x6c0 [nfs]\n nfs_pageio_add_request+0x26b/0x380 [nfs]\n nfs_do_writepage+0x111/0x1e0 [nfs]\n nfs_writepages_callback+0xf/0x30 [nfs]\n write_cache_pages+0x17f/0x380\n ? nfs_pageio_init_write+0x50/0x50 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n nfs_writepages+0x125/0x210 [nfs]\n do_writepages+0x67/0x220\n ? generic_perform_write+0x14b/0x210\n filemap_fdatawrite_wbc+0x5b/0x80\n file_write_and_wait_range+0x6d/0xc0\n nfs_file_fsync+0x81/0x170 [nfs]\n ? nfs_file_mmap+0x60/0x60 [nfs]\n __x64_sys_fsync+0x53/0x90\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nInspecting the core with drgn I was able to pull this\n\n >>> prog.crashed_thread().stack_trace()[0]\n #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27\n >>> prog.crashed_thread().stack_trace()[0]['idx']\n (u32)1\n >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds\n (struct nfs4_ff_layout_ds *)0xffffffffffffffed\n\nThis is clear from the stack trace, we call nfs4_ff_layout_prepare_ds()\nwhich could error out initializing the mirror_ds, and then we go to\nclean it all up and our check is only for if (!mirror->mirror_ds). This\nis inconsistent with the rest of the users of mirror_ds, which have\n\n if (IS_ERR_OR_NULL(mirror_ds))\n\nto keep from tripping over this exact scenario. Fix this up in\nff_layout_cancel_io() to make sure we don't panic when we get an error.\nI also spot checked all the other instances of checking mirror_ds and we\nappear to be doing the correct checks everywhere, only unconditionally\ndereferencing mirror_ds when we know it would be valid.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26586", + "id": "CVE-2024-26868", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26868" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T09:15:22Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a" - }, - { - "url": "https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21" - }, - { - "url": "https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9" + "url": "https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4" }, { - "url": "https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2" + "url": "https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f33757781e838c0" }, { - "url": "https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c" + "url": "https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82" }, { - "url": "https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f" + "url": "https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f" }, { - "url": "https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7" + "url": "https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8" }, { - "url": "https://git.kernel.org/linus/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21(6.8-rc5)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26744" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26593" + "url": "https://git.kernel.org/linus/fdfa083549de5d50ebf7f6811f33757781e838c0(6.8-rc6)" } ], - "bom-ref": "vuln-47", + "bom-ref": "vuln-676", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26744" } } ], - "created": "2024-02-23T10:15:07Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.", + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Support specifying the srpt_service_guid parameter\n\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n \n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26593", + "id": "CVE-2024-26744", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26744" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/CALGdzuo6awWdau3X=8XK547x2vX_-VoFmH1aPsqosRTQ5WzJVA@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457" + }, + { + "url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845" + }, + { + "url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04" + }, + { + "url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2" + }, + { + "url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046" }, { - "url": "https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu@suse.com/" + "url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2" + }, + { + "url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5" + }, + { + "url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26654" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23850" + "url": "https://git.kernel.org/linus/051e0840ffa8ab25554d6b14b62c9ab9e4901457(6.9-rc2)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-48", + "bom-ref": "vuln-677", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26654" } } ], - "created": "2024-01-23T09:15:36Z", - "description": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.", + "created": "2024-04-01T09:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-23850", + "id": "CVE-2024-26654", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26654" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199" + "url": "https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76" }, { - "url": "https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724" + "url": "https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927" }, { - "url": "https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4" + "url": "https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3" }, { - "url": "https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9" + "url": "https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e" + }, + { + "url": "https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1" + }, + { + "url": "https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac" + }, + { + "url": "https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09" + }, + { + "url": "https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f" + }, + { + "url": "https://git.kernel.org/linus/f123dc86388cb669c3d6322702dc441abc35c31e(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26590" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52699" } ], - "bom-ref": "vuln-49", + "bom-ref": "vuln-678", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52699" } } ], - "created": "2024-02-22T17:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously.", + "created": "2024-05-19T11:15:47Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26590", + "id": "CVE-2023-52699", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52699" }, "analysis": { "state": "in_triage" }, - "updated": "2024-03-01T14:15:54Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2024-0841" + "url": "https://git.kernel.org/stable/c/4049a9f80513a6739c5677736a4c88f96df1b436" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256490" + "url": "https://git.kernel.org/stable/c/bc845e2e42cae95172c04bf29807c480f51a2a83" }, { - "url": "https://lore.kernel.org/all/20240130210418.3771-1-osalvador@suse.de/T/" + "url": "https://git.kernel.org/stable/c/1824f942527f784a19e01eac2d9679a21623d010" + }, + { + "url": "https://git.kernel.org/stable/c/f1cf77bb870046a6111a604f7f7fe83d1c8c9610" + }, + { + "url": "https://git.kernel.org/stable/c/31aaf17200c336fe258b70d39c40645ae19d0240" + }, + { + "url": "https://git.kernel.org/stable/c/49f067726ab01c87cf57566797a8a719badbbf08" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0841" + "url": "https://git.kernel.org/stable/c/c67698325c68f8768db858f5c87c34823421746d" + }, + { + "url": "https://git.kernel.org/stable/c/04a2b6eff2ae1c19cb7f41e803bcbfaf94c06455" + }, + { + "url": "https://git.kernel.org/stable/c/9636951e4468f02c72cc75a82dc65d003077edbc" + }, + { + "url": "https://git.kernel.org/linus/9636951e4468f02c72cc75a82dc65d003077edbc(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52644" } ], - "bom-ref": "vuln-50", + "bom-ref": "vuln-679", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52644" } } ], - "created": "2024-01-28T12:15:52Z", - "description": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.", + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\n\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\n\nLog of issue before change (with kernel parameter qos=0):\n [ +5.112651] ------------[ cut here ]------------\n [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS\n [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n [ +0.000001] CS: 0010 DS: 0\n---truncated---", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-0841", + "id": "CVE-2023-52644", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52644" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-02T15:38:25Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://android.googlesource.com/kernel/common/+/b35a06182451f" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" }, { - "url": "https://source.android.com/security/bulletin/2023-08-01" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" }, { - "url": "https://android.googlesource.com/kernel/common/+/53625a846a7b4" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23851" }, { - "url": "https://ubuntu.com/security/notices/USN-6383-1" + "url": "https://ubuntu.com/security/notices/USN-6740-1" }, { - "url": "https://git.kernel.org/linus/09cce60bddd6461a93a5bf434265a47827d1bc6f" + "url": "https://lore.kernel.org/all/PH7PR11MB576877FF72A9B2D43EAA1AEBA093A@PH7PR11MB5768.namprd11.prod.outlook.com/T/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-349.html" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21264" + "url": "https://ubuntu.com/security/notices/USN-6726-3" }, { - "url": "https://ubuntu.com/security/notices/USN-6466-1" + "url": "https://ubuntu.com/security/notices/USN-6739-1" }, { - "url": "https://source.android.com/docs/security/bulletin/2023-08-01" + "url": "https://ubuntu.com/security/notices/USN-6726-2" } ], - "bom-ref": "vuln-51", + "bom-ref": "vuln-680", "ratings": [ { "severity": "none", "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23851" } }, { "severity": "medium", - "score": 6.7, + "score": 5.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" } } ], - "created": "2023-08-14T21:15:11Z", - "description": "In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.\n\n", + "created": "2024-01-23T09:15:36Z", + "description": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-21264", + "id": "CVE-2024-23851", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" }, - "cwes": [ - 119 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-08-24T15:31:45Z", + "updated": "2024-02-28T03:15:08Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57" + "url": "https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154" }, { - "url": "https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb" + "url": "https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530" }, { - "url": "https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146" + "url": "https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97" + }, + { + "url": "https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0" + }, + { + "url": "https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26585" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36006" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb(6.8-rc5)" + "url": "https://git.kernel.org/linus/b377add0f0117409c418ddd6504bd682ebe0bf79(6.9-rc6)" } ], - "bom-ref": "vuln-52", + "bom-ref": "vuln-681", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36006" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.", + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26585", + "id": "CVE-2024-36006", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + "url": "https://git.kernel.org/linus/a90bca2228c0646fc29a72689d308e5fe03e6d78(6.9-rc5)" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26993" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-682", + "ratings": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26993" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.", + "affects": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2024-26993", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26993" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b7586e902128e4fb7bfbb661cb52e4215a65637b" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://git.kernel.org/stable/c/437a111f79a2f5b2a5f21e27fdec6f40c8768712" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://git.kernel.org/stable/c/f20c3270f3ed5aa6919a87e4de9bf6c05fb57086" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://git.kernel.org/stable/c/d0f5c28333822f9baa5280d813124920720fd856" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://git.kernel.org/stable/c/35674111a043b0482a9bc69da8850a83f465b07d" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://git.kernel.org/stable/c/0d3fe80b6d175c220b3e252efc6c6777e700e98e" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://git.kernel.org/stable/c/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://git.kernel.org/stable/c/779e8db7efb22316c8581d6c229636d2f5694a62" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://git.kernel.org/stable/c/096237039d00c839f3e3a5fe6d001bf0db45b644" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://git.kernel.org/linus/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5(6.9-rc1)" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27043" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-683", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27043" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: edia: dvbdev: fix a use-after-free\n\nIn dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed\nin several error-handling paths. However, *pdvbdev is not set to NULL\nafter dvbdev's deallocation, causing use-after-frees in many places,\nfor example, in the following call chain:\n\nbudget_register\n |-> dvb_dmxdev_init\n |-> dvb_register_device\n |-> dvb_dmxdev_release\n |-> dvb_unregister_device\n |-> dvb_remove_device\n |-> dvb_device_put\n |-> kref_put\n\nWhen calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in\ndvb_register_device) could point to memory that had been freed in\ndvb_register_device. Thereafter, this pointer is transferred to\nkref_put and triggering a use-after-free.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2024-27043", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27043" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://git.kernel.org/linus/fcdbc1d7a4b638e5d5668de461f320386f3002aa(6.9-rc6)" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35948" } ], - "bom-ref": "vuln-53", + "bom-ref": "vuln-684", "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35948" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "created": "2024-05-20T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overruning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.", "affects": [ { - "ref": "comp-147" + "ref": "comp-24" } ], - "id": "CVE-2023-50868", + "id": "CVE-2024-35948", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35948" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" - } - ] + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256786" + "url": "https://git.kernel.org/stable/c/0193e0660cc6689c794794b471492923cfd7bfbc" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6270" + "url": "https://git.kernel.org/stable/c/6eecddd9c3c8d6e3a097531cdc6d500335b35e46" + }, + { + "url": "https://git.kernel.org/stable/c/d91964cdada76740811b7c621239f9c407820dbc" + }, + { + "url": "https://git.kernel.org/stable/c/ba5e1272142d051dcc57ca1d3225ad8a089f9858" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6270" + "url": "https://git.kernel.org/linus/ba5e1272142d051dcc57ca1d3225ad8a089f9858(6.8-rc4)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26681" } ], - "bom-ref": "vuln-54", + "bom-ref": "vuln-685", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.0, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26681" } } ], - "created": "2024-01-04T17:15:08Z", - "description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: avoid potential loop in nsim_dev_trap_report_work()\n\nMany syzbot reports include the following trace [1]\n\nIf nsim_dev_trap_report_work() can not grab the mutex,\nit should rearm itself at least one jiffie later.\n\n[1]\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events nsim_dev_trap_report_work\n RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]\n RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]\n RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]\n RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]\n RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\n RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189\nCode: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00\nRSP: 0018:ffffc90012dcf998 EFLAGS: 00000046\nRAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3\nRDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0\nRBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e\nR10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002\nR13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]\n debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]\n do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141\n __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]\n _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194\n debug_object_activate+0x349/0x540 lib/debugobjects.c:726\n debug_work_activate kernel/workqueue.c:578 [inline]\n insert_work+0x30/0x230 kernel/workqueue.c:1650\n __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802\n __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953\n queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989\n queue_delayed_work include/linux/workqueue.h:563 [inline]\n schedule_delayed_work include/linux/workqueue.h:677 [inline]\n nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842\n process_one_work+0x886/0x15d0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n ", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-6270", + "id": "CVE-2024-26681", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26681" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-10T15:59:25Z" + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/e288285d47784fdcf7c81be56df7d65c6f10c58b" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23851" + "url": "https://git.kernel.org/stable/c/f14cee7a882cb79528f17a2335f53e9fd1848467" }, { - "url": "https://lore.kernel.org/all/PH7PR11MB576877FF72A9B2D43EAA1AEBA093A@PH7PR11MB5768.namprd11.prod.outlook.com/T/" + "url": "https://git.kernel.org/stable/c/b7deb675d674f44e0ddbab87fee8f9f098925e73" + }, + { + "url": "https://git.kernel.org/stable/c/825d63164a2e6bacb059a9afb5605425b485413f" + }, + { + "url": "https://git.kernel.org/linus/e288285d47784fdcf7c81be56df7d65c6f10c58b(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26930" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-55", + "bom-ref": "vuln-686", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26930" } } ], - "created": "2024-01-23T09:15:36Z", - "description": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.", + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of the ha->vp_map pointer\n\nCoverity scan reported potential risk of double free of the pointer\nha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed\nin function qla2x00_mem_free(ha).\n\nAssign NULL to vp_map and kfree take care of NULL.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-23851", + "id": "CVE-2024-26930", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26930" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-01T13:02:20Z" }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32021" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" } ], - "bom-ref": "vuln-56", + "bom-ref": "vuln-687", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425" - } - }, { "severity": "none", - "score": 0.00051, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32021" } } ], - "created": "2024-02-04T20:15:46Z", - "description": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", + "created": "2024-05-14T20:15:13Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.", "affects": [ { - "ref": "comp-62" + "ref": "comp-113" } ], - "id": "CVE-2023-52425", + "id": "CVE-2024-32021", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32021" }, "cwes": [ - 400 + 547 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-26T16:27:48Z" + "updated": "2024-05-15T16:40:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/00000000000056e02f05dfb6e11a@google.com/T/" - }, - { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-37454" + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.2" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37454" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1208844" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-57", + "bom-ref": "vuln-688", "ratings": [ { "severity": "medium", @@ -8514,39 +51691,39 @@ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" } }, { "severity": "none", - "score": 0.00043, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23005" } } ], - "created": "2023-07-06T17:15:14Z", - "description": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.", + "created": "2023-03-01T20:15:15Z", + "description": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-37454", + "id": "CVE-2023-23005", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" }, "cwes": [ - 416 + 476 ], "analysis": { "state": "exploitable" }, - "updated": "2023-11-07T04:16:56Z", + "updated": "2024-05-17T02:19:48Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -8554,1431 +51731,1717 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "value": "2024-05-15T13:43:21Z" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009" + "url": "https://git.kernel.org/stable/c/5a33420599fa0288792537e6872fd19cc8607ea6" }, { - "url": "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + "url": "https://git.kernel.org/stable/c/6335c0cdb2ea0ea02c999e04d34fd84f69fb27ff" + }, + { + "url": "https://git.kernel.org/stable/c/dc904345e3771aa01d0b8358b550802fdc6fe00b" + }, + { + "url": "https://git.kernel.org/stable/c/f6564fce256a3944aa1bc76cb3c40e792d97c1eb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26639" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f6564fce256a3944aa1bc76cb3c40e792d97c1eb(6.8-rc3)" } ], - "bom-ref": "vuln-58", + "bom-ref": "vuln-689", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26639" } } ], - "created": "2024-02-29T15:15:07Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "created": "2024-03-18T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, kmsan: fix infinite recursion due to RCU critical section\n\nAlexander Potapenko writes in [1]: \"For every memory access in the code\ninstrumented by KMSAN we call kmsan_get_metadata() to obtain the metadata\nfor the memory being accessed. For virtual memory the metadata pointers\nare stored in the corresponding `struct page`, therefore we need to call\nvirt_to_page() to get them.\n\nAccording to the comment in arch/x86/include/asm/page.h,\nvirt_to_page(kaddr) returns a valid pointer iff virt_addr_valid(kaddr) is\ntrue, so KMSAN needs to call virt_addr_valid() as well.\n\nTo avoid recursion, kmsan_get_metadata() must not call instrumented code,\ntherefore ./arch/x86/include/asm/kmsan.h forks parts of\narch/x86/mm/physaddr.c to check whether a virtual address is valid or not.\n\nBut the introduction of rcu_read_lock() to pfn_valid() added instrumented\nRCU API calls to virt_to_page_or_null(), which is called by\nkmsan_get_metadata(), so there is an infinite recursion now. I do not\nthink it is correct to stop that recursion by doing\nkmsan_enter_runtime()/kmsan_exit_runtime() in kmsan_get_metadata(): that\nwould prevent instrumented functions called from within the runtime from\ntracking the shadow values, which might introduce false positives.\"\n\nFix the issue by switching pfn_valid() to the _sched() variant of\nrcu_read_lock/unlock(), which does not require calling into RCU. Given\nthe critical section in pfn_valid() is very small, this is a reasonable\ntrade-off (with preemptible RCU).\n\nKMSAN further needs to be careful to suppress calls into the scheduler,\nwhich would be another source of recursion. This can be done by wrapping\nthe call to pfn_valid() into preempt_disable/enable_no_resched(). The\ndownside is that this sacrifices breaking scheduling guarantees; however,\na kernel compiled with KMSAN has already given up any performance\nguarantees due to being heavily instrumented.\n\nNote, KMSAN code already disables tracing via Makefile, and since mmzone.h\nis included, it is not necessary to use the notrace variant, which is\ngenerally preferred in all other cases.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-52485", + "id": "CVE-2024-26639", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26639" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-29T18:06:42Z" + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/844f104790bd69c2e4dbb9ee3eba46fde1fcea7b" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009704" }, { - "url": "https://git.kernel.org/stable/c/dbd909c20c11f0d29c0054d41e0d1f668a60e8c8" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3847" + } + ], + "bom-ref": "vuln-690", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3847" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + } + } + ], + "created": "2022-04-01T23:15:10Z", + "description": "An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.", + "affects": [ + { + "ref": "comp-24" + } + ], + "id": "CVE-2021-3847", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + }, + "cwes": [ + 281 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-04-11T20:31:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-10T01:20:18Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001" + }, + { + "url": "https://git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c" + }, + { + "url": "https://git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397" + }, + { + "url": "https://git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49" + }, + { + "url": "https://git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb" + }, + { + "url": "https://git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05" + }, + { + "url": "https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26910" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26596" + "url": "https://git.kernel.org/linus/97f7cf1cd80eeed3b7c808b7c12463295c751001(6.8-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-59", + "bom-ref": "vuln-691", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26910" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26910" } } ], - "created": "2024-02-23T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[ 43.309174] ==================================================================\n[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[ 43.330058]\n[ 43.342436] Call trace:\n[ 43.366542] dsa_user_prechangeupper+0x30/0xe8\n[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8\n[ 43.375768] notifier_call_chain+0xa4/0x210\n[ 43.379985] raw_notifier_call_chain+0x24/0x38\n[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8\n[ 43.389120] netdev_upper_dev_link+0x70/0xa8\n[ 43.393424] register_vlan_dev+0x1bc/0x310\n[ 43.397554] vlan_newlink+0x210/0x248\n[ 43.401247] rtnl_newlink+0x9fc/0xe30\n[ 43.404942] rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type check, as customary.", + "created": "2024-04-17T16:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix performance regression in swap operation\n\nThe patch \"netfilter: ipset: fix race condition between swap/destroy\nand kernel side add/del/test\", commit 28628fa9 fixes a race condition.\nBut the synchronize_rcu() added to the swap function unnecessarily slows\nit down: it can safely be moved to destroy and use call_rcu() instead.\n\nEric Dumazet pointed out that simply calling the destroy functions as\nrcu callback does not work: sets with timeout use garbage collectors\nwhich need cancelling at destroy which can wait. Therefore the destroy\nfunctions are split into two: cancelling garbage collectors safely at\nexecuting the command received by netlink and moving the remaining\npart only into the rcu callback.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26596", + "id": "CVE-2024-26910", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26910" }, + "cwes": [ + 362 + ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T16:14:43Z" + "updated": "2024-04-29T19:14:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + "url": "https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33" + }, + { + "url": "https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-4133" + "url": "https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029" }, { - "url": "https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15(6.3)" + "url": "https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0" + }, + { + "url": "https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4" + }, + { + "url": "https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4133" + "url": "https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35922" + }, + { + "url": "https://git.kernel.org/linus/c2d953276b8b27459baed1277a4fdd5dd9bd4126(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-60", + "bom-ref": "vuln-692", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35922" } } ], - "created": "2023-08-03T15:15:33Z", - "description": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-4133", + "id": "CVE-2024-35922", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35922" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-07T04:22:09Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19" + "url": "https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809" }, { - "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529" + "url": "https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863" }, { - "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + "url": "https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0" + }, + { + "url": "https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4" + }, + { + "url": "https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470" + }, + { + "url": "https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05" + }, + { + "url": "https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec" + }, + { + "url": "https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4" + }, + { + "url": "https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27" + }, + { + "url": "https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a" + }, + { + "url": "https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064" + }, + { + "url": "https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a" + }, + { + "url": "https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b" + }, + { + "url": "https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52452" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26848" + }, + { + "url": "https://git.kernel.org/linus/5f7a07646655fb4108da527565dcdc80124b14c4(6.8-rc7)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-61", + "bom-ref": "vuln-693", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26848" } } ], - "created": "2024-02-22T17:15:08Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix endless loop in directory parsing\n\nIf a directory has a block with only \".__afsXXXX\" files in it (from\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\nadvancing the file position in the dir_context. This leads to\nafs_dir_iterate() repeating the block again and again.\n\nFix this by making the code that skips the .__afsXXXX file also manually\nadvance the file position.\n\nThe symptoms are a soft lookup:\n\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\n ...\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\n ...\n ? watchdog_timer_fn+0x1a6/0x213\n ...\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? afs_dir_iterate_block+0x39/0x1fd\n afs_dir_iterate+0x10a/0x148\n afs_readdir+0x30/0x4a\n iterate_dir+0x93/0xd3\n __do_sys_getdents64+0x6b/0xd4\n\nThis is almost certainly the actual fix for:\n\n https://bugzilla.kernel.org/show_bug.cgi?id=218496", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-52452", + "id": "CVE-2024-26848", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26848" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-22T19:07:27Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22386" + "url": "https://git.kernel.org/stable/c/b5909f197f3b26aebedca7d8ac7b688fd993a266" + }, + { + "url": "https://git.kernel.org/stable/c/8731fe001a60581794ed9cf65da8cd304846a6fb" + }, + { + "url": "https://git.kernel.org/stable/c/7535ec350a5f09b5756a7607f5582913f21200f4" + }, + { + "url": "https://git.kernel.org/stable/c/ccb88e9549e7cfd8bcd511c538f437e20026e983" + }, + { + "url": "https://git.kernel.org/stable/c/58054faf3bd29cd0b949b77efcb6157f66f401ed" + }, + { + "url": "https://git.kernel.org/stable/c/88aa493f393d2ee38ac140e1f6ac1881346e85d4" + }, + { + "url": "https://git.kernel.org/linus/ccb88e9549e7cfd8bcd511c538f437e20026e983(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26695" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-62", + "bom-ref": "vuln-694", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26695" } } ], - "created": "2024-02-05T08:15:43Z", - "description": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked\n\nThe SEV platform device can be shutdown with a null psp_master,\ne.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:\n\n[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)\n[ 137.162647] ccp 0000:23:00.1: no command queues available\n[ 137.170598] ccp 0000:23:00.1: sev enabled\n[ 137.174645] ccp 0000:23:00.1: psp enabled\n[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]\n[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311\n[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c\n[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216\n[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e\n[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0\n[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66\n[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28\n[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8\n[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000\n[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0\n[ 137.182693] Call Trace:\n[ 137.182693] \n[ 137.182693] ? show_regs+0x6c/0x80\n[ 137.182693] ? __die_body+0x24/0x70\n[ 137.182693] ? die_addr+0x4b/0x80\n[ 137.182693] ? exc_general_protection+0x126/0x230\n[ 137.182693] ? asm_exc_general_protection+0x2b/0x30\n[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80\n[ 137.182693] sev_dev_destroy+0x49/0x100\n[ 137.182693] psp_dev_destroy+0x47/0xb0\n[ 137.182693] sp_destroy+0xbb/0x240\n[ 137.182693] sp_pci_remove+0x45/0x60\n[ 137.182693] pci_device_remove+0xaa/0x1d0\n[ 137.182693] device_remove+0xc7/0x170\n[ 137.182693] really_probe+0x374/0xbe0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] __driver_probe_device+0x199/0x460\n[ 137.182693] driver_probe_device+0x4e/0xd0\n[ 137.182693] __driver_attach+0x191/0x3d0\n[ 137.182693] ? __pfx___driver_attach+0x10/0x10\n[ 137.182693] bus_for_each_dev+0x100/0x190\n[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10\n[ 137.182693] ? __kasan_check_read+0x15/0x20\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? _raw_spin_unlock+0x27/0x50\n[ 137.182693] driver_attach+0x41/0x60\n[ 137.182693] bus_add_driver+0x2a8/0x580\n[ 137.182693] driver_register+0x141/0x480\n[ 137.182693] __pci_register_driver+0x1d6/0x2a0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] sp_pci_init+0x22/0x30\n[ 137.182693] sp_mod_init+0x14/0x30\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] do_one_initcall+0xd1/0x470\n[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10\n[ 137.182693] ? parameq+0x80/0xf0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? __kmalloc+0x3b0/0x4e0\n[ 137.182693] ? kernel_init_freeable+0x92d/0x1050\n[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] kernel_init_freeable+0xa64/0x1050\n[ 137.182693] ? __pfx_kernel_init+0x10/0x10\n[ 137.182693] kernel_init+0x24/0x160\n[ 137.182693] ? __switch_to_asm+0x3e/0x70\n[ 137.182693] ret_from_fork+0x40/0x80\n[ 137.182693] ? __pfx_kernel_init+0x1\n---truncated---", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-22386", + "id": "CVE-2024-26695", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26695" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:05:26Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/5kn47peabxjrptkqa6dwtyus35ahf4pcj4qm4pumse33kxqpjw@mec4se5relrc/T/" + "url": "https://git.kernel.org/stable/c/04d9d1fc428ac9f581d55118d67e0cb546701feb" }, { - "url": "https://access.redhat.com/security/cve/CVE-2024-0340" + "url": "https://git.kernel.org/stable/c/1b20e61d36f490319d3fbdedd410155232ab5190" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257406" + "url": "https://git.kernel.org/stable/c/86d9b040421bbd26425f5a3edc226f57ecdecbfe" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/856baaa100cd288d3685eedae9a129c996e7e755" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0340" + "url": "https://git.kernel.org/stable/c/ad105cde6b261b8b05ec872fe7d1987417d7fe5a" }, { - "url": "https://git.kernel.org/linus/4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9(6.4-rc6)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26864" + }, + { + "url": "https://git.kernel.org/linus/04d9d1fc428ac9f581d55118d67e0cb546701feb(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-63", + "bom-ref": "vuln-695", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26864" } } ], - "created": "2024-01-09T18:15:47Z", - "description": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.", + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix refcnt handling in __inet_hash_connect().\n\nsyzbot reported a warning in sk_nulls_del_node_init_rcu().\n\nThe commit 66b60b0c8c4a (\"dccp/tcp: Unhash sk from ehash for tb2 alloc\nfailure after check_estalblished().\") tried to fix an issue that an\nunconnected socket occupies an ehash entry when bhash2 allocation fails.\n\nIn such a case, we need to revert changes done by check_established(),\nwhich does not hold refcnt when inserting socket into ehash.\n\nSo, to revert the change, we need to __sk_nulls_add_node_rcu() instead\nof sk_nulls_add_node_rcu().\n\nOtherwise, sock_put() will cause refcnt underflow and leak the socket.\n\n[0]:\nWARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799\nModules linked in:\nCPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799\nCode: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 <0f> 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2\nRSP: 0018:ffffc900032d7848 EFLAGS: 00010246\nRAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000\nRDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000\nRBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28\nR10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140\nR13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130\nFS: 00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139\n dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956\n __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678\n inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f3b8167dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9\nRDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\nRBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8\n ", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-0340", + "id": "CVE-2024-26864", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26864" }, - "cwes": [ - 200 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-16T18:49:46Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23196" + "url": "https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139" + }, + { + "url": "https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef" + }, + { + "url": "https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7" + }, + { + "url": "https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214" + }, + { + "url": "https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc" + }, + { + "url": "https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26689" + }, + { + "url": "https://git.kernel.org/linus/cda4672da1c26835dcbd7aec2bfed954eda9b5ef(6.8-rc4)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-64", + "bom-ref": "vuln-696", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26689" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n", + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: prevent use-after-free in encode_cap_msg()\n\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\n\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\n\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-23196", + "id": "CVE-2024-26689", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26689" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:14Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254054" + "url": "https://git.kernel.org/stable/c/d76c8d7ffe163c6bf2f1ef680b0539c2b3902b90" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0723" + "url": "https://git.kernel.org/stable/c/5d1935ac02ca5aee364a449a35e2977ea84509b0" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/dc3e0f55bec4410f3d74352c4a7c79f518088ee2" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0725" + "url": "https://git.kernel.org/stable/c/6d2cbf517dcabc093159cf138ad5712c9c7fa954" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6356" + "url": "https://git.kernel.org/stable/c/8b1413dbfe49646eda2c00c0f1144ee9d3368e0c" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/cfbbb3199e71b63fc26cee0ebff327c47128a1e8" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://git.kernel.org/stable/c/b183fe8702e78bba3dcef8e7193cab6898abee07" + }, + { + "url": "https://git.kernel.org/stable/c/cd1f93ca97a9136989f3bd2bf90696732a2ed644" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" }, { - "url": "https://lore.kernel.org/linux-nvme/CAK5usQupQgYoyav2itYADv2XVooMptqqswW8cTkuoMkRpjapwQ@mail.gmail.com/T/" + "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6356" + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://git.kernel.org/linus/5d1935ac02ca5aee364a449a35e2977ea84509b0(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52622" } ], - "bom-ref": "vuln-65", + "bom-ref": "vuln-697", "ratings": [ { "severity": "none", - "score": 0.00144, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52622" } } ], - "created": "2024-02-07T21:15:08Z", - "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid online resizing failures due to oversized flex bg\n\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\n\n mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n mount $dev $dir\n resize2fs $dev 16G\n\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n \n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\n\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\n\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\n\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-6356", + "id": "CVE-2023-52622", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T15:15:08Z" + "updated": "2024-04-11T01:22:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159764" + "url": "https://git.kernel.org/stable/c/33081e0f34899d5325e7c45683dd8dc9cb18b583" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56" + "url": "https://git.kernel.org/stable/c/7d56ffc51ebd2777ded8dca50d631ee19d97db5c" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-0160" + "url": "https://git.kernel.org/stable/c/5deaef2bf56456c71b841e0dfde1bee2fd88c4eb" }, { - "url": "https://lore.kernel.org/bpf/000000000000f1db9605f939720e@google.com/" + "url": "https://git.kernel.org/stable/c/806f462ba9029d41aadf8ec93f2f99c5305deada" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-184.html" + "url": "https://git.kernel.org/stable/c/34c84e0036a60e7e50ae50b42ed194d8daef8cc9" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0160" + "url": "https://git.kernel.org/stable/c/80578681ea274e0a6512bb7515718c206a7b74cf" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/6133a71c75dacea12fcc85838b4455c2055b0f14" }, { - "url": "https://lore.kernel.org/all/20230406122622.109978-1-liuxin350@huawei.com/" - } - ], - "bom-ref": "vuln-66", - "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" - } + "url": "https://git.kernel.org/stable/c/a22f9194f61ad4f2b6405c7c86bee85eac1befa5" }, + { + "url": "https://git.kernel.org/linus/806f462ba9029d41aadf8ec93f2f99c5305deada(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27425" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-698", + "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27425" } } ], - "created": "2023-07-18T17:15:11Z", - "description": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-0160", + "id": "CVE-2024-27425", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27425" }, - "cwes": [ - 667, - 833 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T03:59:46Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://people.redhat.com/~hkario/marvin/" + "url": "https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16" }, { - "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + "url": "https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843" + "url": "https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6240" + "url": "https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240" + }, + { + "url": "https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a" + }, + { + "url": "https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a" + }, + { + "url": "https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6240" + "url": "https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35915" + }, + { + "url": "https://git.kernel.org/linus/d24b03535e5eb82e025219c2f632b485409c898f(6.9-rc2)" } ], - "bom-ref": "vuln-67", + "bom-ref": "vuln-699", "ratings": [ { "severity": "none", - "score": 0.00073, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35915" } } ], - "created": "2024-02-04T14:15:47Z", - "description": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-6240", + "id": "CVE-2024-35915", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35915" }, - "cwes": [ - 203 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-15T08:15:45Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/989b0ff35fe5fc9652ee5bafbe8483db6f27b137" + "url": "https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994" }, { - "url": "https://git.kernel.org/stable/c/23d05d563b7e7b0314e65c8e882bc27eac2da8e7" + "url": "https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2" }, { - "url": "https://git.kernel.org/stable/c/cd1022eaf87be8e6151435bd4df4c242c347e083" + "url": "https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137" }, { - "url": "https://git.kernel.org/stable/c/95b3904a261a9f810205da560e802cc326f50d77" + "url": "https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3" }, { - "url": "https://git.kernel.org/stable/c/8f8f185643747fbb448de6aab0efa51c679909a3" + "url": "https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424" }, { - "url": "https://git.kernel.org/stable/c/6c53e8547687d9c767c139cd4b50af566f58c29a" + "url": "https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52435" + "url": "https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1" }, { - "url": "https://git.kernel.org/linus/23d05d563b7e7b0314e65c8e882bc27eac2da8e7(6.7-rc6)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27395" + }, + { + "url": "https://git.kernel.org/linus/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-68", + "bom-ref": "vuln-700", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27395" } } ], - "created": "2024-02-20T20:15:08Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---", + "created": "2024-05-14T15:12:27Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-52435", + "id": "CVE-2024-27395", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27395" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-23T09:15:22Z", + "updated": "2024-05-14T16:13:02Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd504bcfec41a503b32054da5472904b404341a4" + "url": "https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + "url": "https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + "url": "https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52429" + "url": "https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a" }, { - "url": "https://git.kernel.org/linus/bd504bcfec41a503b32054da5472904b404341a4(6.8-rc3)" + "url": "https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b" + }, + { + "url": "https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8" + }, + { + "url": "https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35930" + }, + { + "url": "https://git.kernel.org/linus/2ae917d4bcab80ab304b774d492e2fcd6c52c06b(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-69", + "bom-ref": "vuln-701", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35930" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.", + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status. In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-52429", + "id": "CVE-2024-35930", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T21:15:57Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21803" + "url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac" + }, + { + "url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76" + }, + { + "url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35974" + }, + { + "url": "https://git.kernel.org/linus/8b8ace080319a866f5dfe9da8e665ae51d971c54(6.9-rc4)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-70", + "bom-ref": "vuln-702", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35974" } } ], - "created": "2024-01-30T08:15:41Z", - "description": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix q->blkg_list corruption during disk rebind\n\nMultiple gendisk instances can allocated/added for single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\n\nFix the list corruption issue by:\n\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\n\nThe list corruption should be started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn().", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-21803", + "id": "CVE-2024-35974", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35974" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-08T01:57:53Z" + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/24ec7504a08a67247fbe798d1de995208a8c128a" + "url": "https://git.kernel.org/stable/c/3b48c9e258c8691c2f093ee07b1ea3764caaa1b2" }, { - "url": "https://git.kernel.org/stable/c/50fb4e17df319bb33be6f14e2a856950c1577dee" + "url": "https://git.kernel.org/stable/c/46eba193d04f8bd717e525eb4110f3c46c12aec3" }, { - "url": "https://git.kernel.org/stable/c/b6a2a9cbb67545c825ec95f06adb7ff300a2ad71" + "url": "https://git.kernel.org/stable/c/6609e98ed82966a1b3168c142aca30f8284a7b89" }, { - "url": "https://git.kernel.org/stable/c/3cd139875e9a7688b3fc715264032620812a5fa3" + "url": "https://git.kernel.org/stable/c/e9837c83befb5b852fa76425dde98a87b737df00" }, { - "url": "https://git.kernel.org/stable/c/2441a64070b85c14eecc3728cc87e883f953f265" + "url": "https://git.kernel.org/stable/c/e42ff0844fe418c7d03a14f9f90e1b91ba119591" }, { - "url": "https://git.kernel.org/stable/c/944d5fe50f3f03daacfea16300e656a1691c4a23" + "url": "https://git.kernel.org/stable/c/2fc45a4631ac7837a5c497cb4f7e2115d950fc37" }, { - "url": "https://git.kernel.org/stable/c/c5b2063c65d05e79fad8029324581d86cfba7eea" + "url": "https://git.kernel.org/stable/c/7e0ff50131e9d1aa507be8e670d38e9300a5f5bf" }, { - "url": "https://git.kernel.org/stable/c/db896bbe4a9c67cee377e5f6a743350d3ae4acf6" + "url": "https://ubuntu.com/security/notices/USN-6766-1" }, { - "url": "https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26684" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26602" + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://git.kernel.org/linus/46eba193d04f8bd717e525eb4110f3c46c12aec3(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-71", + "bom-ref": "vuln-703", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26684" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.", + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\n\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26602", + "id": "CVE-2024-26684", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26684" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:32:25Z" + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3@huawei.com/T/" + "url": "https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca" + }, + { + "url": "https://git.kernel.org/stable/c/136cfaca22567a03bbb3bf53a43d8cb5748b80ec" + }, + { + "url": "https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7" + }, + { + "url": "https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01daf8576" + }, + { + "url": "https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e" + }, + { + "url": "https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861" + }, + { + "url": "https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a" + }, + { + "url": "https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77" + }, + { + "url": "https://git.kernel.org/linus/136cfaca22567a03bbb3bf53a43d8cb5748b80ec(6.8-rc6)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25740" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26754" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-72", + "bom-ref": "vuln-704", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26754" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\n\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-25740", + "id": "CVE-2024-26754", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26754" }, - "cwes": [ - 401 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T21:11:27Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7" + "url": "https://git.kernel.org/stable/c/a11d965a218f0cd95b13fe44d0bcd8a20ce134a8" }, { - "url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0" + "url": "https://git.kernel.org/stable/c/4cc198580a7b93a36f5beb923f40f7ae27a3716c" }, { - "url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9" + "url": "https://git.kernel.org/stable/c/fdb580ed05df8973aa5149cafa598c64bebcd0cb" }, { - "url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003" + "url": "https://git.kernel.org/stable/c/e1f113b57ddd18274d7c83618deca25cc880bc48" }, { - "url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8" + "url": "https://git.kernel.org/stable/c/739b3ccd9486dff04af95f9a890846d088a84957" }, { - "url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb" + "url": "https://git.kernel.org/stable/c/04cfe4a5da57ab9358cdfadea22bcb37324aaf83" }, { - "url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a" + "url": "https://git.kernel.org/stable/c/69e905beca193125820c201ab3db4fb0e245124e" }, { - "url": "https://git.kernel.org/linus/60c0c230c6f046da536d3df8b39a20b9a9fd6af0(6.8-rc4)" + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/a11d965a218f0cd95b13fe44d0bcd8a20ce134a8(6.8-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26581" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52595" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-73", + "bom-ref": "vuln-705", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52595" } } ], - "created": "2024-02-20T13:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.", + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: restart beacon queue when hardware reset\n\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26581", + "id": "CVE-2023-52595", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52595" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T09:15:22Z" + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://patchwork.kernel.org/project/linux-raid/patch/20240112071017.16313-1-2045gemini@gmail.com/" + "url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa" }, { - "url": "https://lore.kernel.org/linux-raid/20240112071017.16313-1-2045gemini@gmail.com/T/" + "url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26954" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23307" + "url": "https://git.kernel.org/linus/a80a486d72e20bd12c335bcd38b6e6f19356b0aa(6.9-rc1)" } ], - "bom-ref": "vuln-74", + "bom-ref": "vuln-706", "ratings": [ - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26954" } } ], - "created": "2024-01-25T07:15:09Z", - "description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-23307", + "id": "CVE-2024-26954", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26954" }, - "cwes": [ - 190 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-31T20:38:12Z" + "updated": "2024-05-01T13:02:20Z" }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" - }, - { - "url": "https://www.openssl.org/news/secadv/20231106.txt" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" + "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26793" } ], - "bom-ref": "vuln-75", + "bom-ref": "vuln-707", "ratings": [ { "severity": "none", - "score": 0.00079, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26793" } } ], - "created": "2023-11-06T16:15:42Z", - "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985] ? __die_body.cold+0x1a/0x1f\n[ 1010.715995] ? die_addr+0x43/0x70\n[ 1010.716002] ? exc_general_protection+0x199/0x2f0\n[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042] __rtnl_newlink+0x1063/0x1700\n[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076] ? __kernel_text_address+0x56/0xa0\n[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098] ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106] ? stack_trace_save+0x91/0xd0\n[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121] ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139] ? mark_held_locks+0x9e/0xe0\n[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160] rtnl_newlink+0x69/0xa0\n[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179] ? lock_acquire+0x1fe/0x560\n[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196] netlink_rcv_skb+0x14d/0x440\n[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208] ? netlink_ack+0xab0/0xab0\n[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226] ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233] netlink_unicast+0x54b/0x800\n[ 1010.716240] ? netlink_attachskb+0x870/0x870\n[ 1010.716248] ? __check_object_size+0x2de/0x3b0\n[ 1010.716254] netlink_sendmsg+0x938/0xe40\n[ 1010.716261] ? netlink_unicast+0x800/0x800\n[ 1010.716269] ? __import_iovec+0x292/0x510\n[ 1010.716276] ? netlink_unicast+0x800/0x800\n[ 1010.716284] __sock_sendmsg+0x159/0x190\n[ 1010.716290] ____sys_sendmsg+0x712/0x880\n[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309] ? lock_acquire+0x1fe/0x560\n[ 1010.716315] ? drain_array_locked+0x90/0x90\n[ 1010.716324] ___sys_sendmsg+0xf8/0x170\n[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337] ? lockdep_init_map\n---truncated---", "affects": [ { - "ref": "comp-235" + "ref": "comp-24" } ], - "id": "CVE-2023-5678", + "id": "CVE-2024-26793", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26793" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-30T22:15:09Z" + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/97830f3c3088638ff90b20dfba2eb4d487bf14d7" + "url": "https://git.kernel.org/stable/c/24e51d6eb578b82ff292927f14b9f5ec05a46beb" }, { - "url": "https://git.kernel.org/stable/c/a423042052ec2bdbf1e552e621e6a768922363cc" + "url": "https://git.kernel.org/stable/c/d0b07f712bf61e1a3cf23c87c663791c42e50837" }, { - "url": "https://git.kernel.org/stable/c/93b372c39c40cbf179e56621e6bc48240943af69" + "url": "https://git.kernel.org/stable/c/7393c681f9aa05ffe2385e8716989565eed2fe06" }, { - "url": "https://git.kernel.org/stable/c/dd64bb8329ce0ea27bc557e4160c2688835402ac" + "url": "https://git.kernel.org/stable/c/1597cd1a88cfcdc4bf8b1b44cd458fed9a5a5d63" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/55ca0c7eae8499bb96f4e5d9b26af95e89c4e6a0" }, { - "url": "https://git.kernel.org/stable/c/90e09c016d72b91e76de25f71c7b93d94cc3c769" + "url": "https://git.kernel.org/stable/c/656b8cc123d7635dd399d9f02594f27aa797ac3c" }, { - "url": "https://git.kernel.org/stable/c/42beab162dcee1e691ee4934292d51581c29df61" + "url": "https://git.kernel.org/stable/c/af37aed04997e644f7e1b52b696b62dcae3cc016" }, { - "url": "https://git.kernel.org/stable/c/a7ae586f6f6024f490b8546c8c84670f96bb9b68" + "url": "https://git.kernel.org/stable/c/910363473e4bf97da3c350e08d915546dd6cc30b" }, { - "url": "https://git.kernel.org/stable/c/82722b453dc2f967b172603e389ee7dc1b3137cc" + "url": "https://git.kernel.org/linus/d0b07f712bf61e1a3cf23c87c663791c42e50837(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/97830f3c3088638ff90b20dfba2eb4d487bf14d7(6.8-rc3)" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26606" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27073" } ], - "bom-ref": "vuln-76", + "bom-ref": "vuln-708", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27073" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.", + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ttpci: fix two memleaks in budget_av_attach\n\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-26606", + "id": "CVE-2024-27073", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27073" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef" }, { - "url": "https://lore.kernel.org/all/20231222161317.6255-1-2045gemini@gmail.com/T/" + "url": "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27010" + }, + { + "url": "https://git.kernel.org/linus/0f022d32c3eca477fbf79a205243a6123ed0fe11(6.9-rc5)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24858" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-77", + "bom-ref": "vuln-709", "ratings": [ - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" - } - }, { "severity": "none", - "score": 0.00044, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27010" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2024-24858", + "id": "CVE-2024-27010", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27010" }, - "cwes": [ - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:20Z" + "updated": "2024-05-13T08:15:11Z" }, { "advisories": [ { - "url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + "url": "https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0597" + "url": "https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + "url": "https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:6901" + "url": "https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750" }, { - "url": "https://lore.kernel.org/lkml/Yz/mfJ1gjgshF19t@hirez.programming.kicks-ass.net/" + "url": "https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-2" + "url": "https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb" }, { - "url": "https://ubuntu.com/security/notices/USN-6235-1" + "url": "https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-1" + "url": "https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157" }, { - "url": "https://ubuntu.com/security/notices/USN-6462-1" + "url": "https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-3" + "url": "https://git.kernel.org/linus/3d75b8aa5c29058a512db29da7cbee8052724157(6.9-rc1)" }, { - "url": "https://ubuntu.com/security/notices/USN-6462-2" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26976" }, { - "url": "https://ubuntu.com/security/notices/USN-6206-1" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-710", + "ratings": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-0597" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26976" + } + } + ], + "created": "2024-05-01T06:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put. Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n \n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n \n __schedule+0x33f/0xa40\n schedule+0x53/0xc0\n schedule_timeout+0x12a/0x140\n __wait_for_common+0x8d/0x1d0\n __flush_work.isra.0+0x19f/0x2c0\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n kvm_put_kvm+0x1c1/0x320 [kvm]\n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n __kvm_vcpu_wake_up(vcpu);\n\n mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6300-1" - }, + "ref": "comp-24" + } + ], + "id": "CVE-2024-26976", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26976" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6311-1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8" }, { - "url": "https://ubuntu.com/security/notices/USN-6332-1" + "url": "https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7077" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6347-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35946" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:6583" + "url": "https://git.kernel.org/linus/7e11a2966f51695c0af0b1f976a32d64dee243b2(6.9-rc1)" } ], - "bom-ref": "vuln-78", + "bom-ref": "vuln-711", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35946" } } ], - "created": "2023-02-23T20:15:12Z", - "description": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.", + "created": "2024-05-19T11:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use vif that weren't scanning.\nFix this by using the actual scanning vif.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-0597", + "id": "CVE-2024-35946", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35946" }, - "cwes": [ - 401, - 200 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-07-28T15:15:09Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" - } - ] + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-3640" + "url": "https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217523" + "url": "https://git.kernel.org/stable/c/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66dfde68492" + }, + { + "url": "https://git.kernel.org/stable/c/950d4d74d311a18baed6878dbfba8180d7e5dddd" + }, + { + "url": "https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f" + }, + { + "url": "https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050" + }, + { + "url": "https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64" + }, + { + "url": "https://git.kernel.org/stable/c/62a5dcd9bd3097e9813de62fa6f22815e84a0172" + }, + { + "url": "https://git.kernel.org/linus/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e(6.8-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27413" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3640" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-79", + "bom-ref": "vuln-712", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27413" } } ], - "created": "2023-07-24T16:15:13Z", - "description": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/capsule-loader: fix incorrect allocation size\n\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\n\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n | ^\n\nUse the correct type instead here.", "affects": [ { "ref": "comp-24" } ], - "id": "CVE-2023-3640", + "id": "CVE-2024-27413", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27413" }, - "cwes": [ - 203 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:19:13Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-24", + "value": "0:6.1.82-1" } ] } diff --git a/entrypoint/tests/test_data/scans/nginx:latest.json.scan b/entrypoint/tests/test_data/scans/nginx:latest.json.scan index 8941df9..21b78f6 100644 --- a/entrypoint/tests/test_data/scans/nginx:latest.json.scan +++ b/entrypoint/tests/test_data/scans/nginx:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "7" } ], - "timestamp": "2024-03-05T15:15:08.559Z" + "timestamp": "2024-05-22T15:41:01.904Z" }, "components": [ { @@ -47,7 +51,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -60,7 +64,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -70,13 +74,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -88,7 +86,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -116,7 +114,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -144,7 +142,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -157,7 +155,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -170,7 +168,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -183,7 +181,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -198,7 +196,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -226,7 +224,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -239,7 +237,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -254,7 +252,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -282,7 +280,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -321,7 +319,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -349,7 +347,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -375,7 +373,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -390,7 +388,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -403,7 +401,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -418,7 +416,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -431,7 +429,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -444,7 +442,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -459,7 +457,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -472,7 +470,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -485,7 +483,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -500,7 +498,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -528,7 +526,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -541,7 +539,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -556,7 +554,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -582,7 +580,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -610,7 +608,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -638,7 +636,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -664,7 +662,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -679,7 +677,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -692,7 +690,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -718,7 +716,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -733,7 +731,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -761,7 +759,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -774,7 +772,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -796,7 +794,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -809,7 +807,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -822,7 +820,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -835,7 +833,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -863,7 +861,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -904,7 +902,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -917,7 +915,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -932,7 +930,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -945,7 +943,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -958,7 +956,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -984,7 +982,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -999,7 +997,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1012,7 +1010,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1025,7 +1023,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1038,7 +1036,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1051,7 +1049,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1064,7 +1062,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1077,7 +1075,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1087,13 +1085,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "bom-ref": "comp-80", @@ -1103,7 +1095,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1118,7 +1110,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1131,7 +1123,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1146,7 +1138,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1200,7 +1192,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1228,7 +1220,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1241,7 +1233,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1254,7 +1246,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1282,7 +1274,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1295,7 +1287,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1323,7 +1315,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1351,7 +1343,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1364,7 +1356,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1377,7 +1369,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1392,7 +1384,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1433,7 +1425,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1474,7 +1466,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1502,7 +1494,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1515,7 +1507,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1543,7 +1535,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1556,7 +1548,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1569,7 +1561,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1582,7 +1574,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1608,7 +1600,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1623,7 +1615,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1636,7 +1628,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1649,7 +1641,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1671,7 +1663,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1684,7 +1676,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1712,7 +1704,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1748,72 +1740,89 @@ ] } ], - "serialNumber": "urn:uuid:ad5e2787-5ccb-45c9-a99c-647fe747972a", + "serialNumber": "urn:uuid:adc2a623-8df3-451c-bc98-fbb4714ad453", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://ubuntu.com/security/notices/USN-6737-2" } ], "bom-ref": "vuln-1", "ratings": [ - { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" - } - }, { "severity": "none", - "score": 0.00046, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", "affects": [ { - "ref": "comp-118" + "ref": "comp-2" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-2961", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" }, "cwes": [ - 693 + 787 ], "analysis": { "state": "exploitable" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-05-04T01:15:06Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -1821,166 +1830,184 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-2", + "value": "0:2.36-9+deb12u6" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" - }, - { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" - }, - { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" - }, - { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, - { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" - }, + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-2", + "ratings": [ { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" - }, + "ref": "comp-2" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-2", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" - }, + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-3", + "ratings": [ { - "url": "https://ubuntu.com/security/notices/USN-6642-1" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6665-1" - }, + "ref": "comp-2" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-2", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://ubuntu.com/security/notices/USN-6719-2" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://ubuntu.com/security/notices/USN-6719-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" } ], - "bom-ref": "vuln-2", + "bom-ref": "vuln-4", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } - }, { "severity": "none", - "score": 0.0366, + "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "affects": [ { - "ref": "comp-54" + "ref": "comp-72" } ], - "id": "CVE-2023-50387", + "id": "CVE-2024-28085", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" }, - "cwes": [ - 770 - ], "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-01T18:15:16Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -1988,23 +2015,84 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-72", + "value": "0:2.38.1-5+deb12u1" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-5", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "affects": [ + { + "ref": "comp-2" + } + ], + "id": "CVE-2024-33599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-2", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" }, { "url": "https://datatracker.ietf.org/doc/html/rfc5155" @@ -2046,11 +2134,38 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, { "url": "https://ubuntu.com/security/notices/USN-6642-1" }, @@ -2058,37 +2173,100 @@ "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" }, { "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, { "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, { "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://ubuntu.com/security/notices/USN-6723-1" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-6", "ratings": [ { "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" } } ], @@ -2107,7 +2285,392 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-118" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-2" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-2", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-54" + } + ], + "id": "CVE-2023-50387", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2115,7 +2678,7 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "value": "2024-05-18T05:37:06Z" } ] } diff --git a/entrypoint/tests/test_data/scans/node:latest.json.scan b/entrypoint/tests/test_data/scans/node:latest.json.scan index 1e011e8..256aa47 100644 --- a/entrypoint/tests/test_data/scans/node:latest.json.scan +++ b/entrypoint/tests/test_data/scans/node:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -17,18 +17,22 @@ }, { "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", - "value": "15" + "value": "24" }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "45" + "value": "64" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "633" } ], - "timestamp": "2024-03-05T15:15:10.147Z" + "timestamp": "2024-05-22T15:41:03.516Z" }, "components": [ { @@ -47,7 +51,7 @@ "version": "72.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -60,7 +64,7 @@ "version": "72.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -73,7 +77,7 @@ "version": "72.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -101,7 +105,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -114,7 +118,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -129,7 +133,7 @@ "version": "1.14-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -142,7 +146,7 @@ "version": "1.14-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -155,7 +159,7 @@ "version": "1.14-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -170,7 +174,7 @@ "version": "4.2.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -196,7 +200,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -211,7 +215,7 @@ "version": "2.39.2-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -221,13 +225,7 @@ "name": "git", "purl": "pkg:deb/debian/git@2.39.2-1.1?arch=amd64&distro=bookworm&epoch=1", "type": "application", - "version": "2.39.2-1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.39.2-1.1" }, { "components": [ @@ -239,7 +237,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -252,7 +250,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -280,7 +278,7 @@ "version": "2.54.7%2Bdfsg-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -293,7 +291,7 @@ "version": "2.54.7%2Bdfsg-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -306,7 +304,7 @@ "version": "2.54.7%2Bdfsg-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -319,7 +317,7 @@ "version": "2.54.7%2Bdfsg-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -347,7 +345,7 @@ "version": "2.10-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -375,7 +373,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -416,7 +414,7 @@ "version": "0.2.5-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -429,7 +427,7 @@ "version": "0.2.5-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -457,7 +455,7 @@ "version": "9.2p1-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -483,7 +481,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -498,7 +496,7 @@ "version": "2022.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -511,7 +509,7 @@ "version": "2022.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -524,7 +522,7 @@ "version": "2022.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -539,7 +537,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -552,7 +550,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -567,7 +565,7 @@ "version": "1.0.9-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -580,7 +578,7 @@ "version": "1.0.9-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -606,7 +604,7 @@ "version": "1.11-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -621,7 +619,7 @@ "version": "0.188-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -649,7 +647,7 @@ "version": "1.0.8-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -677,7 +675,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -690,7 +688,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -705,7 +703,7 @@ "version": "2.1.5-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -718,7 +716,7 @@ "version": "2.1.5-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -731,7 +729,7 @@ "version": "2.1.5-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -759,7 +757,7 @@ "version": "3.1.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -772,7 +770,7 @@ "version": "3.1.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -800,7 +798,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -813,7 +811,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -841,7 +839,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -854,7 +852,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -867,7 +865,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -880,7 +878,7 @@ "version": "1.203", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -908,7 +906,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -921,7 +919,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -936,7 +934,7 @@ "version": "0.8.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -949,7 +947,7 @@ "version": "0.8.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -964,7 +962,7 @@ "version": "1.0.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -986,7 +984,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -999,7 +997,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1027,7 +1025,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1040,7 +1038,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1053,7 +1051,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1081,7 +1079,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1109,7 +1107,7 @@ "version": "2.4.7-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1122,7 +1120,7 @@ "version": "2.4.7-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1161,7 +1159,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1176,7 +1174,7 @@ "version": "2.0.16-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1189,7 +1187,7 @@ "version": "2.0.16-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1204,7 +1202,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1217,7 +1215,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1232,7 +1230,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1260,7 +1258,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1273,7 +1271,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1288,7 +1286,7 @@ "version": "4.0.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1314,7 +1312,7 @@ "version": "1.4.19-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1327,7 +1325,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1342,7 +1340,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1370,7 +1368,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1383,7 +1381,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1396,7 +1394,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1409,7 +1407,7 @@ "version": "1.23-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1424,7 +1422,7 @@ "version": "3.0.11-1%7Edeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1437,7 +1435,7 @@ "version": "3.0.11-1%7Edeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1459,7 +1457,7 @@ "version": "2.9.14%2Bdfsg-1.3%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1487,7 +1485,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1500,7 +1498,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1528,7 +1526,7 @@ "version": "2.14-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1554,7 +1552,7 @@ "version": "2.71-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1569,7 +1567,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1597,7 +1595,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1610,7 +1608,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1623,7 +1621,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1651,7 +1649,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1664,7 +1662,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1692,7 +1690,7 @@ "version": "0.1.29-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1705,7 +1703,7 @@ "version": "0.1.29-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1733,7 +1731,7 @@ "version": "1.74.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1746,7 +1744,7 @@ "version": "1.74.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1759,7 +1757,7 @@ "version": "1.74.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1772,7 +1770,7 @@ "version": "1.74.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1787,7 +1785,7 @@ "version": "2.1-6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1800,7 +1798,7 @@ "version": "2.1-6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1828,7 +1826,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1841,7 +1839,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1869,7 +1867,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1882,7 +1880,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1895,7 +1893,7 @@ "version": "1.4.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1910,7 +1908,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1938,7 +1936,7 @@ "version": "0.6.24-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1951,7 +1949,7 @@ "version": "0.6.24-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1992,7 +1990,7 @@ "version": "2.5.13%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2020,7 +2018,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2033,7 +2031,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2059,7 +2057,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2074,7 +2072,7 @@ "version": "4.0.0%2Bds-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2087,7 +2085,7 @@ "version": "4.0.0%2Bds-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2100,7 +2098,7 @@ "version": "4.0.0%2Bds-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2115,7 +2113,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2128,7 +2126,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2156,7 +2154,7 @@ "version": "1.7.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2169,7 +2167,7 @@ "version": "1.7.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2197,7 +2195,7 @@ "version": "1.1.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2210,7 +2208,7 @@ "version": "1.1.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2238,7 +2236,7 @@ "version": "3.11.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2251,7 +2249,7 @@ "version": "3.11.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2264,7 +2262,7 @@ "version": "3.11.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2277,7 +2275,7 @@ "version": "2.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2292,7 +2290,7 @@ "version": "2.12.1%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2305,7 +2303,7 @@ "version": "2.12.1%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2318,7 +2316,7 @@ "version": "2.12.1%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2346,7 +2344,7 @@ "version": "3.1.6-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2359,7 +2357,7 @@ "version": "3.1.6-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2372,7 +2370,7 @@ "version": "3.1.6-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2387,7 +2385,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2400,7 +2398,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2415,7 +2413,7 @@ "version": "0.2.12-5.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2428,7 +2426,7 @@ "version": "0.2.12-5.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2441,7 +2439,7 @@ "version": "0.2.12-5.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2469,7 +2467,7 @@ "version": "1.0.11-1%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2497,7 +2495,7 @@ "version": "1.14.2-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2538,7 +2536,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2551,7 +2549,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2579,7 +2577,7 @@ "version": "3.5.28-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2592,7 +2590,7 @@ "version": "3.5.28-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2605,7 +2603,7 @@ "version": "3.5.28-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2633,7 +2631,7 @@ "version": "10.11.6-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2646,7 +2644,7 @@ "version": "10.11.6-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2659,7 +2657,7 @@ "version": "10.11.6-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2672,7 +2670,7 @@ "version": "10.11.6-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2682,13 +2680,7 @@ "name": "mariadb", "purl": "pkg:deb/debian/mariadb@10.11.6-0%2Bdeb12u1?arch=amd64&distro=bookworm&epoch=1", "type": "application", - "version": "10.11.6-0%2Bdeb12u1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "10.11.6-0%2Bdeb12u1" }, { "components": [ @@ -2700,7 +2692,7 @@ "version": "1.52.0-1%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2710,13 +2702,7 @@ "name": "nghttp2", "purl": "pkg:deb/debian/nghttp2@1.52.0-1%2Bdeb12u1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "1.52.0-1%2Bdeb12u1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.52.0-1%2Bdeb12u1" }, { "components": [ @@ -2728,7 +2714,7 @@ "version": "2.4%2B20151223.gitfa8646d.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2756,7 +2742,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2769,7 +2755,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2782,7 +2768,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2795,7 +2781,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2808,7 +2794,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2821,7 +2807,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2834,7 +2820,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2847,7 +2833,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2860,7 +2846,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2873,7 +2859,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2883,13 +2869,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -2901,7 +2881,7 @@ "version": "5.44-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2914,7 +2894,7 @@ "version": "5.44-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2942,7 +2922,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2955,7 +2935,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2968,7 +2948,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2981,7 +2961,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2994,7 +2974,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3007,7 +2987,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3020,7 +3000,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3033,7 +3013,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3046,7 +3026,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3059,7 +3039,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3072,7 +3052,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3085,7 +3065,7 @@ "version": "6.9.11.60%2Bdfsg-1.6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3107,7 +3087,7 @@ "version": "2.14-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3120,7 +3100,7 @@ "version": "2.14-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3148,7 +3128,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3161,7 +3141,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3189,7 +3169,7 @@ "version": "1.2.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3202,7 +3182,7 @@ "version": "1.2.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3215,7 +3195,7 @@ "version": "1.2.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3230,7 +3210,7 @@ "version": "1.8.4-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3243,7 +3223,7 @@ "version": "1.8.4-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3256,7 +3236,7 @@ "version": "1.8.4-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3284,7 +3264,7 @@ "version": "1.1.0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3297,7 +3277,7 @@ "version": "1.1.0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3310,7 +3290,7 @@ "version": "1.1.0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3325,7 +3305,7 @@ "version": "1.21.22", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3338,7 +3318,7 @@ "version": "1.21.22", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3366,7 +3346,7 @@ "version": "1.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3379,7 +3359,7 @@ "version": "1.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3392,7 +3372,7 @@ "version": "1.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3407,7 +3387,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3420,7 +3400,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3433,7 +3413,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3446,7 +3426,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3459,7 +3439,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3487,7 +3467,7 @@ "version": "4.5.0-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3500,7 +3480,7 @@ "version": "4.5.0-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3513,7 +3493,7 @@ "version": "4.5.0-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3541,7 +3521,7 @@ "version": "1.3.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3554,7 +3534,7 @@ "version": "1.3.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3569,7 +3549,7 @@ "version": "1.4.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3597,7 +3577,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3610,7 +3590,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3638,7 +3618,7 @@ "version": "1.15.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3666,7 +3646,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3679,7 +3659,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3692,7 +3672,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3705,7 +3685,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3718,7 +3698,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3731,7 +3711,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3744,7 +3724,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3757,7 +3737,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3770,7 +3750,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3783,7 +3763,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3796,7 +3776,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3824,7 +3804,7 @@ "version": "0.25-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3837,7 +3817,7 @@ "version": "0.25-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3852,7 +3832,7 @@ "version": "15.5-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3865,7 +3845,7 @@ "version": "15.5-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3887,7 +3867,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3900,7 +3880,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3913,7 +3893,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3928,7 +3908,7 @@ "version": "1.15-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3941,7 +3921,7 @@ "version": "1.15-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3954,7 +3934,7 @@ "version": "1.15-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3967,7 +3947,7 @@ "version": "1.15-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3980,7 +3960,7 @@ "version": "1.15-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3993,7 +3973,7 @@ "version": "1.15-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4021,7 +4001,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4034,7 +4014,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4047,7 +4027,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4060,7 +4040,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4073,7 +4053,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4086,7 +4066,7 @@ "version": "2.40-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4114,7 +4094,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4127,7 +4107,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4140,7 +4120,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4150,13 +4130,7 @@ "name": "curl", "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "7.88.1-10%2Bdeb12u5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "7.88.1-10%2Bdeb12u5" }, { "bom-ref": "comp-307", @@ -4181,7 +4155,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4194,7 +4168,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4207,7 +4181,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4220,7 +4194,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4233,7 +4207,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4246,7 +4220,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4259,7 +4233,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4272,7 +4246,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4285,7 +4259,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4298,7 +4272,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4326,7 +4300,7 @@ "version": "1.3.14-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4354,7 +4328,7 @@ "version": "3.11.2-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4367,7 +4341,7 @@ "version": "3.11.2-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4380,7 +4354,7 @@ "version": "3.11.2-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4390,13 +4364,7 @@ "name": "python3.11", "purl": "pkg:deb/debian/python3.11@3.11.2-6?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "3.11.2-6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "3.11.2-6" }, { "bom-ref": "comp-325", @@ -4406,7 +4374,7 @@ "version": "20220109.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4421,7 +4389,7 @@ "version": "2.42.10%2Bdfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4434,7 +4402,7 @@ "version": "2.42.10%2Bdfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4447,7 +4415,7 @@ "version": "2.42.10%2Bdfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4460,7 +4428,7 @@ "version": "2.42.10%2Bdfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4473,7 +4441,7 @@ "version": "2.42.10%2Bdfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4501,7 +4469,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4514,7 +4482,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4536,7 +4504,7 @@ "version": "3.5-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4562,7 +4530,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4577,7 +4545,7 @@ "version": "7.7%2B23", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4603,7 +4571,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4618,7 +4586,7 @@ "version": "2.74.6-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4631,7 +4599,7 @@ "version": "2.74.6-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4644,7 +4612,7 @@ "version": "2.74.6-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4657,7 +4625,7 @@ "version": "2.74.6-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4670,7 +4638,7 @@ "version": "2.74.6-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4680,13 +4648,7 @@ "name": "glib2.0", "purl": "pkg:deb/debian/glib2.0@2.74.6-2?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.74.6-2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.74.6-2" }, { "components": [ @@ -4698,7 +4660,7 @@ "version": "2.1.12-stable-8", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4711,7 +4673,7 @@ "version": "2.1.12-stable-8", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4724,7 +4686,7 @@ "version": "2.1.12-stable-8", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4737,7 +4699,7 @@ "version": "2.1.12-stable-8", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4750,7 +4712,7 @@ "version": "2.1.12-stable-8", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4763,7 +4725,7 @@ "version": "2.1.12-stable-8", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4791,7 +4753,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4804,7 +4766,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4845,7 +4807,7 @@ "version": "1.7.2-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4873,7 +4835,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4886,7 +4848,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4914,7 +4876,7 @@ "version": "1.12.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4927,7 +4889,7 @@ "version": "1.12.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4942,7 +4904,7 @@ "version": "1.0.10-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4955,7 +4917,7 @@ "version": "1.0.10-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4983,7 +4945,7 @@ "version": "1.3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4996,7 +4958,7 @@ "version": "1.3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5024,7 +4986,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5037,7 +4999,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5050,7 +5012,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5063,7 +5025,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5076,7 +5038,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5089,7 +5051,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5102,7 +5064,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5115,7 +5077,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5128,7 +5090,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5141,7 +5103,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5154,7 +5116,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5167,7 +5129,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5180,7 +5142,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5193,7 +5155,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5206,7 +5168,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5219,7 +5181,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5241,7 +5203,7 @@ "version": "3.3.10-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5254,7 +5216,7 @@ "version": "3.3.10-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5269,7 +5231,7 @@ "version": "2.5.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5282,7 +5244,7 @@ "version": "2.5.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5292,7 +5254,13 @@ "name": "expat", "purl": "pkg:deb/debian/expat@2.5.0-1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.5.0-1" + "version": "2.5.0-1", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." + } + ] }, { "components": [ @@ -5304,7 +5272,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5317,7 +5285,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5330,7 +5298,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5343,7 +5311,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5356,7 +5324,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5384,7 +5352,7 @@ "version": "6.1.76-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5404,7 +5372,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5419,7 +5387,7 @@ "version": "1.6.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5447,7 +5415,7 @@ "version": "3.1-20221030-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5460,7 +5428,7 @@ "version": "3.1-20221030-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5475,7 +5443,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5503,7 +5471,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5529,7 +5497,7 @@ "version": "10.0.0", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5555,7 +5523,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5570,7 +5538,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5583,7 +5551,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5596,7 +5564,7 @@ "version": "0.17-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5611,7 +5579,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5624,7 +5592,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5637,7 +5605,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5650,7 +5618,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5660,13 +5628,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -5678,7 +5640,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5691,7 +5653,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5706,7 +5668,7 @@ "version": "0.4.2-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5719,7 +5681,7 @@ "version": "0.4.2-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5732,7 +5694,7 @@ "version": "0.4.2-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5747,7 +5709,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5760,7 +5722,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5773,7 +5735,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5786,7 +5748,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5801,7 +5763,7 @@ "version": "1.10.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5827,7 +5789,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5842,7 +5804,7 @@ "version": "2.37-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5855,7 +5817,7 @@ "version": "2.37-6", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5870,7 +5832,7 @@ "version": "1.2.1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5883,7 +5845,7 @@ "version": "1.2.1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5909,7 +5871,7 @@ "version": "6.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5924,7 +5886,7 @@ "version": "1.2.4-0.2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5937,7 +5899,7 @@ "version": "1.2.4-0.2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5950,7 +5912,7 @@ "version": "1.2.4-0.2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5963,7 +5925,7 @@ "version": "1.2.4-0.2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5991,7 +5953,7 @@ "version": "0.9.10-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6004,7 +5966,7 @@ "version": "0.9.10-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6030,7 +5992,7 @@ "version": "0.17029-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6045,7 +6007,7 @@ "version": "0.42.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6058,7 +6020,7 @@ "version": "0.42.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6086,7 +6048,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6099,7 +6061,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6114,7 +6076,7 @@ "version": "6.3.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6153,7 +6115,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6168,7 +6130,7 @@ "version": "6.0.0%2Bdfsg-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6196,7 +6158,7 @@ "version": "1.50.12%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6209,7 +6171,7 @@ "version": "1.50.12%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6222,7 +6184,7 @@ "version": "1.50.12%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6250,7 +6212,7 @@ "version": "2.8.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6263,7 +6225,7 @@ "version": "2.8.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6276,7 +6238,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6291,7 +6253,7 @@ "version": "1.16.0-7", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6304,7 +6266,7 @@ "version": "1.16.0-7", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6317,7 +6279,7 @@ "version": "1.16.0-7", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6330,7 +6292,7 @@ "version": "1.16.0-7", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6358,7 +6320,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6371,7 +6333,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6397,7 +6359,7 @@ "version": "3.0043%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6412,7 +6374,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6425,7 +6387,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6438,7 +6400,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6451,7 +6413,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6464,7 +6426,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6477,7 +6439,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6490,7 +6452,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6503,7 +6465,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6531,7 +6493,7 @@ "version": "1.3.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6544,7 +6506,7 @@ "version": "1.3.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6557,7 +6519,7 @@ "version": "1.3.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6572,7 +6534,7 @@ "version": "2.14.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6585,7 +6547,7 @@ "version": "2.14.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6598,7 +6560,7 @@ "version": "2.14.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6624,7 +6586,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6639,7 +6601,7 @@ "version": "3.6.0-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6667,7 +6629,7 @@ "version": "0.2.13-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6680,7 +6642,7 @@ "version": "0.2.13-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6695,7 +6657,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6708,7 +6670,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6721,7 +6683,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6736,7 +6698,7 @@ "version": "1.3.3%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6749,7 +6711,7 @@ "version": "1.3.3%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6762,7 +6724,7 @@ "version": "1.3.3%2Bds-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6790,7 +6752,7 @@ "version": "1.16.5-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6803,7 +6765,7 @@ "version": "1.16.5-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6816,7 +6778,7 @@ "version": "20230311", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6831,7 +6793,7 @@ "version": "5.3.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6844,7 +6806,7 @@ "version": "5.3.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6859,7 +6821,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6872,7 +6834,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6900,7 +6862,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6913,7 +6875,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6926,7 +6888,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6939,7 +6901,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6967,7 +6929,7 @@ "version": "1.6.39-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -6980,7 +6942,7 @@ "version": "1.6.39-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7008,7 +6970,7 @@ "version": "1.3.9-11", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7036,7 +6998,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7049,7 +7011,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7064,7 +7026,7 @@ "version": "1.1.35-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7077,7 +7039,7 @@ "version": "1.1.35-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7118,7 +7080,7 @@ "version": "0.11.7-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7146,7 +7108,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7159,7 +7121,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7174,7 +7136,7 @@ "version": "0.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7187,7 +7149,7 @@ "version": "0.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7202,7 +7164,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7215,7 +7177,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7228,7 +7190,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7241,7 +7203,7 @@ "version": "3.11.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7256,7 +7218,7 @@ "version": "4.3-4.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7269,7 +7231,7 @@ "version": "4.3-4.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7297,7 +7259,7 @@ "version": "2.5.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7310,7 +7272,7 @@ "version": "2.5.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7338,7 +7300,7 @@ "version": "1.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7351,7 +7313,7 @@ "version": "1.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7364,7 +7326,7 @@ "version": "1.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7394,7 +7356,7 @@ "value": "/usr/local/lib/node_modules/corepack/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7411,7 +7373,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@colors/colors/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7428,7 +7390,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@isaacs/cliui/node_modules/emoji-regex/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7445,7 +7407,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@isaacs/cliui/node_modules/string-width/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7462,7 +7424,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@isaacs/cliui/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7479,7 +7441,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@isaacs/string-locale-compare/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7496,7 +7458,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/agent/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7530,7 +7492,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/config/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7547,7 +7509,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/disparity-colors/node_modules/ansi-styles/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7564,7 +7526,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/disparity-colors/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7581,7 +7543,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/fs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7615,7 +7577,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/installed-package-contents/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7632,7 +7594,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/map-workspaces/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7649,7 +7611,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/metavuln-calculator/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7666,7 +7628,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/name-from-folder/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7683,7 +7645,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/node-gyp/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7700,7 +7662,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/package-json/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7717,7 +7679,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/promise-spawn/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7734,7 +7696,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/query/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7751,7 +7713,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@npmcli/run-script/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7768,7 +7730,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@pkgjs/parseargs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7785,7 +7747,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@sigstore/bundle/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7802,7 +7764,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@sigstore/protobuf-specs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7819,7 +7781,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@sigstore/sign/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7836,7 +7798,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@sigstore/tuf/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7853,7 +7815,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@tufjs/canonical-json/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7870,7 +7832,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/@tufjs/models/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7887,7 +7849,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/abbrev/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7904,7 +7866,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/abort-controller/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7921,7 +7883,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/agent-base/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7938,7 +7900,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/aggregate-error/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7972,7 +7934,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/ansi-styles/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -7989,7 +7951,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/aproba/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8006,7 +7968,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/archy/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8023,7 +7985,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/are-we-there-yet/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8040,7 +8002,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/balanced-match/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8057,7 +8019,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/base64-js/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8091,7 +8053,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/binary-extensions/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8125,7 +8087,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/buffer/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8142,7 +8104,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/builtins/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8159,7 +8121,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cacache/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8176,7 +8138,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/chalk/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8210,7 +8172,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/ci-info/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8227,7 +8189,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cidr-regex/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8244,7 +8206,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/clean-stack/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8278,7 +8240,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cli-columns/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8295,7 +8257,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cli-columns/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8312,7 +8274,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cli-table3/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8329,7 +8291,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/clone/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8346,7 +8308,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cmd-shim/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8363,7 +8325,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/color-convert/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8380,7 +8342,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/color-name/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8397,7 +8359,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/color-support/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8431,7 +8393,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/columnify/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8448,7 +8410,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/columnify/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8465,7 +8427,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/common-ancestor-path/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8482,7 +8444,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/console-control-strings/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8499,7 +8461,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cross-spawn/node_modules/which/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8516,7 +8478,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cross-spawn/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8533,7 +8495,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/cssesc/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8584,7 +8546,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/defaults/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8601,7 +8563,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/delegates/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8635,7 +8597,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/eastasianwidth/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8652,7 +8614,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/emoji-regex/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8669,7 +8631,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/encoding/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8686,7 +8648,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/env-paths/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8703,7 +8665,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/err-code/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8720,7 +8682,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/event-target-shim/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8737,7 +8699,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/events/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8754,7 +8716,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/exponential-backoff/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8771,14 +8733,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/fastest-levenshtein/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-629", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -8793,7 +8755,7 @@ }, { "bom-ref": "comp-630", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -8818,7 +8780,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/foreground-child/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8835,7 +8797,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/fs-minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8852,7 +8814,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/function-bind/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8886,7 +8848,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/gauge/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8903,14 +8865,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/gauge/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-637", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -8925,7 +8887,7 @@ }, { "bom-ref": "comp-638", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -8950,7 +8912,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/glob/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8967,7 +8929,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/graceful-fs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -8984,7 +8946,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/has-unicode/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9001,7 +8963,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/hasown/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9086,7 +9048,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/iconv-lite/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9103,7 +9065,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/ieee754/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9120,7 +9082,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/ignore-walk/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9137,7 +9099,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/imurmurhash/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9154,7 +9116,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/indent-string/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9188,7 +9150,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/init-package-json/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9218,7 +9180,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/ip-regex/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9235,7 +9197,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/is-cidr/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9252,7 +9214,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/is-core-module/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9269,7 +9231,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/is-fullwidth-code-point/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9286,7 +9248,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/is-lambda/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9303,14 +9265,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/isexe/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-661", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9325,7 +9287,7 @@ }, { "bom-ref": "comp-662", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9350,7 +9312,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/jackspeak/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9367,7 +9329,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/json-parse-even-better-errors/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9384,7 +9346,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/json-stringify-nice/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9401,7 +9363,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/jsonparse/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9418,7 +9380,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/just-diff/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9435,7 +9397,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/just-diff-apply/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9452,7 +9414,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmaccess/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9469,7 +9431,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmdiff/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9486,7 +9448,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmexec/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9503,7 +9465,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmfund/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9520,7 +9482,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmhook/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9537,7 +9499,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmorg/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9554,7 +9516,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmpack/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9571,7 +9533,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmpublish/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9588,7 +9550,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmsearch/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9605,7 +9567,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmteam/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9622,14 +9584,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/libnpmversion/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-680", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9644,7 +9606,7 @@ }, { "bom-ref": "comp-681", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9669,7 +9631,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/lru-cache/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9686,14 +9648,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/make-fetch-happen/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-684", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9708,7 +9670,7 @@ }, { "bom-ref": "comp-685", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9740,7 +9702,7 @@ }, { "bom-ref": "comp-687", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9755,7 +9717,7 @@ }, { "bom-ref": "comp-688", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -9780,7 +9742,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9797,7 +9759,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-collect/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9814,7 +9776,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-collect/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9831,7 +9793,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-fetch/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9848,7 +9810,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-flush/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9865,7 +9827,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-flush/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9882,7 +9844,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-json-stream/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9899,7 +9861,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-json-stream/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9916,7 +9878,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-pipeline/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9933,7 +9895,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-pipeline/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9950,7 +9912,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-sized/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9967,7 +9929,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minipass-sized/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -9984,7 +9946,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minizlib/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10001,7 +9963,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/minizlib/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10018,7 +9980,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/mkdirp/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10052,7 +10014,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/mute-stream/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10086,7 +10048,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/node-gyp/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10103,7 +10065,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/nopt/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10120,7 +10082,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/normalize-package-data/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10137,7 +10099,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-audit-report/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10154,7 +10116,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-bundled/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10171,7 +10133,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-install-checks/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10188,7 +10150,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-normalize-package-bin/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10205,7 +10167,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-package-arg/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10222,7 +10184,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-packlist/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10239,7 +10201,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-pick-manifest/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10256,7 +10218,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npm-profile/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10307,7 +10269,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/npmlog/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10324,7 +10286,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/p-map/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10341,7 +10303,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/pacote/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10358,7 +10320,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/parse-conflict-json/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10375,14 +10337,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/path-key/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-725", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -10397,7 +10359,7 @@ }, { "bom-ref": "comp-726", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -10422,7 +10384,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/path-scurry/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10439,7 +10401,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/postcss-selector-parser/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10456,7 +10418,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/proc-log/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10473,7 +10435,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/process/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10490,7 +10452,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/promise-all-reject-late/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10507,7 +10469,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/promise-call-limit/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10524,7 +10486,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/promise-inflight/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10541,7 +10503,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/promise-retry/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10558,7 +10520,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/promzard/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10575,7 +10537,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/qrcode-terminal/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10592,7 +10554,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/read/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10609,7 +10571,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/read-cmd-shim/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10626,7 +10588,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/read-package-json/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10643,7 +10605,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/read-package-json-fast/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10660,7 +10622,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/readable-stream/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10677,7 +10639,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/retry/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10694,7 +10656,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/safe-buffer/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10711,7 +10673,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/safer-buffer/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10728,7 +10690,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/semver/node_modules/lru-cache/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10762,7 +10724,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/set-blocking/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10779,7 +10741,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/shebang-command/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10796,14 +10758,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/shebang-regex/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-750", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -10818,7 +10780,7 @@ }, { "bom-ref": "comp-751", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -10843,7 +10805,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/signal-exit/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10860,7 +10822,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/sigstore/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10877,7 +10839,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/smart-buffer/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10894,7 +10856,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/socks/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10911,7 +10873,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/socks-proxy-agent/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10928,7 +10890,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/spdx-correct/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10945,7 +10907,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/spdx-exceptions/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10962,7 +10924,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/spdx-expression-parse/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -10979,7 +10941,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/spdx-license-ids/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11030,7 +10992,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11047,7 +11009,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/string-width/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11081,7 +11043,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/string-width-cjs/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11098,7 +11060,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/string-width-cjs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11115,7 +11077,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/string_decoder/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11132,7 +11094,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11166,7 +11128,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/strip-ansi-cjs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11183,7 +11145,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/supports-color/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11200,7 +11162,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/tar/node_modules/fs-minipass/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11217,7 +11179,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/tar/node_modules/fs-minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11234,7 +11196,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/tar/node_modules/minipass/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11249,10 +11211,6 @@ { "name": "amazon:inspector:sbom_scanner:path", "value": "/usr/local/lib/node_modules/npm/node_modules/tar/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." } ] }, @@ -11268,7 +11226,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/text-table/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11285,7 +11243,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/tiny-relative-date/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11302,7 +11260,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/treeverse/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11319,7 +11277,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/tuf-js/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11336,7 +11294,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/unique-filename/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11353,7 +11311,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/unique-slug/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11370,7 +11328,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/util-deprecate/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11387,7 +11345,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/validate-npm-package-license/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11404,14 +11362,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/validate-npm-package-name/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-786", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -11426,7 +11384,7 @@ }, { "bom-ref": "comp-787", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -11451,7 +11409,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/walk-up-path/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11468,14 +11426,14 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wcwidth/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] }, { "bom-ref": "comp-790", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -11490,7 +11448,7 @@ }, { "bom-ref": "comp-791", - "purl": "pkg%3Anpm/", + "purl": "pkg:npm/", "type": "library", "properties": [ { @@ -11515,7 +11473,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/which/node_modules/isexe/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11532,7 +11490,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/which/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11549,7 +11507,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wide-align/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11566,7 +11524,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/emoji-regex/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11583,7 +11541,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wrap-ansi/node_modules/string-width/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11600,7 +11558,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wrap-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11634,7 +11592,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wrap-ansi-cjs/node_modules/ansi-styles/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11651,7 +11609,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wrap-ansi-cjs/node_modules/strip-ansi/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11668,7 +11626,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/wrap-ansi-cjs/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11685,7 +11643,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/write-file-atomic/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11702,7 +11660,7 @@ "value": "/usr/local/lib/node_modules/npm/node_modules/yallist/package.json" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -11725,3980 +11683,47267 @@ ] } ], - "serialNumber": "urn:uuid:6c27b0fe-ee5d-4cd6-af22-6aa5facae3dc", + "serialNumber": "urn:uuid:769daeac-4a1f-4709-9d08-c386b673cbd7", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://git.kernel.org/stable/c/135e5465fefa463c5ec93c4eede48b9fedac894a" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://git.kernel.org/stable/c/7f31a244c753aacf40b71d01f03ca6742f81bbbc" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://git.kernel.org/stable/c/95175dda017cd4982cd47960536fa1de003d3298" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + "url": "https://git.kernel.org/stable/c/5ba4e6d5863c53e937f49932dee0ecb004c65928" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://git.kernel.org/stable/c/5639414a52a29336ffa1ede80a67c6d927acbc5a" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://git.kernel.org/stable/c/bab8875c06ebda5e01c5c4cab30022aed85c14e6" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://git.kernel.org/linus/5ba4e6d5863c53e937f49932dee0ecb004c65928(6.8-rc6)" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26743" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-1", + "ratings": [ { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26743" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/qedr: Fix qedr_create_user_qp error flow\n\nAvoid the following warning by making sure to free the allocated\nresources in case that qedr_init_user_queue() fail.\n\n-----------[ cut here ]-----------\nWARNING: CPU: 0 PID: 143192 at drivers/infiniband/core/rdma_core.c:874 uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nModules linked in: tls target_core_user uio target_core_pscsi target_core_file target_core_iblock ib_srpt ib_srp scsi_transport_srp nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs 8021q garp mrp stp llc ext4 mbcache jbd2 opa_vnic ib_umad ib_ipoib sunrpc rdma_ucm ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm hfi1 intel_rapl_msr intel_rapl_common mgag200 qedr sb_edac drm_shmem_helper rdmavt x86_pkg_temp_thermal drm_kms_helper intel_powerclamp ib_uverbs coretemp i2c_algo_bit kvm_intel dell_wmi_descriptor ipmi_ssif sparse_keymap kvm ib_core rfkill syscopyarea sysfillrect video sysimgblt irqbypass ipmi_si ipmi_devintf fb_sys_fops rapl iTCO_wdt mxm_wmi iTCO_vendor_support intel_cstate pcspkr dcdbas intel_uncore ipmi_msghandler lpc_ich acpi_power_meter mei_me mei fuse drm xfs libcrc32c qede sd_mod ahci libahci t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel qed libata tg3\nghash_clmulni_intel megaraid_sas crc8 wmi [last unloaded: ib_srpt]\nCPU: 0 PID: 143192 Comm: fi_rdm_tagged_p Kdump: loaded Not tainted 5.14.0-408.el9.x86_64 #1\nHardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 2.14.0 01/25/2022\nRIP: 0010:uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nCode: 5d 41 5c 41 5d 41 5e e9 0f 26 1b dd 48 89 df e8 67 6a ff ff 49 8b 86 10 01 00 00 48 85 c0 74 9c 4c 89 e7 e8 83 c0 cb dd eb 92 <0f> 0b eb be 0f 0b be 04 00 00 00 48 89 df e8 8e f5 ff ff e9 6d ff\nRSP: 0018:ffffb7c6cadfbc60 EFLAGS: 00010286\nRAX: ffff8f0889ee3f60 RBX: ffff8f088c1a5200 RCX: 00000000802a0016\nRDX: 00000000802a0017 RSI: 0000000000000001 RDI: ffff8f0880042600\nRBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000\nR10: ffff8f11fffd5000 R11: 0000000000039000 R12: ffff8f0d5b36cd80\nR13: ffff8f088c1a5250 R14: ffff8f1206d91000 R15: 0000000000000000\nFS: 0000000000000000(0000) GS:ffff8f11d7c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000147069200e20 CR3: 00000001c7210002 CR4: 00000000001706f0\nCall Trace:\n\n? show_trace_log_lvl+0x1c4/0x2df\n? show_trace_log_lvl+0x1c4/0x2df\n? ib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? __warn+0x81/0x110\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\n? report_bug+0x10a/0x140\n? handle_bug+0x3c/0x70\n? exc_invalid_op+0x14/0x70\n? asm_exc_invalid_op+0x16/0x20\n? uverbs_destroy_ufile_hw+0xcf/0xf0 [ib_uverbs]\nib_uverbs_close+0x1f/0xb0 [ib_uverbs]\n__fput+0x94/0x250\ntask_work_run+0x5c/0x90\ndo_exit+0x270/0x4a0\ndo_group_exit+0x2d/0x90\nget_signal+0x87c/0x8c0\narch_do_signal_or_restart+0x25/0x100\n? ib_uverbs_ioctl+0xc2/0x110 [ib_uverbs]\nexit_to_user_mode_loop+0x9c/0x130\nexit_to_user_mode_prepare+0xb6/0x100\nsyscall_exit_to_user_mode+0x12/0x40\ndo_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? syscall_exit_work+0x103/0x130\n? syscall_exit_to_user_mode+0x22/0x40\n? do_syscall_64+0x69/0x90\n? do_syscall_64+0x69/0x90\n? common_interrupt+0x43/0xa0\nentry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x1470abe3ec6b\nCode: Unable to access opcode bytes at RIP 0x1470abe3ec41.\nRSP: 002b:00007fff13ce9108 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: fffffffffffffffc RBX: 00007fff13ce9218 RCX: 00001470abe3ec6b\nRDX: 00007fff13ce9200 RSI: 00000000c0181b01 RDI: 0000000000000004\nRBP: 00007fff13ce91e0 R08: 0000558d9655da10 R09: 0000558d9655dd00\nR10: 00007fff13ce95c0 R11: 0000000000000246 R12: 00007fff13ce9358\nR13: 0000000000000013 R14: 0000558d9655db50 R15: 00007fff13ce9470\n\n--[ end trace 888a9b92e04c5c97 ]--", + "affects": [ { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" - }, + "ref": "comp-399" + } + ], + "id": "CVE-2024-26743", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26743" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://git.kernel.org/stable/c/3d1b47e3a935abd4f258a945db87e7267ff4079c" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://git.kernel.org/stable/c/18451798f4a4e7418b9fad7e7dd313fe84b1f545" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://git.kernel.org/stable/c/5abffb66d12bcac84bf7b66389c571b8bb6e82bd" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://git.kernel.org/linus/5abffb66d12bcac84bf7b66389c571b8bb6e82bd(6.9-rc1)" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" - }, + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35927" + } + ], + "bom-ref": "vuln-2", + "ratings": [ { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" - }, + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35927" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabling\n\nIn drm_kms_helper_poll_disable() check if output polling\nsupport is initialized before disabling polling. If not flag\nthis as a warning.\nAdditionally in drm_mode_config_helper_suspend() and\ndrm_mode_config_helper_resume() calls, that re the callers of these\nfunctions, avoid invoking them if polling is not initialized.\nFor drivers like hyperv-drm, that do not initialize connector\npolling, if suspend is called without this check, it leads to\nsuspend failure with following stack\n[ 770.719392] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.\n[ 770.720592] printk: Suspending console(s) (use no_console_suspend to debug)\n[ 770.948823] ------------[ cut here ]------------\n[ 770.948824] WARNING: CPU: 1 PID: 17197 at kernel/workqueue.c:3162 __flush_work.isra.0+0x212/0x230\n[ 770.948831] Modules linked in: rfkill nft_counter xt_conntrack xt_owner udf nft_compat crc_itu_t nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables nfnetlink vfat fat mlx5_ib ib_uverbs ib_core mlx5_core intel_rapl_msr intel_rapl_common kvm_amd ccp mlxfw kvm psample hyperv_drm tls drm_shmem_helper drm_kms_helper irqbypass pcspkr syscopyarea sysfillrect sysimgblt hv_balloon hv_utils joydev drm fuse xfs libcrc32c pci_hyperv pci_hyperv_intf sr_mod sd_mod cdrom t10_pi sg hv_storvsc scsi_transport_fc hv_netvsc serio_raw hyperv_keyboard hid_hyperv crct10dif_pclmul crc32_pclmul crc32c_intel hv_vmbus ghash_clmulni_intel dm_mirror dm_region_hash dm_log dm_mod\n[ 770.948863] CPU: 1 PID: 17197 Comm: systemd-sleep Not tainted 5.14.0-362.2.1.el9_3.x86_64 #1\n[ 770.948865] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022\n[ 770.948866] RIP: 0010:__flush_work.isra.0+0x212/0x230\n[ 770.948869] Code: 8b 4d 00 4c 8b 45 08 89 ca 48 c1 e9 04 83 e2 08 83 e1 0f 83 ca 02 89 c8 48 0f ba 6d 00 03 e9 25 ff ff ff 0f 0b e9 4e ff ff ff <0f> 0b 45 31 ed e9 44 ff ff ff e8 8f 89 b2 00 66 66 2e 0f 1f 84 00\n[ 770.948870] RSP: 0018:ffffaf4ac213fb10 EFLAGS: 00010246\n[ 770.948871] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8c992857\n[ 770.948872] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff9aad82b00330\n[ 770.948873] RBP: ffff9aad82b00330 R08: 0000000000000000 R09: ffff9aad87ee3d10\n[ 770.948874] R10: 0000000000000200 R11: 0000000000000000 R12: ffff9aad82b00330\n[ 770.948874] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001\n[ 770.948875] FS: 00007ff1b2f6bb40(0000) GS:ffff9aaf37d00000(0000) knlGS:0000000000000000\n[ 770.948878] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 770.948878] CR2: 0000555f345cb666 CR3: 00000001462dc005 CR4: 0000000000370ee0\n[ 770.948879] Call Trace:\n[ 770.948880] \n[ 770.948881] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948884] ? show_trace_log_lvl+0x1c4/0x2df\n[ 770.948886] ? __cancel_work_timer+0x103/0x190\n[ 770.948887] ? __flush_work.isra.0+0x212/0x230\n[ 770.948889] ? __warn+0x81/0x110\n[ 770.948891] ? __flush_work.isra.0+0x212/0x230\n[ 770.948892] ? report_bug+0x10a/0x140\n[ 770.948895] ? handle_bug+0x3c/0x70\n[ 770.948898] ? exc_invalid_op+0x14/0x70\n[ 770.948899] ? asm_exc_invalid_op+0x16/0x20\n[ 770.948903] ? __flush_work.isra.0+0x212/0x230\n[ 770.948905] __cancel_work_timer+0x103/0x190\n[ 770.948907] ? _raw_spin_unlock_irqrestore+0xa/0x30\n[ 770.948910] drm_kms_helper_poll_disable+0x1e/0x40 [drm_kms_helper]\n[ 770.948923] drm_mode_config_helper_suspend+0x1c/0x80 [drm_kms_helper]\n[ 770.948933] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948942] hyperv_vmbus_suspend+0x17/0x40 [hyperv_drm]\n[ 770.948944] ? __pfx_vmbus_suspend+0x10/0x10 [hv_vmbus]\n[ 770.948951] dpm_run_callback+0x4c/0x140\n[ 770.948954] __device_suspend_noir\n---truncated---", + "affects": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" - }, + "ref": "comp-399" + } + ], + "id": "CVE-2024-35927", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35927" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://git.kernel.org/stable/c/1b2b26595bb09febf14c5444c873ac4ec90a5a77" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://git.kernel.org/stable/c/fff05b2b004d9a8a2416d08647f3dc9068e357c8" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://git.kernel.org/stable/c/8af60bb2b215f478b886f1d6d302fefa7f0b917d" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://git.kernel.org/stable/c/219eee9c0d16f1b754a8b85275854ab17df0850a" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://git.kernel.org/linus/219eee9c0d16f1b754a8b85275854ab17df0850a(6.9-rc1)" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35941" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-3", + "ratings": [ { - "url": "https://ubuntu.com/security/notices/USN-6642-1" - }, + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35941" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skbuff: add overflow debug check to pull/push helpers\n\nsyzbot managed to trigger following splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x4a3b/0x5e50\nRead of size 1 at addr ffff888208a4000e by task a.out/2313\n[..]\n __skb_flow_dissect+0x4a3b/0x5e50\n __skb_get_hash+0xb4/0x400\n ip_tunnel_xmit+0x77e/0x26f0\n ipip_tunnel_xmit+0x298/0x410\n ..\n\nAnalysis shows that the skb has a valid ->head, but bogus ->data\npointer.\n\nskb->data gets its bogus value via the neigh layer, which does:\n\n1556 __skb_pull(skb, skb_network_offset(skb));\n\n... and the skb was already dodgy at this point:\n\nskb_network_offset(skb) returns a negative value due to an\nearlier overflow of skb->network_header (u16). __skb_pull thus\n\"adjusts\" skb->data by a huge offset, pointing outside skb->head\narea.\n\nAllow debug builds to splat when we try to pull/push more than\nINT_MAX bytes.\n\nAfter this, the syzkaller reproducer yields a more precise splat\nbefore the flow dissector attempts to read off skb->data memory:\n\nWARNING: CPU: 5 PID: 2313 at include/linux/skbuff.h:2653 neigh_connected_output+0x28e/0x400\n ip_finish_output2+0xb25/0xed0\n iptunnel_xmit+0x4ff/0x870\n ipgre_xmit+0x78e/0xbb0", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6665-1" - }, + "ref": "comp-399" + } + ], + "id": "CVE-2024-35941", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35941" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0de693d68b0a18d5e256556c7c62d92cca35ad52" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://git.kernel.org/stable/c/e83bebb718fd1f42549358730e1206164e0861d6" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://git.kernel.org/stable/c/71809805b95052ff551922f11660008fb3666025" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://git.kernel.org/stable/c/89d72d4125e94aa3c2140fedd97ce07ba9e37674" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://git.kernel.org/stable/c/e46274df1100fb0c06704195bfff5bfbd418bf64" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26856" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://git.kernel.org/linus/89d72d4125e94aa3c2140fedd97ce07ba9e37674(6.8)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-1", + "bom-ref": "vuln-4", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } - }, { "severity": "none", - "score": 0.0366, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26856" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sparx5: Fix use after free inside sparx5_del_mact_entry\n\nBased on the static analyzis of the code it looks like when an entry\nfrom the MAC table was removed, the entry was still used after being\nfreed. More precise the vid of the mac_entry was used after calling\ndevm_kfree on the mac_entry.\nThe fix consists in first using the vid of the mac_entry to delete the\nentry from the HW and after that to free it.", "affects": [ { - "ref": "comp-332" + "ref": "comp-399" } ], - "id": "CVE-2023-50387", + "id": "CVE-2024-26856", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26856" }, - "cwes": [ - 770 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-04-17T12:48:07Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://git.kernel.org/stable/c/bdce67df7f12fb0409fbc604ce7c4254703f56d4" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://git.kernel.org/stable/c/02c6bbfb08bad78dd014e24c7b893723c15ec7a1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://git.kernel.org/stable/c/8b13601d19c541158a6e18b278c00ba69ae37829" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://git.kernel.org/stable/c/7a4d6481fbdd661f9e40e95febb95e3dee82bad3" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://git.kernel.org/stable/c/856caf2730ea18cb39e95833719c02a02447dc0a" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://git.kernel.org/stable/c/28a1f492cb527f64593457a0a0f0d809b3f36c25" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://git.kernel.org/stable/c/6d0822f2cc9b153bf2df49a84599195a2e0d21a8" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://git.kernel.org/stable/c/6ccf904aac0292e1f6b1a1be6c407c414f7cf713" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + "url": "https://git.kernel.org/linus/8b13601d19c541158a6e18b278c00ba69ae37829(6.8-rc1)" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://ubuntu.com/security/notices/USN-6766-1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://ubuntu.com/security/notices/USN-6688-1" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52598" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://ubuntu.com/security/notices/USN-6767-2" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://ubuntu.com/security/notices/USN-6766-3" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://ubuntu.com/security/notices/USN-6767-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" - }, + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-5", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52598" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/ptrace: handle setting of fpc register correctly\n\nIf the content of the floating point control (fpc) register of a traced\nprocess is modified with the ptrace interface the new value is tested for\nvalidity by temporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the tracing process:\nif an interrupt happens while the value is temporarily loaded into the\nfpc register, and within interrupt context floating point or vector\nregisters are used, the current fp/vx registers are saved with\nsave_fpu_regs() assuming they belong to user space and will be loaded into\nfp/vx registers when returning to user space.\n\ntest_fp_ctl() restores the original user space fpc register value, however\nit will be discarded, when returning to user space.\n\nIn result the tracer will incorrectly continue to run with the value that\nwas supposed to be used for the traced process.\n\nFix this by saving fpu register contents with save_fpu_regs() before using\ntest_fp_ctl().", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6642-1" - }, + "ref": "comp-399" + } + ], + "id": "CVE-2023-52598", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52598" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/954a4a87814465ad61cc97c1cd3de1525baaaf07" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://git.kernel.org/stable/c/fe272b61506bb1534922ef07aa165fd3c37a6a90" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://git.kernel.org/stable/c/1c811d403afd73f04bde82b83b24c754011bd0e8" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://git.kernel.org/stable/c/66fa3fcb474b2b892fe42d455a6f7ec5aaa98fb9" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://git.kernel.org/stable/c/0982fd6bf0b822876f2e93ec782c4c28a3f85535" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35802" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://git.kernel.org/linus/1c811d403afd73f04bde82b83b24c754011bd0e8(6.9-rc1)" } ], - "bom-ref": "vuln-2", + "bom-ref": "vuln-6", "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35802" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/sev: Fix position dependent variable references in startup code\n\nThe early startup code executes from a 1:1 mapping of memory, which\ndiffers from the mapping that the code was linked and/or relocated to\nrun at. The latter mapping is not active yet at this point, and so\nsymbol references that rely on it will fault.\n\nGiven that the core kernel is built without -fPIC, symbol references are\ntypically emitted as absolute, and so any such references occuring in\nthe early startup code will therefore crash the kernel.\n\nWhile an attempt was made to work around this for the early SEV/SME\nstartup code, by forcing RIP-relative addressing for certain global\nSEV/SME variables via inline assembly (see snp_cpuid_get_table() for\nexample), RIP-relative addressing must be pervasively enforced for\nSEV/SME global variables when accessed prior to page table fixups.\n\n__startup_64() already handles this issue for select non-SEV/SME global\nvariables using fixup_pointer(), which adjusts the pointer relative to a\n`physaddr` argument. To avoid having to pass around this `physaddr`\nargument across all functions needing to apply pointer fixups, introduce\na macro RIP_RELATIVE_REF() which generates a RIP-relative reference to\na given global variable. It is used where necessary to force\nRIP-relative accesses to global variables.\n\nFor backporting purposes, this patch makes no attempt at cleaning up\nother occurrences of this pattern, involving either inline asm or\nfixup_pointer(). Those will be addressed later.\n\n [ bp: Call it \"rip_rel_ref\" everywhere like other code shortens\n \"rIP-relative reference\" and make the asm wrapper __always_inline. ]", "affects": [ { - "ref": "comp-332" + "ref": "comp-399" } ], - "id": "CVE-2023-50868", + "id": "CVE-2024-35802", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35802" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/569156e4fa347237f8fa2a7e935d860109c55ac4" + "url": "https://git.kernel.org/stable/c/f42c97027fb75776e2e9358d16bf4a99aeb04cf2" }, { - "url": "https://git.kernel.org/stable/c/814af6b4e6000e574e74d92197190edf07cc3680" + "url": "https://git.kernel.org/stable/c/26d32bec4c6d255a03762f33c637bfa3718be15a" }, { - "url": "https://git.kernel.org/stable/c/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9" + "url": "https://git.kernel.org/stable/c/c850f71fca09ea41800ed55905980063d17e01da" + }, + { + "url": "https://git.kernel.org/stable/c/2af84c46b9b8f2d6c0f88d09ee5c849ae1734676" + }, + { + "url": "https://git.kernel.org/stable/c/c43e5028f5a35331eb25017f5ff6cc21735005c6" + }, + { + "url": "https://git.kernel.org/stable/c/6d8b56ec0c8f30d5657382f47344a32569f7a9bc" + }, + { + "url": "https://git.kernel.org/linus/f42c97027fb75776e2e9358d16bf4a99aeb04cf2(6.9-rc6)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35848" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-7", "ratings": [ { - "severity": "unknown", + "severity": "none", + "score": 0.00044, "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35848" } } ], - "created": "2024-02-29T15:52:20Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Always exit sme_alloc() early with existing storage\n\nWhen sme_alloc() is called with existing storage and we are not flushing we\nwill always allocate new storage, both leaking the existing storage and\ncorrupting the state. Fix this by separating the checks for flushing and\nfor existing storage as we do for SVE.\n\nCallers that reallocate (eg, due to changing the vector length) should\ncall sme_free() themselves.", + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: at24: fix memory corruption race condition\n\nIf the eeprom is not accessible, an nvmem device will be registered, the\nread will fail, and the device will be torn down. If another driver\naccesses the nvmem device after the teardown, it will reference\ninvalid memory.\n\nMove the failure point before registering the nvmem device.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26618", + "id": "CVE-2024-35848", "source": { - "name": "MITRE", - "url": "https://cve.org/CVERecord?id=CVE-2024-26618" + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35848" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-29T15:52:20Z" + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://lore.kernel.org/all/20231222162310.6461-1-2045gemini@gmail.com/" + "url": "https://git.kernel.org/stable/c/3f38d22e645e2e994979426ea5a35186102ff3c2" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/e6f57c6881916df39db7d95981a8ad2b9c3458d6" + }, + { + "url": "https://git.kernel.org/stable/c/a2fef1d81becf4ff60e1a249477464eae3c3bc2a" + }, + { + "url": "https://git.kernel.org/stable/c/9034a1bec35e9f725315a3bb6002ef39666114d9" + }, + { + "url": "https://git.kernel.org/stable/c/115b7f3bc1dce590a6851a2dcf23dc1100c49790" + }, + { + "url": "https://git.kernel.org/stable/c/47ae64df23ed1318e27bd9844e135a5e1c0e6e39" + }, + { + "url": "https://git.kernel.org/stable/c/52dc9a7a573dbf778625a0efca0fca55489f084b" + }, + { + "url": "https://git.kernel.org/stable/c/5833024a9856f454a964a198c63a57e59e07baf5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26766" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24857" + "url": "https://git.kernel.org/linus/e6f57c6881916df39db7d95981a8ad2b9c3458d6(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-4", + "bom-ref": "vuln-8", "ratings": [ - { - "severity": "medium", - "score": 6.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" - } - }, { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26766" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n\nUnfortunately the commit `fd8958efe877` introduced another error\ncausing the `descs` array to overflow. This reults in further crashes\neasily reproducible by `sendmsg` system call.\n\n[ 1080.836473] general protection fault, probably for non-canonical address 0x400300015528b00a: 0000 [#1] PREEMPT SMP PTI\n[ 1080.869326] RIP: 0010:hfi1_ipoib_build_ib_tx_headers.constprop.0+0xe1/0x2b0 [hfi1]\n--\n[ 1080.974535] Call Trace:\n[ 1080.976990] \n[ 1081.021929] hfi1_ipoib_send_dma_common+0x7a/0x2e0 [hfi1]\n[ 1081.027364] hfi1_ipoib_send_dma_list+0x62/0x270 [hfi1]\n[ 1081.032633] hfi1_ipoib_send+0x112/0x300 [hfi1]\n[ 1081.042001] ipoib_start_xmit+0x2a9/0x2d0 [ib_ipoib]\n[ 1081.046978] dev_hard_start_xmit+0xc4/0x210\n--\n[ 1081.148347] __sys_sendmsg+0x59/0xa0\n\ncrash> ipoib_txreq 0xffff9cfeba229f00\nstruct ipoib_txreq {\n txreq = {\n list = {\n next = 0xffff9cfeba229f00,\n prev = 0xffff9cfeba229f00\n },\n descp = 0xffff9cfeba229f40,\n coalesce_buf = 0x0,\n wait = 0xffff9cfea4e69a48,\n complete = 0xffffffffc0fe0760 ,\n packet_len = 0x46d,\n tlen = 0x0,\n num_desc = 0x0,\n desc_limit = 0x6,\n next_descq_idx = 0x45c,\n coalesce_idx = 0x0,\n flags = 0x0,\n descs = {{\n qw = {0x8024000120dffb00, 0x4} # SDMA_DESC0_FIRST_DESC_FLAG (bit 63)\n }, {\n qw = { 0x3800014231b108, 0x4}\n }, {\n qw = { 0x310000e4ee0fcf0, 0x8}\n }, {\n qw = { 0x3000012e9f8000, 0x8}\n }, {\n qw = { 0x59000dfb9d0000, 0x8}\n }, {\n qw = { 0x78000e02e40000, 0x8}\n }}\n },\n sdma_hdr = 0x400300015528b000, <<< invalid pointer in the tx request structure\n sdma_status = 0x0, SDMA_DESC0_LAST_DESC_FLAG (bit 62)\n complete = 0x0,\n priv = 0x0,\n txq = 0xffff9cfea4e69880,\n skb = 0xffff9d099809f400\n}\n\nIf an SDMA send consists of exactly 6 descriptors and requires dword\npadding (in the 7th descriptor), the sdma_txreq descriptor array is not\nproperly expanded and the packet will overflow into the container\nstructure. This results in a panic when the send completion runs. The\nexact panic varies depending on what elements of the container structure\nget corrupted. The fix is to use the correct expression in\n_pad_sdma_tx_descs() to test the need to expand the descriptor array.\n\nWith this patch the crashes are no longer reproducible and the machine is\nstable.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24857", + "id": "CVE-2024-26766", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26766" }, - "cwes": [ - 190, - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:50Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-3640" + "url": "https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33" + }, + { + "url": "https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a" + }, + { + "url": "https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01" + }, + { + "url": "https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217523" + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-043.html" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3640" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26583" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-057.html" + }, + { + "url": "https://git.kernel.org/linus/aec7961916f3f9e88766e2688992da6980f11b8d(6.8-rc5)" } ], - "bom-ref": "vuln-5", + "bom-ref": "vuln-9", "ratings": [ { "severity": "none", "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26583" } }, { - "severity": "high", - "score": 7.8, + "severity": "medium", + "score": 4.7, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583" } } ], - "created": "2023-07-24T16:15:13Z", - "description": "A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.", + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-3640", + "id": "CVE-2024-26583", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3640" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583" }, "cwes": [ - 203 + 362 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:19:13Z", + "updated": "2024-03-15T13:05:03Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/00000000000056e02f05dfb6e11a@google.com/T/" + "url": "https://git.kernel.org/stable/c/09b54d29f05129b092f7c793a70b689ffb3c7b2c" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-37454" + "url": "https://git.kernel.org/stable/c/fbbb2404340dd6178e281bd427c271f7d5ec1d22" + }, + { + "url": "https://git.kernel.org/stable/c/546d0fe9d76e8229a67369f9cb61e961d99038bd" + }, + { + "url": "https://git.kernel.org/stable/c/2cc7d150550cc981aceedf008f5459193282425c" + }, + { + "url": "https://git.kernel.org/stable/c/1594dac8b1ed78f9e75c263327e198a2e5e25b0e" + }, + { + "url": "https://git.kernel.org/stable/c/ff7431f898dd00892a545b7d0ce7adf5b926944f" + }, + { + "url": "https://git.kernel.org/stable/c/8d6105f637883c8c09825e962308c06e977de4f0" + }, + { + "url": "https://git.kernel.org/stable/c/152ed360cf2d273f88fc99a518b7eb868aae2939" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36004" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37454" + "url": "https://git.kernel.org/linus/2cc7d150550cc981aceedf008f5459193282425c(6.9-rc6)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-6", + "bom-ref": "vuln-10", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36004" } } ], - "created": "2023-07-06T17:15:14Z", - "description": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.", + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n\nIssue reported by customer during SRIOV testing, call trace:\nWhen both i40e and the i40iw driver are loaded, a warning\nin check_flush_dependency is being triggered. This seems\nto be because of the i40e driver workqueue is allocated with\nthe WQ_MEM_RECLAIM flag, and the i40iw one is not.\n\nSimilar error was encountered on ice too and it was fixed by\nremoving the flag. Do the same for i40e too.\n\n[Feb 9 09:08] ------------[ cut here ]------------\n[ +0.000004] workqueue: WQ_MEM_RECLAIM i40e:i40e_service_task [i40e] is\nflushing !WQ_MEM_RECLAIM infiniband:0x0\n[ +0.000060] WARNING: CPU: 0 PID: 937 at kernel/workqueue.c:2966\ncheck_flush_dependency+0x10b/0x120\n[ +0.000007] Modules linked in: snd_seq_dummy snd_hrtimer snd_seq\nsnd_timer snd_seq_device snd soundcore nls_utf8 cifs cifs_arc4\nnls_ucs2_utils rdma_cm iw_cm ib_cm cifs_md4 dns_resolver netfs qrtr\nrfkill sunrpc vfat fat intel_rapl_msr intel_rapl_common irdma\nintel_uncore_frequency intel_uncore_frequency_common ice ipmi_ssif\nisst_if_common skx_edac nfit libnvdimm x86_pkg_temp_thermal\nintel_powerclamp gnss coretemp ib_uverbs rapl intel_cstate ib_core\niTCO_wdt iTCO_vendor_support acpi_ipmi mei_me ipmi_si intel_uncore\nioatdma i2c_i801 joydev pcspkr mei ipmi_devintf lpc_ich\nintel_pch_thermal i2c_smbus ipmi_msghandler acpi_power_meter acpi_pad\nxfs libcrc32c ast sd_mod drm_shmem_helper t10_pi drm_kms_helper sg ixgbe\ndrm i40e ahci crct10dif_pclmul libahci crc32_pclmul igb crc32c_intel\nlibata ghash_clmulni_intel i2c_algo_bit mdio dca wmi dm_mirror\ndm_region_hash dm_log dm_mod fuse\n[ +0.000050] CPU: 0 PID: 937 Comm: kworker/0:3 Kdump: loaded Not\ntainted 6.8.0-rc2-Feb-net_dev-Qiueue-00279-gbd43c5687e05 #1\n[ +0.000003] Hardware name: Intel Corporation S2600BPB/S2600BPB, BIOS\nSE5C620.86B.02.01.0013.121520200651 12/15/2020\n[ +0.000001] Workqueue: i40e i40e_service_task [i40e]\n[ +0.000024] RIP: 0010:check_flush_dependency+0x10b/0x120\n[ +0.000003] Code: ff 49 8b 54 24 18 48 8d 8b b0 00 00 00 49 89 e8 48\n81 c6 b0 00 00 00 48 c7 c7 b0 97 fa 9f c6 05 8a cc 1f 02 01 e8 35 b3 fd\nff <0f> 0b e9 10 ff ff ff 80 3d 78 cc 1f 02 00 75 94 e9 46 ff ff ff 90\n[ +0.000002] RSP: 0018:ffffbd294976bcf8 EFLAGS: 00010282\n[ +0.000002] RAX: 0000000000000000 RBX: ffff94d4c483c000 RCX:\n0000000000000027\n[ +0.000001] RDX: ffff94d47f620bc8 RSI: 0000000000000001 RDI:\nffff94d47f620bc0\n[ +0.000001] RBP: 0000000000000000 R08: 0000000000000000 R09:\n00000000ffff7fff\n[ +0.000001] R10: ffffbd294976bb98 R11: ffffffffa0be65e8 R12:\nffff94c5451ea180\n[ +0.000001] R13: ffff94c5ab5e8000 R14: ffff94c5c20b6e05 R15:\nffff94c5f1330ab0\n[ +0.000001] FS: 0000000000000000(0000) GS:ffff94d47f600000(0000)\nknlGS:0000000000000000\n[ +0.000002] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000001] CR2: 00007f9e6f1fca70 CR3: 0000000038e20004 CR4:\n00000000007706f0\n[ +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ +0.000001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ +0.000001] PKRU: 55555554\n[ +0.000001] Call Trace:\n[ +0.000001] \n[ +0.000002] ? __warn+0x80/0x130\n[ +0.000003] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? report_bug+0x195/0x1a0\n[ +0.000005] ? handle_bug+0x3c/0x70\n[ +0.000003] ? exc_invalid_op+0x14/0x70\n[ +0.000002] ? asm_exc_invalid_op+0x16/0x20\n[ +0.000006] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] ? check_flush_dependency+0x10b/0x120\n[ +0.000002] __flush_workqueue+0x126/0x3f0\n[ +0.000015] ib_cache_cleanup_one+0x1c/0xe0 [ib_core]\n[ +0.000056] __ib_unregister_device+0x6a/0xb0 [ib_core]\n[ +0.000023] ib_unregister_device_and_put+0x34/0x50 [ib_core]\n[ +0.000020] i40iw_close+0x4b/0x90 [irdma]\n[ +0.000022] i40e_notify_client_of_netdev_close+0x54/0xc0 [i40e]\n[ +0.000035] i40e_service_task+0x126/0x190 [i40e]\n[ +0.000024] process_one_work+0x174/0x340\n[ +0.000003] worker_th\n---truncated---", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-37454", + "id": "CVE-2024-36004", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36004" }, - "cwes": [ - 416 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:16:56Z", + "updated": "2024-05-20T13:00:04Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd504bcfec41a503b32054da5472904b404341a4" + "url": "https://git.kernel.org/stable/c/8ef4fcc7014b9f93619851d6b78d6cc2789a4c88" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + "url": "https://git.kernel.org/stable/c/9d5523e065b568e79dfaa2ea1085a5bcf74baf78" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + "url": "https://git.kernel.org/stable/c/7d2a894d7f487dcb894df023e9d3014cf5b93fe5" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52429" + "url": "https://git.kernel.org/stable/c/0a9f558c72c47472c38c05fcb72c70abb9104277" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/linus/7d2a894d7f487dcb894df023e9d3014cf5b93fe5(6.8-rc6)" }, { - "url": "https://git.kernel.org/linus/bd504bcfec41a503b32054da5472904b404341a4(6.8-rc3)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27402" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-7", + "bom-ref": "vuln-11", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27402" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.", + "created": "2024-05-17T12:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphonet/pep: fix racy skb_queue_empty() use\n\nThe receive queues are protected by their respective spin-lock, not\nthe socket lock. This could lead to skb_peek() unexpectedly\nreturning NULL or a pointer to an already dequeued socket buffer.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-52429", + "id": "CVE-2024-27402", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27402" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T21:15:57Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0723" + "url": "https://git.kernel.org/stable/c/9ae356c627b493323e1433dcb27a26917668c07c" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/03938619a1e718b6168ae4528e1b0f979293f1a5" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254052" + "url": "https://git.kernel.org/stable/c/2f6174fd4ccf403b42b3d5f0d1b6b496a0e5330a" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0725" + "url": "https://git.kernel.org/stable/c/c1363ed8867b81ea169fba2ccc14af96a85ed183" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6536" + "url": "https://git.kernel.org/stable/c/024529c27c8b4b273325a169e078337c8279e229" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/4720d590c4cb5d9ffa0060b89743651cc7e995f9" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://git.kernel.org/stable/c/3c6ee34c6f9cd12802326da26631232a61743501" + }, + { + "url": "https://git.kernel.org/stable/c/be2b6bcc936ae17f42fff6494106a5660b35d8d3" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6536" + "url": "https://git.kernel.org/linus/3c6ee34c6f9cd12802326da26631232a61743501(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lore.kernel.org/linux-nvme/69e7bbe4-b454-4941-90e2-2e6a4cf0f182@grimberg.me/T/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35935" } ], - "bom-ref": "vuln-8", + "bom-ref": "vuln-12", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536" - } - }, { "severity": "none", - "score": 0.00144, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35935" } } ], - "created": "2024-02-07T21:15:08Z", - "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: handle path ref underflow in header iterate_inode_ref()\n\nChange BUG_ON to proper error handling if building the path buffer\nfails. The pointers are not printed so we don't accidentally leak kernel\naddresses.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-6536", + "id": "CVE-2024-35935", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6536" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35935" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T15:15:09Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21803" + "url": "https://git.kernel.org/stable/c/bdd895e0190c464f54f84579e7535d80276f0fc5" + }, + { + "url": "https://git.kernel.org/stable/c/e362d007294955a4fb929e1c8978154a64efdcb6" + }, + { + "url": "https://git.kernel.org/stable/c/ec77fa12da41260c6bf9e060b89234b980c5130f" + }, + { + "url": "https://git.kernel.org/stable/c/7104a00fa37ae898a827381f1161fa3286c8b346" + }, + { + "url": "https://git.kernel.org/stable/c/6413e78086caf7bf15639923740da0d91fdfd090" + }, + { + "url": "https://git.kernel.org/stable/c/85570b91e4820a0db9d9432098778cafafa7d217" + }, + { + "url": "https://git.kernel.org/stable/c/c21a8870c98611e8f892511825c9607f1e2cd456" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26872" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c21a8870c98611e8f892511825c9607f1e2cd456(6.9-rc1)" } ], - "bom-ref": "vuln-9", + "bom-ref": "vuln-13", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26872" } } ], - "created": "2024-01-30T08:15:41Z", - "description": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Do not register event handler until srpt device is fully setup\n\nUpon rare occasions, KASAN reports a use-after-free Write\nin srpt_refresh_port().\n\nThis seems to be because an event handler is registered before the\nsrpt device is fully setup and a race condition upon error may leave a\npartially setup event handler in place.\n\nInstead, only register the event handler after srpt device initialization\nis complete.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-21803", + "id": "CVE-2024-26872", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26872" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-08T01:57:53Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24864" + "url": "https://git.kernel.org/stable/c/4c86c772fef06f5d7a66151bac42366825db0941" + }, + { + "url": "https://git.kernel.org/stable/c/6bf5c2fade8ed53b2d26fa9875e5b04f36c7145d" + }, + { + "url": "https://git.kernel.org/stable/c/8cf9c5051076e0eb958f4361d50d8b0c3ee6691c" + }, + { + "url": "https://git.kernel.org/stable/c/770a57922ce36a8476c43f7400b6501c554ea511" + }, + { + "url": "https://git.kernel.org/stable/c/8269ab16415f2065cd792c49b0475543936cbd79" + }, + { + "url": "https://git.kernel.org/stable/c/94303a06e1852a366e9671fff46d19459f88cb28" + }, + { + "url": "https://git.kernel.org/stable/c/0de691ff547d86dd54c24b40a81f9c925df8dd77" + }, + { + "url": "https://git.kernel.org/stable/c/622b1cf38521569869c8f7b9fbe9e4f1a289add7" + }, + { + "url": "https://git.kernel.org/stable/c/31096da07933598da8522c54bd007376fb152a09" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27078" + }, + { + "url": "https://git.kernel.org/linus/8cf9c5051076e0eb958f4361d50d8b0c3ee6691c(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-10", + "bom-ref": "vuln-14", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27078" } } ], - "created": "2024-02-05T08:15:45Z", - "description": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-tpg: fix some memleaks in tpg_alloc\n\nIn tpg_alloc, resources should be deallocated in each and every\nerror-handling paths, since they are allocated in for statements.\nOtherwise there would be memleaks because tpg_free is called only when\ntpg_alloc return 0.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24864", + "id": "CVE-2024-27078", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27078" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:05:22Z" + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://people.redhat.com/~hkario/marvin/" + "url": "https://git.kernel.org/stable/c/eb3441093aad251418921246fc3b224fd1575701" }, { - "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + "url": "https://git.kernel.org/stable/c/e2b54eaf28df0c978626c9736b94f003b523b451" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843" + "url": "https://git.kernel.org/stable/c/c34adc20b91a8e55e048b18d63f4f4ae003ecf8f" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6240" + "url": "https://git.kernel.org/stable/c/c8ab7521665bd0f8bc4a900244d1d5a7095cc3b9" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6240" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26792" } ], - "bom-ref": "vuln-11", + "bom-ref": "vuln-15", "ratings": [ { "severity": "none", - "score": 0.00073, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26792" } } ], - "created": "2024-02-04T14:15:47Z", - "description": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix double free of anonymous device after snapshot creation failure\n\nWhen creating a snapshot we may do a double free of an anonymous device\nin case there's an error committing the transaction. The second free may\nresult in freeing an anonymous device number that was allocated by some\nother subsystem in the kernel or another btrfs filesystem.\n\nThe steps that lead to this:\n\n1) At ioctl.c:create_snapshot() we allocate an anonymous device number\n and assign it to pending_snapshot->anon_dev;\n\n2) Then we call btrfs_commit_transaction() and end up at\n transaction.c:create_pending_snapshot();\n\n3) There we call btrfs_get_new_fs_root() and pass it the anonymous device\n number stored in pending_snapshot->anon_dev;\n\n4) btrfs_get_new_fs_root() frees that anonymous device number because\n btrfs_lookup_fs_root() returned a root - someone else did a lookup\n of the new root already, which could some task doing backref walking;\n\n5) After that some error happens in the transaction commit path, and at\n ioctl.c:create_snapshot() we jump to the 'fail' label, and after\n that we free again the same anonymous device number, which in the\n meanwhile may have been reallocated somewhere else, because\n pending_snapshot->anon_dev still has the same value as in step 1.\n\nRecently syzbot ran into this and reported the following trace:\n\n ------------[ cut here ]------------\n ida_free called for id=51 which is not allocated.\n WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525\n Modules linked in:\n CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0\n Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\n RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525\n Code: 10 42 80 3c 28 (...)\n RSP: 0018:ffffc90015a67300 EFLAGS: 00010246\n RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000\n RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000\n RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4\n R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246\n R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246\n FS: 00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0\n Call Trace:\n \n btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346\n create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837\n create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931\n btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404\n create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848\n btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998\n btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044\n __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306\n btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393\n btrfs_ioctl+0xa74/0xd40\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:871 [inline]\n __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7fca3e67dda9\n Code: 28 00 00 00 (...)\n RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9\n RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003\n RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658\n \n\nWhere we get an explicit message where we attempt to free an anonymous\ndevice number that is not currently allocated. It happens in a different\ncode path from the example below, at btrfs_get_root_ref(), so this change\nmay not fix the case triggered by sy\n---truncated---", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-6240", + "id": "CVE-2024-26792", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26792" }, - "cwes": [ - 203 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-15T08:15:45Z" + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a" + "url": "https://git.kernel.org/stable/c/de34de6e57bbbc868e4fcf9e98c76b3587cabb0b" }, { - "url": "https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21" + "url": "https://git.kernel.org/stable/c/6a44065dd604972ec1fbcccbdc4a70d266a89cdd" }, { - "url": "https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9" + "url": "https://git.kernel.org/stable/c/98f9537fe61b8382b3cc5dd97347531698517c56" }, { - "url": "https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2" + "url": "https://git.kernel.org/stable/c/42f433785f108893de0dd5260bafb85d7d51db03" }, { - "url": "https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c" + "url": "https://git.kernel.org/stable/c/6fe8b702125aeee6ce83f20092a2341446704e7b" }, { - "url": "https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f" + "url": "https://git.kernel.org/stable/c/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/e3e95c6850661c77e6dab079d9b5374a618ebb15" }, { - "url": "https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7" + "url": "https://git.kernel.org/stable/c/59342822276f753e49d27ef5eebffbba990572b9" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://ubuntu.com/security/notices/USN-6774-1" }, { - "url": "https://git.kernel.org/linus/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21(6.8-rc5)" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52604" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26593" + "url": "https://git.kernel.org/linus/9862ec7ac1cbc6eb5ee4a045b5d5b8edbb2f7e68(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" } ], - "bom-ref": "vuln-12", + "bom-ref": "vuln-16", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52604" } } ], - "created": "2024-02-23T10:15:07Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.", + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree\n\nSyzkaller reported the following issue:\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6\nindex 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n \n================================================================================\nKernel panic - not syncing: UBSAN: panic_on_warn set ...\nCPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n panic+0x30f/0x770 kernel/panic.c:340\n check_panic_on_warn+0x82/0xa0 kernel/panic.c:236\n ubsan_epilogue lib/ubsan.c:223 [inline]\n __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348\n dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867\n dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834\n dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331\n dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]\n dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402\n txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534\n txUpdateMap+0x342/0x9e0\n txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]\n jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732\n kthread+0x2d3/0x370 kernel/kthread.c:388\n ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304\n \nKernel Offset: disabled\nRebooting in 86400 seconds..\n\nThe issue is caused when the value of lp becomes greater than\nCTLTREESIZE which is the max size of stree. Adding a simple check\nsolves this issue.\n\nDave:\nAs the function returns a void, good error handling\nwould require a more intrusive code reorganization, so I modified\nOsama's patch at use WARN_ON_ONCE for lack of a cleaner option.\n\nThe patch is tested via syzbot.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26593", + "id": "CVE-2023-52604", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52604" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22386" + "url": "https://git.kernel.org/stable/c/04f23510daa40f9010fadf309507564a34ad956f" + }, + { + "url": "https://git.kernel.org/stable/c/5d7f58ee08434a33340f75ac7ac5071eea9673b3" + }, + { + "url": "https://git.kernel.org/stable/c/ce666cecc09c0f92d5f86d89d8068ecfcf723a7e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35943" + }, + { + "url": "https://git.kernel.org/linus/5d7f58ee08434a33340f75ac7ac5071eea9673b3(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-13", + "bom-ref": "vuln-17", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35943" } } ], - "created": "2024-02-05T08:15:43Z", - "description": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: ti: Add a null pointer check to the omap_prm_domain_init\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-22386", + "id": "CVE-2024-35943", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35943" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:05:26Z" + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/" + "url": "https://git.kernel.org/stable/c/2b17133a0a2e0e111803124dad09e803718d4a48" + }, + { + "url": "https://git.kernel.org/stable/c/59772327d439874095516673b4b30c48bd83ca38" + }, + { + "url": "https://git.kernel.org/stable/c/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c" + }, + { + "url": "https://git.kernel.org/stable/c/4356a2c3f296503c8b420ae8adece053960a9f06" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35799" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063238" + "url": "https://git.kernel.org/linus/72d72e8fddbcd6c98e1b02d32cf6f2b04e10bd1c(6.9-rc2)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-14", + "bom-ref": "vuln-18", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425" - } - }, { "severity": "none", - "score": 0.00051, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35799" } } ], - "created": "2024-02-04T20:15:46Z", - "description": "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", + "created": "2024-05-17T14:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Prevent crash when disable stream\n\n[Why]\nDisabling stream encoder invokes a function that no longer exists.\n\n[How]\nCheck if the function declaration is NULL in disable stream encoder.", "affects": [ { - "ref": "comp-390" + "ref": "comp-399" } ], - "id": "CVE-2023-52425", + "id": "CVE-2024-35799", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35799" }, - "cwes": [ - 400 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:27:48Z" + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24861" + "url": "https://git.kernel.org/stable/c/41d8fdf3afaff312e17466e4ab732937738d5644" + }, + { + "url": "https://git.kernel.org/stable/c/e3b887a9c11caf8357a821260e095f2a694a34f2" + }, + { + "url": "https://git.kernel.org/stable/c/14b001ba221136c15f894577253e8db535b99487" + }, + { + "url": "https://git.kernel.org/stable/c/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc" + }, + { + "url": "https://git.kernel.org/stable/c/ebf7c9746f073035ee26209e38c3a1170f7b349a" + }, + { + "url": "https://git.kernel.org/stable/c/7a1679e2d9bfa3b5f8755c2c7113e54b7d42bd46" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26924" + }, + { + "url": "https://git.kernel.org/linus/3cfc9ec039af60dbd8965ae085b2c2ccdcfbe1cc(6.9-rc5)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-15", + "bom-ref": "vuln-19", "ratings": [ - { - "severity": "medium", - "score": 6.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26924" } } ], - "created": "2024-02-05T08:15:45Z", - "description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: do not free live element\n\nPablo reports a crash with large batches of elements with a\nback-to-back add/remove pattern. Quoting Pablo:\n\n add_elem(\"00000000\") timeout 100 ms\n ...\n add_elem(\"0000000X\") timeout 100 ms\n del_elem(\"0000000X\") <---------------- delete one that was just added\n ...\n add_elem(\"00005000\") timeout 100 ms\n\n 1) nft_pipapo_remove() removes element 0000000X\n Then, KASAN shows a splat.\n\nLooking at the remove function there is a chance that we will drop a\nrule that maps to a non-deactivated element.\n\nRemoval happens in two steps, first we do a lookup for key k and return the\nto-be-removed element and mark it as inactive in the next generation.\nThen, in a second step, the element gets removed from the set/map.\n\nThe _remove function does not work correctly if we have more than one\nelement that share the same key.\n\nThis can happen if we insert an element into a set when the set already\nholds an element with same key, but the element mapping to the existing\nkey has timed out or is not active in the next generation.\n\nIn such case its possible that removal will unmap the wrong element.\nIf this happens, we will leak the non-deactivated element, it becomes\nunreachable.\n\nThe element that got deactivated (and will be freed later) will\nremain reachable in the set data structure, this can result in\na crash when such an element is retrieved during lookup (stale\npointer).\n\nAdd a check that the fully matching key does in fact map to the element\nthat we have marked as inactive in the deactivation step.\nIf not, we need to continue searching.\n\nAdd a bug/warn trap at the end of the function as well, the remove\nfunction must not ever be called with an invisible/unreachable/non-existent\nelement.\n\nv2: avoid uneeded temporary variable (Stefano)", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24861", + "id": "CVE-2024-26924", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26924" }, - "cwes": [ - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:05:59Z" + "updated": "2024-05-03T06:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.2" + "url": "https://git.kernel.org/stable/c/185de0b7cdeaad8b89ebd4c8a258ff2f21adba99" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1208844" + "url": "https://git.kernel.org/stable/c/a903cfd38d8dee7e754fb89fd1bebed99e28003d" + }, + { + "url": "https://git.kernel.org/stable/c/5533686e99b04994d7c4877dc0e4282adc9444a2" + }, + { + "url": "https://git.kernel.org/stable/c/a09aecb6cb482de88301c43bf00a6c8726c4d34f" + }, + { + "url": "https://git.kernel.org/stable/c/7e5432401536117c316d7f3b21d46b64c1514f38" + }, + { + "url": "https://git.kernel.org/stable/c/b2dfb216f32627c2f6a8041f2d9d56d102ab87c0" + }, + { + "url": "https://git.kernel.org/stable/c/9b4c4546dd61950e80ffdca1bf6925f42b665b03" + }, + { + "url": "https://git.kernel.org/stable/c/3aedcf3755c74dafc187eb76acb04e3e6348b1a9" + }, + { + "url": "https://git.kernel.org/stable/c/5638330150db2cc30b53eed04e481062faa3ece8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26966" + }, + { + "url": "https://git.kernel.org/linus/a903cfd38d8dee7e754fb89fd1bebed99e28003d(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-16", + "bom-ref": "vuln-20", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26966" } } ], - "created": "2023-03-01T20:15:15Z", - "description": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.", + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-apq8084: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-23005", + "id": "CVE-2024-26966", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26966" }, - "cwes": [ - 476 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:07:38Z", + "updated": "2024-05-01T13:02:20Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24860" + "url": "https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d" + }, + { + "url": "https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40" + }, + { + "url": "https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f" + }, + { + "url": "https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1" + }, + { + "url": "https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88" + }, + { + "url": "https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531" + }, + { + "url": "https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26961" + }, + { + "url": "https://git.kernel.org/linus/e8a1e58345cf40b7b272e08ac7b32328b2543e40(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-17", + "bom-ref": "vuln-21", "ratings": [ - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860" - } - }, { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26961" } } ], - "created": "2024-02-05T08:15:45Z", - "description": "A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac802154_llsec_key_del\n\nmac802154_llsec_key_del() can free resources of a key directly without\nfollowing the RCU rules for waiting before the end of a grace period. This\nmay lead to use-after-free in case llsec_lookup_key() is traversing the\nlist of keys in parallel with a key deletion:\n\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0\nModules linked in:\nCPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nRIP: 0010:refcount_warn_saturate+0x162/0x2a0\nCall Trace:\n \n llsec_lookup_key.isra.0+0x890/0x9e0\n mac802154_llsec_encrypt+0x30c/0x9c0\n ieee802154_subif_start_xmit+0x24/0x1e0\n dev_hard_start_xmit+0x13e/0x690\n sch_direct_xmit+0x2ae/0xbc0\n __dev_queue_xmit+0x11dd/0x3c20\n dgram_sendmsg+0x90b/0xd60\n __sys_sendto+0x466/0x4c0\n __x64_sys_sendto+0xe0/0x1c0\n do_syscall_64+0x45/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nAlso, ieee802154_llsec_key_entry structures are not freed by\nmac802154_llsec_key_del():\n\nunreferenced object 0xffff8880613b6980 (size 64):\n comm \"iwpan\", pid 2176, jiffies 4294761134 (age 60.475s)\n hex dump (first 32 bytes):\n 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......\".......\n 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e2/0x2d0\n [] kmalloc_trace+0x25/0xc0\n [] mac802154_llsec_key_add+0xac9/0xcf0\n [] ieee802154_add_llsec_key+0x5a/0x80\n [] nl802154_add_llsec_key+0x426/0x5b0\n [] genl_family_rcv_msg_doit+0x1fe/0x2f0\n [] genl_rcv_msg+0x531/0x7d0\n [] netlink_rcv_skb+0x169/0x440\n [] genl_rcv+0x28/0x40\n [] netlink_unicast+0x53c/0x820\n [] netlink_sendmsg+0x93b/0xe60\n [] ____sys_sendmsg+0xac5/0xca0\n [] ___sys_sendmsg+0x11d/0x1c0\n [] __sys_sendmsg+0xfa/0x1d0\n [] do_syscall_64+0x45/0xf0\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nHandle the proper resource release in the RCU callback function\nmac802154_llsec_key_del_rcu().\n\nNote that if llsec_lookup_key() finds a key, it gets a refcount via\nllsec_key_get() and locally copies key id from key_entry (which is a\nlist element). So it's safe to call llsec_key_put() and free the list\nentry after the RCU grace period elapses.\n\nFound by Linux Verification Center (linuxtesting.org).", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24860", + "id": "CVE-2024-26961", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24860" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26961" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-14T19:50:10Z" + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/6209319b2efdd8524691187ee99c40637558fa33" - }, - { - "url": "https://git.kernel.org/stable/c/86dc27ee36f558fe223dbdfbfcb6856247356f4a" - }, - { - "url": "https://git.kernel.org/stable/c/7a3ca06d04d589deec81f56229a9a9d62352ce01" + "url": "https://git.kernel.org/stable/c/347dcdc15a1706f61aa545ae498ededdf31aeebc" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/9e59b8d76ff511505eb0dd1478329f09e0f04669" }, { - "url": "https://git.kernel.org/stable/c/aec7961916f3f9e88766e2688992da6980f11b8d" + "url": "https://git.kernel.org/linus/cd32b27a66db8776d8b8e82ec7d7dde97a8693b0(6.9-rc1)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26583" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35808" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://git.kernel.org/linus/aec7961916f3f9e88766e2688992da6980f11b8d(6.8-rc5)" } ], - "bom-ref": "vuln-18", + "bom-ref": "vuln-22", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35808" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between async notify and socket close\n\nThe submitting thread (one which called recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete()\nso any code past that point risks touching already freed data.\n\nTry to avoid the locking and extra flags altogether.\nHave the main thread hold an extra reference, this way\nwe can depend solely on the atomic ref counter for\nsynchronization.\n\nDon't futz with reiniting the completion, either, we are now\ntightly controlling when completion fires.", + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd/dm-raid: don't call md_reap_sync_thread() directly\n\nCurrently md_reap_sync_thread() is called from raid_message() directly\nwithout holding 'reconfig_mutex', this is definitely unsafe because\nmd_reap_sync_thread() can change many fields that is protected by\n'reconfig_mutex'.\n\nHowever, hold 'reconfig_mutex' here is still problematic because this\nwill cause deadlock, for example, commit 130443d60b1b (\"md: refactor\nidle/frozen_sync_thread() to fix deadlock\").\n\nFix this problem by using stop_sync_thread() to unregister sync_thread,\nlike md/raid did.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26583", + "id": "CVE-2024-35808", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26583" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35808" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009" + "url": "https://git.kernel.org/stable/c/913421f9f7fd8324dcc41753d0f28b52e177ef04" }, { - "url": "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + "url": "https://git.kernel.org/stable/c/6632a54ac8057cc0b0d789c6f73883e871bcd25c" + }, + { + "url": "https://git.kernel.org/stable/c/e8025439ef8e16029dc313d78a351ef192469b7b" + }, + { + "url": "https://git.kernel.org/stable/c/a62b9f3d7bbfac874cc0c638bc1776dcf1f8ec06" + }, + { + "url": "https://git.kernel.org/stable/c/a039690d323221eb5865f1f31db3ec264e7a14b6" + }, + { + "url": "https://git.kernel.org/stable/c/aebfdfe39b9327a3077d0df8db3beb3160c9bdd0" + }, + { + "url": "https://git.kernel.org/linus/aebfdfe39b9327a3077d0df8db3beb3160c9bdd0(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52652" } ], - "bom-ref": "vuln-19", + "bom-ref": "vuln-23", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52652" } } ], - "created": "2024-02-29T15:15:07Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNTB: fix possible name leak in ntb_register_device()\n\nIf device_register() fails in ntb_register_device(), the device name\nallocated by dev_set_name() should be freed. As per the comment in\ndevice_register(), callers should use put_device() to give up the\nreference in the error path. So fix this by calling put_device() in the\nerror path so that the name can be freed in kobject_cleanup().\n\nAs a result of this, put_device() in the error path of\nntb_register_device() is removed and the actual error is returned.\n\n[mani: reworded commit message]", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-52485", + "id": "CVE-2023-52652", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52652" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-29T18:06:42Z" + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://android.googlesource.com/kernel/common/+/b35a06182451f" + "url": "https://git.kernel.org/stable/c/92d20406a3d4ff3e8be667c79209dc9ed31df5b3" }, { - "url": "https://source.android.com/security/bulletin/2023-08-01" + "url": "https://git.kernel.org/stable/c/5fd9e45f1ebcd57181358af28506e8a661a260b3" }, { - "url": "https://android.googlesource.com/kernel/common/+/53625a846a7b4" + "url": "https://git.kernel.org/stable/c/70e8038813f9d3e72df966748ebbc40efe466019" }, { - "url": "https://ubuntu.com/security/notices/USN-6383-1" + "url": "https://git.kernel.org/stable/c/3a2a909942b5335b7ea66366d84261b3ed5f89c8" }, { - "url": "https://git.kernel.org/linus/09cce60bddd6461a93a5bf434265a47827d1bc6f" + "url": "https://git.kernel.org/stable/c/1e204a8e9eb514e22a6567fb340ebb47df3f3a48" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/9a52b694b066f299d8b9800854a8503457a8b64c" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-349.html" + "url": "https://git.kernel.org/stable/c/aad6132ae6e4809e375431f8defd1521985e44e7" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21264" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26748" }, { - "url": "https://ubuntu.com/security/notices/USN-6466-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://source.android.com/docs/security/bulletin/2023-08-01" + "url": "https://git.kernel.org/linus/5fd9e45f1ebcd57181358af28506e8a661a260b3(6.8-rc6)" } ], - "bom-ref": "vuln-20", + "bom-ref": "vuln-24", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26748" } } ], - "created": "2023-08-14T21:15:11Z", - "description": "In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.\n\n", + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix memory double free when handle zero packet\n\n829 if (request->complete) {\n830 spin_unlock(&priv_dev->lock);\n831 usb_gadget_giveback_request(&priv_ep->endpoint,\n832 request);\n833 spin_lock(&priv_dev->lock);\n834 }\n835\n836 if (request->buf == priv_dev->zlp_buf)\n837 cdns3_gadget_ep_free_request(&priv_ep->endpoint, request);\n\nDriver append an additional zero packet request when queue a packet, which\nlength mod max packet size is 0. When transfer complete, run to line 831,\nusb_gadget_giveback_request() will free this requestion. 836 condition is\ntrue, so cdns3_gadget_ep_free_request() free this request again.\n\nLog:\n\n[ 1920.140696][ T150] BUG: KFENCE: use-after-free read in cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.140696][ T150]\n[ 1920.151837][ T150] Use-after-free read at 0x000000003d1cd10b (in kfence-#36):\n[ 1920.159082][ T150] cdns3_gadget_giveback+0x134/0x2c0 [cdns3]\n[ 1920.164988][ T150] cdns3_transfer_completed+0x438/0x5f8 [cdns3]\n\nAdd check at line 829, skip call usb_gadget_giveback_request() if it is\nadditional zero length packet request. Needn't call\nusb_gadget_giveback_request() because it is allocated in this driver.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-21264", + "id": "CVE-2024-26748", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26748" }, - "cwes": [ - 119 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-08-24T15:31:45Z", + "updated": "2024-04-03T17:24:18Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23196" + "url": "https://git.kernel.org/stable/c/47635b112a64b7b208224962471e7e42f110e723" + }, + { + "url": "https://git.kernel.org/stable/c/a4e7ff1a74274e59a2de9bb57236542aa990d20a" + }, + { + "url": "https://git.kernel.org/stable/c/ae7079238f6faf1b94accfccf334e98b46a0c0aa" + }, + { + "url": "https://git.kernel.org/stable/c/c7cff9780297d55d97ad068b68b703cfe53ef9af" + }, + { + "url": "https://git.kernel.org/stable/c/13edb509abc91c72152a11baaf0e7c060a312e03" + }, + { + "url": "https://git.kernel.org/stable/c/aaa8736370db1a78f0e8434344a484f9fd20be3b" + }, + { + "url": "https://git.kernel.org/stable/c/af2a9f98d884205145fd155304a6955822ccca1c" + }, + { + "url": "https://git.kernel.org/stable/c/5cb59db49c9c0fccfd33b2209af4f7ae3c6ddf40" + }, + { + "url": "https://git.kernel.org/stable/c/52018aa146e3cf76569a9b1e6e49a2b7c8d4a088" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/aaa8736370db1a78f0e8434344a484f9fd20be3b(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26816" } ], - "bom-ref": "vuln-21", + "bom-ref": "vuln-25", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26816" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's sound/hda device driver in snd_hdac_regmap_sync() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n", + "created": "2024-04-10T14:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86, relocs: Ignore relocations in .notes section\n\nWhen building with CONFIG_XEN_PV=y, .text symbols are emitted into\nthe .notes section so that Xen can find the \"startup_xen\" entry point.\nThis information is used prior to booting the kernel, so relocations\nare not useful. In fact, performing relocations against the .notes\nsection means that the KASLR base is exposed since /sys/kernel/notes\nis world-readable.\n\nTo avoid leaking the KASLR base without breaking unprivileged tools that\nare expecting to read /sys/kernel/notes, skip performing relocations in\nthe .notes section. The values readable in .notes are then identical to\nthose found in System.map.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-23196", + "id": "CVE-2024-26816", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23196" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26816" }, - "cwes": [ - 362, - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:14Z" + "updated": "2024-04-10T19:49:51Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://git.kernel.org/stable/c/40f4ced305c6c47487d3cd8da54676e2acc1a6ad" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://git.kernel.org/stable/c/4b0dcae5c4797bf31c63011ed62917210d3fdac3" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://git.kernel.org/stable/c/68459b8e3ee554ce71878af9eb69659b9462c588" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://git.kernel.org/stable/c/52854101180beccdb9dc2077a3bea31b6ad48dfa" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://git.kernel.org/stable/c/f8bbc07ac535593139c875ffa19af924b1084540" + }, + { + "url": "https://git.kernel.org/stable/c/a50dbeca28acf7051dfa92786b85f704c75db6eb" + }, + { + "url": "https://git.kernel.org/stable/c/14cdb43dbc827e18ac7d5b30c5b4c676219f1421" + }, + { + "url": "https://git.kernel.org/stable/c/62e27ef18eb4f0d33bbae8e9ef56b99696a74713" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27013" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://git.kernel.org/linus/f8bbc07ac535593139c875ffa19af924b1084540(6.9-rc5)" } ], - "bom-ref": "vuln-22", + "bom-ref": "vuln-26", "ratings": [ - { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" - } - }, { "severity": "none", - "score": 0.00046, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27013" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntun: limit printing rate when illegal packet received by tun dev\n\nvhost_worker will call tun call backs to receive packets. If too many\nillegal packets arrives, tun_do_read will keep dumping packet contents.\nWhen console is enabled, it will costs much more cpu time to dump\npacket and soft lockup will be detected.\n\nnet_ratelimit mechanism can be used to limit the dumping rate.\n\nPID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: \"vhost-32980\"\n #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253\n #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3\n #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e\n #3 [fffffe00003fced0] do_nmi at ffffffff8922660d\n #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663\n [exception RIP: io_serial_in+20]\n RIP: ffffffff89792594 RSP: ffffa655314979e8 RFLAGS: 00000002\n RAX: ffffffff89792500 RBX: ffffffff8af428a0 RCX: 0000000000000000\n RDX: 00000000000003fd RSI: 0000000000000005 RDI: ffffffff8af428a0\n RBP: 0000000000002710 R8: 0000000000000004 R9: 000000000000000f\n R10: 0000000000000000 R11: ffffffff8acbf64f R12: 0000000000000020\n R13: ffffffff8acbf698 R14: 0000000000000058 R15: 0000000000000000\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #5 [ffffa655314979e8] io_serial_in at ffffffff89792594\n #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470\n #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6\n #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605\n #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558\n #10 [ffffa65531497ac8] console_unlock at ffffffff89316124\n #11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07\n #12 [ffffa65531497b68] printk at ffffffff89318306\n #13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765\n #14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]\n #15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]\n #16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]\n #17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]\n #18 [ffffa65531497f10] kthread at ffffffff892d2e72\n #19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f", "affects": [ { - "ref": "comp-371" + "ref": "comp-399" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-27013", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27013" }, - "cwes": [ - 693 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-05-03T06:15:13Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1973689" + "url": "https://git.kernel.org/stable/c/1382d8b55129875b2e07c4d2a7ebc790183769ee" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037090" + "url": "https://git.kernel.org/stable/c/d5a7726e6ea62d447b79ab5baeb537ea6bdb225b" }, { - "url": "https://ubuntu.com/security/notices/USN-6200-1" + "url": "https://git.kernel.org/stable/c/99adc8b4d2f38bf0d06483ec845bc48f60c3f8cf" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26799" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3610" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-23", + "bom-ref": "vuln-27", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3610" - } - }, { "severity": "none", - "score": 0.00082, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26799" } } ], - "created": "2022-02-24T19:15:09Z", - "description": "A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.", + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: Fix uninitialized pointer dmactl\n\nIn the case where __lpass_get_dmactl_handle is called and the driver\nid dai_id is invalid the pointer dmactl is not being assigned a value,\nand dmactl contains a garbage value since it has not been initialized\nand so the null check may not work. Fix this to initialize dmactl to\nNULL. One could argue that modern compilers will set this to zero, but\nit is useful to keep this initialized as per the same way in functions\n__lpass_platform_codec_intf_init and lpass_cdc_dma_daiops_hw_params.\n\nCleans up clang scan build warning:\nsound/soc/qcom/lpass-cdc-dma.c:275:7: warning: Branch condition\nevaluates to a garbage value [core.uninitialized.Branch]", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2021-3610", + "id": "CVE-2024-26799", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3610" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26799" }, - "cwes": [ - 125, - 787 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-06-26T18:56:40Z", - "properties": [ + "updated": "2024-04-04T12:48:22Z" + }, + { + "advisories": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "url": "https://git.kernel.org/stable/c/98fb98fd37e42fd4ce13ff657ea64503e24b6090" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-24T01:12:33Z" + "url": "https://git.kernel.org/stable/c/2449007d3f73b2842c9734f45f0aadb522daf592" }, { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" - } - ] - }, - { - "advisories": [ + "url": "https://git.kernel.org/stable/c/e0b278650f07acf2e0932149183458468a731c03" + }, { - "url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754" + "url": "https://git.kernel.org/stable/c/2ab9a19d896f5a0dd386e1f001c5309bc35f433b" }, { - "url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3" + "url": "https://git.kernel.org/stable/c/6dd0a9dfa99f8990a08eb8fdd8e79bee31c7d8e2" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/45085686b9559bfbe3a4f41d3d695a520668f5e1" }, { - "url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694" + "url": "https://git.kernel.org/stable/c/dd594cdc24f2e48dab441732e6dfcafd6b0711d1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/da4569d450b193e39e87119fd316c0291b585d14" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26584" + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26801" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/8590541473188741055d27b955db0777569438e3(6.8-rc5)" + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" } ], - "bom-ref": "vuln-24", + "bom-ref": "vuln-28", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26801" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical.", + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Avoid potential use-after-free in hci_error_reset\n\nWhile handling the HCI_EV_HARDWARE_ERROR event, if the underlying\nBT controller is not responding, the GPIO reset mechanism would\nfree the hci_dev and lead to a use-after-free in hci_error_reset.\n\nHere's the call trace observed on a ChromeOS device with Intel AX201:\n queue_work_on+0x3e/0x6c\n __hci_cmd_sync_sk+0x2ee/0x4c0 [bluetooth ]\n ? init_wait_entry+0x31/0x31\n __hci_cmd_sync+0x16/0x20 [bluetooth ]\n hci_error_reset+0x4f/0xa4 [bluetooth ]\n process_one_work+0x1d8/0x33f\n worker_thread+0x21b/0x373\n kthread+0x13a/0x152\n ? pr_cont_work+0x54/0x54\n ? kthread_blkcg+0x31/0x31\n ret_from_fork+0x1f/0x30\n\nThis patch holds the reference count on the hci_dev while processing\na HCI_EV_HARDWARE_ERROR event to avoid potential crash.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26584", + "id": "CVE-2024-26801", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26801" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/ec6bb037e4a35fcbb5cd7bc78242d034ed893fcd" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24859" + "url": "https://git.kernel.org/stable/c/04ae3eb470e52a3c41babe85ff8cee195e4dcbea" }, { - "url": "https://lore.kernel.org/all/20231222162931.6553-1-2045gemini@gmail.com/" + "url": "https://git.kernel.org/stable/c/8e25c0ee5665e8a768b8e21445db1f86e9156eb7" + }, + { + "url": "https://git.kernel.org/stable/c/f2e80ac9344aebbff576453d5c0290b332e187ed" + }, + { + "url": "https://git.kernel.org/stable/c/f6d51a91b41704704e395de6839c667b0f810bbf" + }, + { + "url": "https://git.kernel.org/stable/c/746606d37d662c70ae1379fc658ee9c65f06880f" + }, + { + "url": "https://git.kernel.org/stable/c/4ab14eccf5578af1dd5668a5f2d771df27683cab" + }, + { + "url": "https://git.kernel.org/linus/04ae3eb470e52a3c41babe85ff8cee195e4dcbea(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35829" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-25", + "bom-ref": "vuln-29", "ratings": [ - { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" - } - }, { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35829" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/lima: fix a memleak in lima_heap_alloc\n\nWhen lima_vm_map_bo fails, the resources need to be deallocated, or\nthere will be memleaks.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24859", + "id": "CVE-2024-35829", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35829" }, - "cwes": [ - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:05Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248755" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-6039" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6534-2" + "url": "https://git.kernel.org/stable/c/0588bbbd718a8130b98c54518f1e0b569ce60a93" }, { - "url": "https://ubuntu.com/security/notices/USN-6534-1" + "url": "https://git.kernel.org/stable/c/7f67c2020cb08499c400abf0fc32c65e4d9a09ca" }, { - "url": "https://git.kernel.org/linus/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3(6.5-rc5)" + "url": "https://git.kernel.org/stable/c/7250326cbb1f4f90391ac511a126b936cefb5bb7" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6039" + "url": "https://git.kernel.org/stable/c/6334b8e4553cc69f51e383c9de545082213d785e" }, { - "url": "https://ubuntu.com/security/notices/USN-6628-2" + "url": "https://git.kernel.org/stable/c/f356fd0cbd9c9cbd0854657a80d1608d0d732db3" }, { - "url": "https://ubuntu.com/security/notices/USN-6628-1" + "url": "https://git.kernel.org/linus/6334b8e4553cc69f51e383c9de545082213d785e(6.9-rc5)" }, { - "url": "https://ubuntu.com/security/notices/USN-6626-3" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26996" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6626-2" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6534-3" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6626-1" } ], - "bom-ref": "vuln-26", + "bom-ref": "vuln-30", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26996" } } ], - "created": "2023-11-09T15:15:09Z", - "description": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.", + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error\n\nWhen ncm function is working and then stop usb0 interface for link down,\neth_stop() is called. At this piont, accidentally if usb transport error\nshould happen in usb_ep_enable(), 'in_ep' and/or 'out_ep' may not be enabled.\n\nAfter that, ncm_disable() is called to disable for ncm unbind\nbut gether_disconnect() is never called since 'in_ep' is not enabled.\n\nAs the result, ncm object is released in ncm unbind\nbut 'dev->port_usb' associated to 'ncm->port' is not NULL.\n\nAnd when ncm bind again to recover netdev, ncm object is reallocated\nbut usb0 interface is already associated to previous released ncm object.\n\nTherefore, once usb0 interface is up and eth_start_xmit() is called,\nreleased ncm object is dereferrenced and it might cause use-after-free memory.\n\n[function unlink via configfs]\n usb0: eth_stop dev->port_usb=ffffff9b179c3200\n --> error happens in usb_ep_enable().\n NCM: ncm_disable: ncm=ffffff9b179c3200\n --> no gether_disconnect() since ncm->port.in_ep->enabled is false.\n NCM: ncm_unbind: ncm unbind ncm=ffffff9b179c3200\n NCM: ncm_free: ncm free ncm=ffffff9b179c3200 <-- released ncm\n\n[function link via configfs]\n NCM: ncm_alloc: ncm alloc ncm=ffffff9ac4f8a000\n NCM: ncm_bind: ncm bind ncm=ffffff9ac4f8a000\n NCM: ncm_set_alt: ncm=ffffff9ac4f8a000 alt=0\n usb0: eth_open dev->port_usb=ffffff9b179c3200 <-- previous released ncm\n usb0: eth_start dev->port_usb=ffffff9b179c3200 <--\n eth_start_xmit()\n --> dev->wrap()\n Unable to handle kernel paging request at virtual address dead00000000014f\n\nThis patch addresses the issue by checking if 'ncm->netdev' is not NULL at\nncm_disable() to call gether_disconnect() to deassociate 'dev->port_usb'.\nIt's more reasonable to check 'ncm->netdev' to call gether_connect/disconnect\nrather than check 'ncm->port.in_ep->enabled' since it might not be enabled\nbut the gether connection might be established.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-6039", + "id": "CVE-2024-26996", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26996" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-16T17:59:48Z" + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2022-1115" + "url": "https://git.kernel.org/stable/c/63981561ffd2d4987807df4126f96a11e18b0c1d" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067022" + "url": "https://git.kernel.org/stable/c/d919b6ea15ffa56fbafef4a1d92f47aeda9af645" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282" + "url": "https://git.kernel.org/stable/c/aa582b33f94453fdeaff1e7d0aa252c505975e01" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1115" + "url": "https://git.kernel.org/stable/c/f9414004798d9742c1af23a1d839fe6a9503751c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35862" + }, + { + "url": "https://git.kernel.org/linus/63981561ffd2d4987807df4126f96a11e18b0c1d(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-27", + "bom-ref": "vuln-31", "ratings": [ { "severity": "none", - "score": 0.00066, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35862" } } ], - "created": "2022-08-29T15:15:10Z", - "description": "A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.", + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_network_name_deleted()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2022-1115", + "id": "CVE-2024-35862", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35862" }, - "cwes": [ - 787, - 119 - ], "analysis": { "state": "in_triage" }, - "updated": "2022-09-06T14:09:41Z", + "updated": "2024-05-20T13:00:04Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://security-tracker.debian.org/tracker/CVE-2021-3864" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015046" + "url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d" }, { - "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com/" + "url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf" }, { - "url": "https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/" + "url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928" }, { - "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com/" + "url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d" }, { - "url": "https://access.redhat.com/security/cve/CVE-2021-3864" + "url": "https://git.kernel.org/linus/b3cb7a830a24527877b0bc900b9bd74a96aea928(6.8-rc1)" }, { - "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3864" - }, - { - "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - } - ], - "bom-ref": "vuln-28", - "ratings": [ + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52664" + } + ], + "bom-ref": "vuln-32", + "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.0, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52664" } } ], - "created": "2022-08-26T16:15:09Z", - "description": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "created": "2024-05-17T14:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2021-3864", + "id": "CVE-2023-52664", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52664" }, - "cwes": [ - 284 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-02-12T23:42:51Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-27T19:33:24Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/linus/8d037973d48c026224ab285e6a06985ccac6f7bf(6.3-rc1)" - }, - { - "url": "https://lkml.org/lkml/2022/12/9/178" + "url": "https://git.kernel.org/stable/c/76ffbe911e2798c7296968f5fd72f7bf67207a8d" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0461" + "url": "https://git.kernel.org/stable/c/48d443d200237782dc82e6b60663ec414ef02e39" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2176" + "url": "https://git.kernel.org/stable/c/0c8aa4cfda4e4adb15d5b6536d155eca9c9cd44c" }, { - "url": "https://ubuntu.com/security/notices/USN-6224-1" + "url": "https://git.kernel.org/stable/c/f0fe7ad5aff4f0fcf988913313c497de85f1e186" }, { - "url": "https://ubuntu.com/security/notices/USN-6235-1" + "url": "https://git.kernel.org/stable/c/269cdf353b5bdd15f1a079671b0f889113865f20" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0448" + "url": "https://git.kernel.org/stable/c/91e4c4595fae5e87069e44687ae879091783c183" }, { - "url": "https://patchwork.kernel.org/project/linux-rdma/patch/3d0e9a2fd62bc10ba02fed1c7c48a48638952320.1672819273.git.leonro@nvidia.com/" + "url": "https://git.kernel.org/stable/c/ca581d237f3b8539c044205bb003de71d75d227c" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/32eaee72e96590a75445c8a6c7c1057673b47e07" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0439" + "url": "https://git.kernel.org/stable/c/192e9f9078c96be30b31c4b44d6294b24520fce5" }, { - "url": "https://ubuntu.com/security/notices/USN-6228-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26955" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/linus/269cdf353b5bdd15f1a079671b0f889113865f20(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6194-1" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" } ], - "bom-ref": "vuln-29", + "bom-ref": "vuln-33", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26955" } } ], - "created": "2023-04-20T21:15:08Z", - "description": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.", + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: prevent kernel bug at submit_bh_wbc()\n\nFix a bug where nilfs_get_block() returns a successful status when\nsearching and inserting the specified block both fail inconsistently. If\nthis inconsistent behavior is not due to a previously fixed bug, then an\nunexpected race is occurring, so return a temporary error -EAGAIN instead.\n\nThis prevents callers such as __block_write_begin_int() from requesting a\nread into a buffer that is not mapped, which would cause the BUG_ON check\nfor the BH_Mapped flag in submit_bh_wbc() to fail.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-2176", + "id": "CVE-2024-26955", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26955" }, - "cwes": [ - 125 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-07-27T15:21:17Z", + "updated": "2024-05-01T13:02:20Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" - }, - { - "url": "https://www.openssl.org/news/secadv/20231106.txt" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" + "url": "https://git.kernel.org/stable/c/c8bddbd91bc8e42c961a5e2cec20ab879f21100f" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + "url": "https://git.kernel.org/stable/c/4f2bdb3c5e3189297e156b3ff84b140423d64685" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" + "url": "https://git.kernel.org/stable/c/e8678551c0243f799b4859448781cbec1bd6f1cb" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://git.kernel.org/stable/c/ea9a0cfc07a7d3601cc680718d9cff0d6927a921" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + "url": "https://git.kernel.org/stable/c/7eeabcea79b67cc29563e6a9a5c81f9e2c664d5b" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://git.kernel.org/stable/c/2884a50f52313a7a911de3afcad065ddbb3d78fc" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://git.kernel.org/stable/c/6b948b54c8bd620725e0c906e44b10c0b13087a7" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + "url": "https://git.kernel.org/stable/c/e8b067c4058c0121ac8ca71559df8e2e08ff1a7e" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + "url": "https://git.kernel.org/stable/c/be1dd9254fc115321d6fbee042026d42afc8d931" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35789" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + "url": "https://git.kernel.org/linus/4f2bdb3c5e3189297e156b3ff84b140423d64685(6.9-rc2)" } ], - "bom-ref": "vuln-30", + "bom-ref": "vuln-34", "ratings": [ { "severity": "none", - "score": 0.00079, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35789" } } ], - "created": "2023-11-06T16:15:42Z", - "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes\n\nWhen moving a station out of a VLAN and deleting the VLAN afterwards, the\nfast_rx entry still holds a pointer to the VLAN's netdev, which can cause\nuse-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx\nafter the VLAN change.", "affects": [ { - "ref": "comp-103" + "ref": "comp-399" } ], - "id": "CVE-2023-5678", + "id": "CVE-2024-35789", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35789" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-30T22:15:09Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10" - }, - { - "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12" - }, - { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c" + "url": "https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce" }, { - "url": "https://access.redhat.com/errata/RHSA-2021:1578" + "url": "https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97" }, { - "url": "https://access.redhat.com/errata/RHSA-2021:1739" + "url": "https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-019.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36694" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35860" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/linus/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce(6.9-rc3)" } ], - "bom-ref": "vuln-31", + "bom-ref": "vuln-35", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35860" } } ], - "created": "2023-05-21T23:15:08Z", - "description": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.", + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support deferring bpf_link dealloc to after RCU grace period\n\nBPF link for some program types is passed as a \"context\" which can be\nused by those BPF programs to look up additional information. E.g., for\nmulti-kprobes and multi-uprobes, link is used to fetch BPF cookie values.\n\nBecause of this runtime dependency, when bpf_link refcnt drops to zero\nthere could still be active BPF programs running accessing link data.\n\nThis patch adds generic support to defer bpf_link dealloc callback to\nafter RCU GP, if requested. This is done by exposing two different\ndeallocation callbacks, one synchronous and one deferred. If deferred\none is provided, bpf_link_free() will schedule dealloc_deferred()\ncallback to happen after RCU GP.\n\nBPF is using two flavors of RCU: \"classic\" non-sleepable one and RCU\ntasks trace one. The latter is used when sleepable BPF programs are\nused. bpf_link_free() accommodates that by checking underlying BPF\nprogram's sleepable flag, and goes either through normal RCU GP only for\nnon-sleepable, or through RCU tasks trace GP *and* then normal RCU GP\n(taking into account rcu_trace_implies_rcu_gp() optimization), if BPF\nprogram is sleepable.\n\nWe use this for multi-kprobe and multi-uprobe links, which dereference\nlink during program run. We also preventively switch raw_tp link to use\ndeferred dealloc callback, as upcoming changes in bpf-next tree expose\nraw_tp link data (specifically, cookie value) to BPF program at runtime\nas well.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2020-36694", + "id": "CVE-2024-35860", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35860" }, - "cwes": [ - 416 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-06-22T15:15:09Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T14:42:13Z" - } - ] + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-5341" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241774" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html" + "url": "https://git.kernel.org/stable/c/23027309b099ffc4efca5477009a11dccbdae592" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/" + "url": "https://git.kernel.org/stable/c/fa69a8063f8b27f3c7434a0d4f464a76a62f24d2" }, { - "url": "https://ubuntu.com/security/notices/USN-6621-1" + "url": "https://git.kernel.org/stable/c/8b1d72395635af45410b66cc4c4ab37a12c4a831" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2289.html" + "url": "https://git.kernel.org/stable/c/ce31d79aa1f13a2345791f84935281a2c194e003" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-379.html" + "url": "https://git.kernel.org/linus/8b1d72395635af45410b66cc4c4ab37a12c4a831(6.8-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5341" - }, - { - "url": "https://alas.aws.amazon.com/ALAS-2023-1856.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26706" } ], - "bom-ref": "vuln-32", + "bom-ref": "vuln-36", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26706" } } ], - "created": "2023-11-19T10:15:49Z", - "description": "A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.", + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nparisc: Fix random data corruption from exception handler\n\nThe current exception handler implementation, which assists when accessing\nuser space memory, may exhibit random data corruption if the compiler decides\nto use a different register than the specified register %r29 (defined in\nASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another\nregister, the fault handler will nevertheless store -EFAULT into %r29 and thus\ntrash whatever this register is used for.\nLooking at the assembly I found that this happens sometimes in emulate_ldd().\n\nTo solve the issue, the easiest solution would be if it somehow is\npossible to tell the fault handler which register is used to hold the error\ncode. Using %0 or %1 in the inline assembly is not posssible as it will show\nup as e.g. %r29 (with the \"%r\" prefix), which the GNU assembler can not\nconvert to an integer.\n\nThis patch takes another, better and more flexible approach:\nWe extend the __ex_table (which is out of the execution path) by one 32-word.\nIn this word we tell the compiler to insert the assembler instruction\n\"or %r0,%r0,%reg\", where %reg references the register which the compiler\nchoosed for the error return code.\nIn case of an access failure, the fault handler finds the __ex_table entry and\ncan examine the opcode. The used register is encoded in the lowest 5 bits, and\nthe fault handler can then store -EFAULT into this register.\n\nSince we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT\nconfig option any longer.", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2023-5341", + "id": "CVE-2024-26706", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26706" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-22T11:15:08Z", + "updated": "2024-04-03T17:24:18Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/989b0ff35fe5fc9652ee5bafbe8483db6f27b137" - }, - { - "url": "https://git.kernel.org/stable/c/23d05d563b7e7b0314e65c8e882bc27eac2da8e7" + "url": "https://git.kernel.org/stable/c/a891add409e3bc381f4f68c2ce9d953f1865cb1f" }, { - "url": "https://git.kernel.org/stable/c/cd1022eaf87be8e6151435bd4df4c242c347e083" + "url": "https://git.kernel.org/stable/c/f4bbac954d8f9ab214ea1d4f385de4fa6bd92dd0" }, { - "url": "https://git.kernel.org/stable/c/95b3904a261a9f810205da560e802cc326f50d77" + "url": "https://git.kernel.org/stable/c/32e39bab59934bfd3f37097d4dd85ac5eb0fd549" }, { - "url": "https://git.kernel.org/stable/c/8f8f185643747fbb448de6aab0efa51c679909a3" + "url": "https://git.kernel.org/stable/c/72e4d3fb72e9f0f016946158a7d95304832768e6" }, { - "url": "https://git.kernel.org/stable/c/6c53e8547687d9c767c139cd4b50af566f58c29a" + "url": "https://git.kernel.org/stable/c/94cf2fb6feccd625e5b4e23e1b70f39a206f82ac" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52435" + "url": "https://git.kernel.org/linus/32e39bab59934bfd3f37097d4dd85ac5eb0fd549(6.9-rc2)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/23d05d563b7e7b0314e65c8e882bc27eac2da8e7(6.7-rc6)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26938" } ], - "bom-ref": "vuln-33", + "bom-ref": "vuln-37", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26938" } } ], - "created": "2024-02-20T20:15:08Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---", + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()\n\nIf we have no VBT, or the VBT didn't declare the encoder\nin question, we won't have the 'devdata' for the encoder.\nInstead of oopsing just bail early.\n\nWe won't be able to tell whether the port is DP++ or not,\nbut so be it.\n\n(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-52435", + "id": "CVE-2024-26938", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26938" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-23T09:15:22Z", + "updated": "2024-05-01T13:02:20Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + "url": "https://git.kernel.org/stable/c/3b48c9e258c8691c2f093ee07b1ea3764caaa1b2" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-4133" + "url": "https://git.kernel.org/stable/c/46eba193d04f8bd717e525eb4110f3c46c12aec3" }, { - "url": "https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15(6.3)" + "url": "https://git.kernel.org/stable/c/6609e98ed82966a1b3168c142aca30f8284a7b89" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/e9837c83befb5b852fa76425dde98a87b737df00" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4133" - } - ], - "bom-ref": "vuln-34", - "ratings": [ + "url": "https://git.kernel.org/stable/c/e42ff0844fe418c7d03a14f9f90e1b91ba119591" + }, { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" - } + "url": "https://git.kernel.org/stable/c/2fc45a4631ac7837a5c497cb4f7e2115d950fc37" + }, + { + "url": "https://git.kernel.org/stable/c/7e0ff50131e9d1aa507be8e670d38e9300a5f5bf" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26684" }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://git.kernel.org/linus/46eba193d04f8bd717e525eb4110f3c46c12aec3(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-38", + "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26684" } } ], - "created": "2023-08-03T15:15:33Z", - "description": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: xgmac: fix handling of DPP safety error for DMA channels\n\nCommit 56e58d6c8a56 (\"net: stmmac: Implement Safety Features in\nXGMAC core\") checks and reports safety errors, but leaves the\nData Path Parity Errors for each channel in DMA unhandled at all, lead to\na storm of interrupt.\nFix it by checking and clearing the DMA_DPP_Interrupt_Status register.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-4133", + "id": "CVE-2024-26684", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26684" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-07T04:22:09Z" + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/CALGdzuo6awWdau3X=8XK547x2vX_-VoFmH1aPsqosRTQ5WzJVA@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/0399d7eba41d9b28f5bdd7757ec21a5b7046858d" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/d637b5118274701e8448f35953877daf04df18b4" }, { - "url": "https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu@suse.com/" + "url": "https://git.kernel.org/stable/c/f19361d570c67e7e014896fa2dacd7d721bf0aa8" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23850" + "url": "https://git.kernel.org/stable/c/e94da8aca2e78ef9ecca02eb211869eacd5504e5" + }, + { + "url": "https://git.kernel.org/stable/c/e4168ac25b4bd378bd7dda322d589482a136c1fd" + }, + { + "url": "https://git.kernel.org/stable/c/de8b6e1c231a95abf95ad097b993d34b31458ec9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26776" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/de8b6e1c231a95abf95ad097b993d34b31458ec9(6.8-rc2)" } ], - "bom-ref": "vuln-35", + "bom-ref": "vuln-39", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26776" } } ], - "created": "2024-01-23T09:15:36Z", - "description": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.", + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected\n\nReturn IRQ_NONE from the interrupt handler when no interrupt was\ndetected. Because an empty interrupt will cause a null pointer error:\n\n Unable to handle kernel NULL pointer dereference at virtual\n address 0000000000000008\n Call trace:\n complete+0x54/0x100\n hisi_sfc_v3xx_isr+0x2c/0x40 [spi_hisi_sfc_v3xx]\n __handle_irq_event_percpu+0x64/0x1e0\n handle_irq_event+0x7c/0x1cc", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-23850", + "id": "CVE-2024-26776", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26776" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6655G3GPS42WQM32DJHUCZALI2URQSCO/" + "url": "https://git.kernel.org/stable/c/5e3eb862df9f972ab677fb19e0d4b9b1be8db7b5" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185714" + "url": "https://git.kernel.org/stable/c/59b2626dd8c8a2e13f18054b3530e0c00073d79f" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-1906" + "url": "https://git.kernel.org/stable/c/704edc9252f4988ae1ad7dafa23d0db8d90d7190" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034373" + "url": "https://git.kernel.org/stable/c/0e45882ca829b26b915162e8e86dbb1095768e9e" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-170.html" + "url": "https://git.kernel.org/linus/0e45882ca829b26b915162e8e86dbb1095768e9e(6.9-rc2)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1906" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6200-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26939" } ], - "bom-ref": "vuln-36", + "bom-ref": "vuln-40", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906" - } - }, { "severity": "none", - "score": 0.00046, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26939" } } ], - "created": "2023-04-12T22:15:11Z", - "description": "A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.", + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/vma: Fix UAF on destroy against retire race\n\nObject debugging tools were sporadically reporting illegal attempts to\nfree a still active i915 VMA object when parking a GT believed to be idle.\n\n[161.359441] ODEBUG: free active (active state 0) object: ffff88811643b958 object type: i915_active hint: __i915_vma_active+0x0/0x50 [i915]\n[161.360082] WARNING: CPU: 5 PID: 276 at lib/debugobjects.c:514 debug_print_object+0x80/0xb0\n...\n[161.360304] CPU: 5 PID: 276 Comm: kworker/5:2 Not tainted 6.5.0-rc1-CI_DRM_13375-g003f860e5577+ #1\n[161.360314] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n[161.360322] Workqueue: i915-unordered __intel_wakeref_put_work [i915]\n[161.360592] RIP: 0010:debug_print_object+0x80/0xb0\n...\n[161.361347] debug_object_free+0xeb/0x110\n[161.361362] i915_active_fini+0x14/0x130 [i915]\n[161.361866] release_references+0xfe/0x1f0 [i915]\n[161.362543] i915_vma_parked+0x1db/0x380 [i915]\n[161.363129] __gt_park+0x121/0x230 [i915]\n[161.363515] ____intel_wakeref_put_last+0x1f/0x70 [i915]\n\nThat has been tracked down to be happening when another thread is\ndeactivating the VMA inside __active_retire() helper, after the VMA's\nactive counter has been already decremented to 0, but before deactivation\nof the VMA's object is reported to the object debugging tool.\n\nWe could prevent from that race by serializing i915_active_fini() with\n__active_retire() via ref->tree_lock, but that wouldn't stop the VMA from\nbeing used, e.g. from __i915_vma_retire() called at the end of\n__active_retire(), after that VMA has been already freed by a concurrent\ni915_vma_destroy() on return from the i915_active_fini(). Then, we should\nrather fix the issue at the VMA level, not in i915_active.\n\nSince __i915_vma_parked() is called from __gt_park() on last put of the\nGT's wakeref, the issue could be addressed by holding the GT wakeref long\nenough for __active_retire() to complete before that wakeref is released\nand the GT parked.\n\nI believe the issue was introduced by commit d93939730347 (\"drm/i915:\nRemove the vma refcount\") which moved a call to i915_active_fini() from\na dropped i915_vma_release(), called on last put of the removed VMA kref,\nto i915_vma_parked() processing path called on last put of a GT wakeref.\nHowever, its visibility to the object debugging tool was suppressed by a\nbug in i915_active that was fixed two weeks later with commit e92eb246feb9\n(\"drm/i915/active: Fix missing debug object activation\").\n\nA VMA associated with a request doesn't acquire a GT wakeref by itself.\nInstead, it depends on a wakeref held directly by the request's active\nintel_context for a GT associated with its VM, and indirectly on that\nintel_context's engine wakeref if the engine belongs to the same GT as the\nVMA's VM. Those wakerefs are released asynchronously to VMA deactivation.\n\nFix the issue by getting a wakeref for the VMA's GT when activating it,\nand putting that wakeref only after the VMA is deactivated. However,\nexclude global GTT from that processing path, otherwise the GPU never goes\nidle. Since __i915_vma_retire() may be called from atomic contexts, use\nasync variant of wakeref put. Also, to avoid circular locking dependency,\ntake care of acquiring the wakeref before VM mutex when both are needed.\n\nv7: Add inline comments with justifications for:\n - using untracked variants of intel_gt_pm_get/put() (Nirmoy),\n - using async variant of _put(),\n - not getting the wakeref in case of a global GTT,\n - always getting the first wakeref outside vm->mutex.\nv6: Since __i915_vma_active/retire() callbacks are not serialized, storing\n a wakeref tracking handle inside struct i915_vma is not safe, and\n there is no other good place for that. Use untracked variants of\n intel_gt_pm_get/put_async().\nv5: Replace \"tile\" with \"GT\" across commit description (Rodrigo),\n - \n---truncated---", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2023-1906", + "id": "CVE-2024-26939", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26939" }, - "cwes": [ - 787, - 122 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:05:19Z", + "updated": "2024-05-01T13:02:20Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-24T01:12:33Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/24ec7504a08a67247fbe798d1de995208a8c128a" + "url": "https://git.kernel.org/stable/c/a9ebf340d123ae12582210407f879d6a5a1bc25b" }, { - "url": "https://git.kernel.org/stable/c/50fb4e17df319bb33be6f14e2a856950c1577dee" + "url": "https://git.kernel.org/stable/c/0b6de00206adbbfc6373b3ae38d2a6f197987907" }, { - "url": "https://git.kernel.org/stable/c/b6a2a9cbb67545c825ec95f06adb7ff300a2ad71" + "url": "https://git.kernel.org/stable/c/939109c0a8e2a006a6cc8209e262d25065f4403a" }, { - "url": "https://git.kernel.org/stable/c/3cd139875e9a7688b3fc715264032620812a5fa3" + "url": "https://git.kernel.org/stable/c/934e66e231cff2b18faa2c8aad0b8cec13957e05" }, { - "url": "https://git.kernel.org/stable/c/2441a64070b85c14eecc3728cc87e883f953f265" + "url": "https://git.kernel.org/stable/c/8d56bad42ac4c43c6c72ddd6a654a2628bf839c5" }, { - "url": "https://git.kernel.org/stable/c/944d5fe50f3f03daacfea16300e656a1691c4a23" + "url": "https://git.kernel.org/stable/c/01f1a678b05ade4b1248019c2dcca773aebbeb7f" }, { - "url": "https://git.kernel.org/stable/c/c5b2063c65d05e79fad8029324581d86cfba7eea" + "url": "https://git.kernel.org/stable/c/b38a133d37fa421c8447b383d788c9cc6f5cb34c" }, { - "url": "https://git.kernel.org/stable/c/db896bbe4a9c67cee377e5f6a743350d3ae4acf6" + "url": "https://git.kernel.org/stable/c/f969eb84ce482331a991079ab7a5c4dc3b7f89bf" }, { - "url": "https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27020" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26602" + "url": "https://git.kernel.org/linus/f969eb84ce482331a991079ab7a5c4dc3b7f89bf(6.9-rc5)" } ], - "bom-ref": "vuln-37", + "bom-ref": "vuln-41", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27020" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.", + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()\n\nnft_unregister_expr() can concurrent with __nft_expr_type_get(),\nand there is not any protection when iterate over nf_tables_expressions\nlist in __nft_expr_type_get(). Therefore, there is potential data-race\nof nf_tables_expressions list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_expressions\nlist in __nft_expr_type_get(), and use rcu_read_lock() in the caller\nnft_expr_type_get() to protect the entire type query process.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26602", + "id": "CVE-2024-27020", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27020" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:32:25Z" + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + "url": "https://git.kernel.org/stable/c/1d7f1049035b2060342f11eff957cf567d810bdc" }, { - "url": "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20" + "url": "https://git.kernel.org/stable/c/a6d2a8b211c874971ee4cf3ddd167408177f6e76" + }, + { + "url": "https://git.kernel.org/stable/c/aaef73821a3b0194a01bd23ca77774f704a04d40" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26605" + "url": "https://git.kernel.org/stable/c/f01d6619045704d78613b14e2e0420bfdb7f1c15" + }, + { + "url": "https://git.kernel.org/stable/c/a2fd6dbc98be1105a1d8e9e31575da8873ef115c" + }, + { + "url": "https://git.kernel.org/stable/c/68a28f551e4690db2b27b3db716c7395f6fada12" + }, + { + "url": "https://git.kernel.org/stable/c/48a1f83ca9c68518b1a783c62e6a8223144fa9fc" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/1e560864159d002b453da42bd2c13a1805515a20(6.8-rc3)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26926" + }, + { + "url": "https://git.kernel.org/linus/aaef73821a3b0194a01bd23ca77774f704a04d40(6.9-rc5)" } ], - "bom-ref": "vuln-38", + "bom-ref": "vuln-42", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26926" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: check offset alignment in binder_get_object()\n\nCommit 6d98eb95b450 (\"binder: avoid potential data leakage when copying\ntxn\") introduced changes to how binder objects are copied. In doing so,\nit unintentionally removed an offset alignment check done through calls\nto binder_alloc_copy_from_buffer() -> check_buffer().\n\nThese calls were replaced in binder_get_object() with copy_from_user(),\nso now an explicit offset alignment check is needed here. This avoids\nlater complications when unwinding the objects gets harder.\n\nIt is worth noting this check existed prior to commit 7a67a39320df\n(\"binder: add function to copy binder object from buffer\"), likely\nremoved due to redundancy at the time.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26605", + "id": "CVE-2024-26926", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26926" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:32:25Z" + "updated": "2024-05-03T06:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://www.postgresql.org/support/security/CVE-2024-0985/" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:1071" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:1070" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6656-1" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:0988" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:0956" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0985" + "url": "https://git.kernel.org/stable/c/7a3bbe41efa55323b6ea3c35fa15941d4dbecdef" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0990" + "url": "https://git.kernel.org/stable/c/ca09dfc3cfdf89e6af3ac24e1c6c0be5c575a729" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0992" + "url": "https://git.kernel.org/stable/c/d679c816929d62af51c8e6d7fc0e165c9412d2f3" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/1be3226445362bfbf461c92a5bcdb1723f2e4907" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:1069" + "url": "https://git.kernel.org/stable/c/69a02273e288011b521ee7c1f3ab2c23fda633ce" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0950" + "url": "https://git.kernel.org/stable/c/ab86cf6f8d24e63e9aca23da5108af1aa5483928" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:1017" + "url": "https://git.kernel.org/stable/c/52aaf1ff14622a04148dbb9ccce6d9de5d534ea7" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0973" + "url": "https://git.kernel.org/stable/c/bbaafbb4651fede8d3c3881601ecaa4f834f9d3f" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0951" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26999" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0974" + "url": "https://git.kernel.org/linus/1be3226445362bfbf461c92a5bcdb1723f2e4907(6.9-rc5)" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0975" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-39", + "bom-ref": "vuln-43", "ratings": [ - { - "severity": "high", - "score": 8.0, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0985" - } - }, { "severity": "none", - "score": 0.0005, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26999" } } ], - "created": "2024-02-08T13:15:08Z", - "description": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.", + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial/pmac_zilog: Remove flawed mitigation for rx irq flood\n\nThe mitigation was intended to stop the irq completely. That may be\nbetter than a hard lock-up but it turns out that you get a crash anyway\nif you're using pmac_zilog as a serial console:\n\nttyPZ0: pmz: rx irq flood !\nBUG: spinlock recursion on CPU#0, swapper/0\n\nThat's because the pr_err() call in pmz_receive_chars() results in\npmz_console_write() attempting to lock a spinlock already locked in\npmz_interrupt(). With CONFIG_DEBUG_SPINLOCK=y, this produces a fatal\nBUG splat. The spinlock in question is the one in struct uart_port.\n\nEven when it's not fatal, the serial port rx function ceases to work.\nAlso, the iteration limit doesn't play nicely with QEMU, as can be\nseen in the bug report linked below.\n\nA web search for other reports of the error message \"pmz: rx irq flood\"\ndidn't produce anything. So I don't think this code is needed any more.\nRemove it.", "affects": [ { - "ref": "comp-283" + "ref": "comp-399" } ], - "id": "CVE-2024-0985", + "id": "CVE-2024-26999", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0985" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26999" }, - "cwes": [ - 271 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-15T15:23:49Z", + "updated": "2024-05-03T06:15:12Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T05:28:43Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-283", - "value": "0:15.6-0+deb12u1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS" + "url": "https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce" }, { - "url": "https://code.videolan.org/videolan/dav1d/-/releases/1.4.0" + "url": "https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064310" + "url": "https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039" + }, + { + "url": "https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7" + }, + { + "url": "https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9" + }, + { + "url": "https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525" + }, + { + "url": "https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52" + }, + { + "url": "https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716" + }, + { + "url": "https://git.kernel.org/linus/fff1386cc889d8fb4089d285f883f8cba62d82ce(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26984" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1580" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-40", + "bom-ref": "vuln-44", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26984" } } ], - "created": "2024-02-19T11:15:08Z", - "description": "An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.\n\n\n\n", + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: fix instmem race condition around ptr stores\n\nRunning a lot of VK CTS in parallel against nouveau, once every\nfew hours you might see something like this crash.\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\nHardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\nRIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\nCode: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1\nRSP: 0000:ffffac20c5857838 EFLAGS: 00010202\nRAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001\nRDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180\nRBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10\nR10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c\nR13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c\nFS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\n...\n\n ? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]\n ? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]\n nvkm_vmm_iter+0x351/0xa20 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n ? __lock_acquire+0x3ed/0x2170\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]\n ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]\n ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]\n nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]\n\nAdding any sort of useful debug usually makes it go away, so I hand\nwrote the function in a line, and debugged the asm.\n\nEvery so often pt->memory->ptrs is NULL. This ptrs ptr is set in\nthe nv50_instobj_acquire called from nvkm_kmap.\n\nIf Thread A and Thread B both get to nv50_instobj_acquire around\nthe same time, and Thread A hits the refcount_set line, and in\nlockstep thread B succeeds at refcount_inc_not_zero, there is a\nchance the ptrs value won't have been stored since refcount_set\nis unordered. Force a memory barrier here, I picked smp_mb, since\nwe want it on all CPUs and it's write followed by a read.\n\nv2: use paired smp_rmb/smp_wmb.", "affects": [ { - "ref": "comp-69" + "ref": "comp-399" } ], - "id": "CVE-2024-1580", + "id": "CVE-2024-26984", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1580" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26984" }, - "cwes": [ - 190 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T19:50:53Z" + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3@huawei.com/T/" + "url": "https://git.kernel.org/stable/c/6e920422e7104928f760fc0e12b6d65ab097a2e7" + }, + { + "url": "https://git.kernel.org/stable/c/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0" + }, + { + "url": "https://git.kernel.org/stable/c/a2e6bffc0388526ed10406040279a693d62b36ec" + }, + { + "url": "https://git.kernel.org/stable/c/bc4d1ebca11b4f194e262326bd45938e857c59d2" + }, + { + "url": "https://git.kernel.org/stable/c/b9117dc783c0ab0a3866812f70e07bf2ea071ac4" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25740" + "url": "https://git.kernel.org/stable/c/d7ee3bf0caf599c14db0bf4af7aacd6206ef8a23" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35934" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/00af2aa93b76b1bade471ad0d0525d4d29ca5cc0(6.9-rc1)" } ], - "bom-ref": "vuln-41", + "bom-ref": "vuln-45", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35934" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()\n\nMany syzbot reports show extreme rtnl pressure, and many of them hint\nthat smc acquires rtnl in netns creation for no good reason [1]\n\nThis patch returns early from smc_pnet_net_init()\nif there is no netdevice yet.\n\nI am not even sure why smc_pnet_create_pnetids_list() even exists,\nbecause smc_pnet_netdev_event() is also calling\nsmc_pnet_add_base_pnetid() when handling NETDEV_UP event.\n\n[1] extract of typical syzbot reports\n\n2 locks held by syz-executor.3/12252:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12253:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12257:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12261:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.0/12265:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.3/12268:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.4/12271:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.1/12274:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878\n2 locks held by syz-executor.2/12280:\n #0: ffffffff8f369610 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c7/0x7b0 net/core/net_namespace.c:491\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_create_pnetids_list net/smc/smc_pnet.c:809 [inline]\n #1: ffffffff8f375b88 (rtnl_mutex){+.+.}-{3:3}, at: smc_pnet_net_init+0x10a/0x1e0 net/smc/smc_pnet.c:878", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-25740", + "id": "CVE-2024-35934", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35934" }, - "cwes": [ - 401 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T21:11:27Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815" + "url": "https://git.kernel.org/stable/c/bdbe483da21f852c93b22557b146bc4d989260f0" + }, + { + "url": "https://git.kernel.org/stable/c/90823f8d9ecca3d5fa6b102c8e464c62f416975f" + }, + { + "url": "https://git.kernel.org/stable/c/897ac5306bbeb83e90c437326f7044c79a17c611" + }, + { + "url": "https://git.kernel.org/stable/c/c4a7dc9523b59b3e73fd522c73e95e072f876b16" + }, + { + "url": "https://git.kernel.org/stable/c/7061c7efbb9e8f11ce92d6b4646405ea2b0b4de1" + }, + { + "url": "https://git.kernel.org/stable/c/90f43980ea6be4ad903e389be9a27a2a0018f1c8" + }, + { + "url": "https://git.kernel.org/stable/c/2382eae66b196c31893984a538908c3eb7506ff9" + }, + { + "url": "https://git.kernel.org/stable/c/054f29e9ca05be3906544c5f2a2c7321c30a4243" + }, + { + "url": "https://git.kernel.org/linus/c4a7dc9523b59b3e73fd522c73e95e072f876b16(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26981" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-42", + "bom-ref": "vuln-46", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26981" } } ], - "created": "2024-03-04T07:15:11Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: fix UAF write bug in tomoyo_write_control()\n\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held. Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.", + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix OOB in nilfs_set_de_type\n\nThe size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is\ndefined as \"S_IFMT >> S_SHIFT\", but the nilfs_set_de_type() function,\nwhich uses this array, specifies the index to read from the array in the\nsame way as \"(mode & S_IFMT) >> S_SHIFT\".\n\nstatic void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode\n *inode)\n{\n\tumode_t mode = inode->i_mode;\n\n\tde->file_type = nilfs_type_by_mode[(mode & S_IFMT)>>S_SHIFT]; // oob\n}\n\nHowever, when the index is determined this way, an out-of-bounds (OOB)\nerror occurs by referring to an index that is 1 larger than the array size\nwhen the condition \"mode & S_IFMT == S_IFMT\" is satisfied. Therefore, a\npatch to resize the nilfs_type_by_mode array should be applied to prevent\nOOB errors.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26622", + "id": "CVE-2024-26981", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26622" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26981" }, "analysis": { "state": "in_triage" }, - "updated": "2024-03-04T13:58:23Z" + "updated": "2024-05-03T06:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009704" + "url": "https://git.kernel.org/stable/c/74204bf9050f7627aead9875fe4e07ba125cb19b" + }, + { + "url": "https://git.kernel.org/stable/c/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89" + }, + { + "url": "https://git.kernel.org/stable/c/c6a368f9c7af4c14b14d390c2543af8001c9bdb9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35887" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3847" + "url": "https://git.kernel.org/linus/fd819ad3ecf6f3c232a06b27423ce9ed8c20da89(6.9-rc3)" } ], - "bom-ref": "vuln-43", + "bom-ref": "vuln-47", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35887" } } ], - "created": "2022-04-01T23:15:10Z", - "description": "An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.", + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix use-after-free bugs caused by ax25_ds_del_timer\n\nWhen the ax25 device is detaching, the ax25_dev_device_down()\ncalls ax25_ds_del_timer() to cleanup the slave_timer. When\nthe timer handler is running, the ax25_ds_del_timer() that\ncalls del_timer() in it will return directly. As a result,\nthe use-after-free bugs could happen, one of the scenarios\nis shown below:\n\n (Thread 1) | (Thread 2)\n | ax25_ds_timeout()\nax25_dev_device_down() |\n ax25_ds_del_timer() |\n del_timer() |\n ax25_dev_put() //FREE |\n | ax25_dev-> //USE\n\nIn order to mitigate bugs, when the device is detaching, use\ntimer_shutdown_sync() to stop the timer.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2021-3847", + "id": "CVE-2024-35887", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35887" }, - "cwes": [ - 281 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2022-04-11T20:31:06Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" - } - ] + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217271" + "url": "https://git.kernel.org/stable/c/8de8305a25bfda607fc13475ebe84b978c96d7ff" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-3397" + "url": "https://git.kernel.org/stable/c/d3bbe77a76bc52e9d4d0a120f1509be36e25c916" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-043.html" + "url": "https://git.kernel.org/stable/c/5a6dcc4ad0f7f7fa8e8d127b5526e7c5f2d38a43" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1883.html" + "url": "https://git.kernel.org/stable/c/832698373a25950942c04a512daa652c18a9b513" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2340.html" + "url": "https://git.kernel.org/stable/c/21dbe20589c7f48e9c5d336ce6402bcebfa6d76a" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3397" + "url": "https://git.kernel.org/stable/c/d639102f4cbd4cb65d1225dba3b9265596aab586" }, { - "url": "https://lore.kernel.org/lkml/20230515095956.17898-1-zyytlz.wz@163.com/" + "url": "https://git.kernel.org/stable/c/ffeb72a80a82aba59a6774b0611f792e0ed3b0b7" + }, + { + "url": "https://git.kernel.org/stable/c/6b92b1bc16d691c95b152c6dbf027ad64315668d" + }, + { + "url": "https://git.kernel.org/linus/832698373a25950942c04a512daa652c18a9b513(6.8-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2023-056.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26772" } ], - "bom-ref": "vuln-44", + "bom-ref": "vuln-48", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26772" } } ], - "created": "2023-11-01T20:15:08Z", - "description": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()\n\nPlaces the logic for checking if the group's block bitmap is corrupt under\nthe protection of the group lock to avoid allocating blocks from the group\nwith a corrupted block bitmap.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-3397", + "id": "CVE-2024-26772", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26772" }, - "cwes": [ - 416, - 362 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-09T15:09:04Z", + "updated": "2024-04-03T17:24:18Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/b3db266fb031fba88c423d4bb8983a73a3db6527" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23851" + "url": "https://git.kernel.org/stable/c/266f403ec47573046dee4bcebda82777ce702c40" }, { - "url": "https://lore.kernel.org/all/PH7PR11MB576877FF72A9B2D43EAA1AEBA093A@PH7PR11MB5768.namprd11.prod.outlook.com/T/" + "url": "https://git.kernel.org/stable/c/0defcaa09d3b21e8387829ee3a652c43fa91e13f" + }, + { + "url": "https://git.kernel.org/linus/b3db266fb031fba88c423d4bb8983a73a3db6527(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35924" } ], - "bom-ref": "vuln-45", + "bom-ref": "vuln-49", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35924" } } ], - "created": "2024-01-23T09:15:36Z", - "description": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.", + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: ucsi: Limit read size on v1.2\n\nBetween UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region was\nincreased from 16 to 256. In order to avoid overflowing reads for older\nsystems, add a mechanism to use the read UCSI version to truncate read\nsizes on UCSI v1.2.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-23851", + "id": "CVE-2024-35924", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35924" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144" - }, - { - "url": "https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29" + "url": "https://git.kernel.org/stable/c/eaa8fc9b092837cf2c754bde1a15d784ce9a85ab" }, { - "url": "https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48" + "url": "https://git.kernel.org/stable/c/af916cb66a80597f3523bc85812e790bcdcfd62b" }, { - "url": "https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa" + "url": "https://git.kernel.org/stable/c/16c4770c75b1223998adbeb7286f9a15c65fba73" }, { - "url": "https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5" + "url": "https://git.kernel.org/linus/16c4770c75b1223998adbeb7286f9a15c65fba73(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52434" - }, - { - "url": "https://git.kernel.org/linus/af1689a9b7701d9907dfc84d2a4b57c4bc907144(6.7-rc6)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35794" } ], - "bom-ref": "vuln-46", + "bom-ref": "vuln-50", "ratings": [ { "severity": "none", "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35794" } } ], - "created": "2024-02-20T18:15:50Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n BUG: unable to handle page fault for address: ffff8881178d8cc3\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 4a01067 P4D 4a01067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x181/0x480\n ? search_module_extables+0x19/0x60\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x1b6/0x1c0\n ? asm_exc_page_fault+0x26/0x30\n ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n SMB2_open+0x38d/0x5f0 [cifs]\n ? smb2_is_path_accessible+0x138/0x260 [cifs]\n smb2_is_path_accessible+0x138/0x260 [cifs]\n cifs_is_path_remote+0x8d/0x230 [cifs]\n cifs_mount+0x7e/0x350 [cifs]\n cifs_smb3_do_mount+0x128/0x780 [cifs]\n smb3_get_tree+0xd9/0x290 [cifs]\n vfs_get_tree+0x2c/0x100\n ? capable+0x37/0x70\n path_mount+0x2d7/0xb80\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? _raw_spin_unlock_irqrestore+0x44/0x60\n __x64_sys_mount+0x11a/0x150\n do_syscall_64+0x47/0xf0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7f8737657b1e", + "created": "2024-05-17T13:15:59Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid: really frozen sync_thread during suspend\n\n1) commit f52f5c71f3d4 (\"md: fix stopping sync thread\") remove\n MD_RECOVERY_FROZEN from __md_stop_writes() and doesn't realize that\n dm-raid relies on __md_stop_writes() to frozen sync_thread\n indirectly. Fix this problem by adding MD_RECOVERY_FROZEN in\n md_stop_writes(), and since stop_sync_thread() is only used for\n dm-raid in this case, also move stop_sync_thread() to\n md_stop_writes().\n2) The flag MD_RECOVERY_FROZEN doesn't mean that sync thread is frozen,\n it only prevent new sync_thread to start, and it can't stop the\n running sync thread; In order to frozen sync_thread, after seting the\n flag, stop_sync_thread() should be used.\n3) The flag MD_RECOVERY_FROZEN doesn't mean that writes are stopped, use\n it as condition for md_stop_writes() in raid_postsuspend() doesn't\n look correct. Consider that reentrant stop_sync_thread() do nothing,\n always call md_stop_writes() in raid_postsuspend().\n4) raid_message can set/clear the flag MD_RECOVERY_FROZEN at anytime,\n and if MD_RECOVERY_FROZEN is cleared while the array is suspended,\n new sync_thread can start unexpected. Fix this by disallow\n raid_message() to change sync_thread status during suspend.\n\nNote that after commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), the\ntest shell/lvconvert-raid-reshape.sh start to hang in stop_sync_thread(),\nand with previous fixes, the test won't hang there anymore, however, the\ntest will still fail and complain that ext4 is corrupted. And with this\npatch, the test won't hang due to stop_sync_thread() or fail due to ext4\nis corrupted anymore. However, there is still a deadlock related to\ndm-raid456 that will be fixed in following patches.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-52434", + "id": "CVE-2024-35794", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35794" }, "analysis": { "state": "in_triage" }, - "updated": "2024-03-01T14:15:53Z" + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383" + "url": "https://git.kernel.org/stable/c/419a0ffca7010216f0fc265b08558d7394fa0ba7" }, { - "url": "https://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15" + "url": "https://git.kernel.org/stable/c/51eda36d33e43201e7a4fd35232e069b2c850b01" }, { - "url": "https://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182" + "url": "https://git.kernel.org/stable/c/72473db90900da970a16ee50ad23c2c38d107d8c" }, { - "url": "https://git.kernel.org/stable/c/6fd24675188d354b1cad47462969afa2ab09d819" + "url": "https://git.kernel.org/stable/c/7bc65d23ba20dcd7ecc094a12c181e594e5eb315" }, { - "url": "https://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62" + "url": "https://git.kernel.org/stable/c/b0e30c37695b614bee69187f86eaf250e36606ce" }, { - "url": "https://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35967" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26586" + "url": "https://git.kernel.org/linus/51eda36d33e43201e7a4fd35232e069b2c850b01(6.9-rc4)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-47", + "bom-ref": "vuln-51", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35967" } } ], - "created": "2024-02-22T17:15:08Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: SCO: Fix not validating setsockopt user input\n\nsyzbot reported sco_sock_setsockopt() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in sco_sock_setsockopt+0xc0b/0xf90\nnet/bluetooth/sco.c:893\nRead of size 4 at addr ffff88805f7b15a3 by task syz-executor.5/12578", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26586", + "id": "CVE-2024-35967", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35967" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T09:15:22Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176858" - }, - { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-150.html" - }, - { - "url": "https://alas.aws.amazon.com/ALAS-2023-1745.html" + "url": "https://git.kernel.org/stable/c/bdcb8aa434c6d36b5c215d02a9ef07551be25a37" }, { - "url": "https://ubuntu.com/security/notices/USN-6200-1" + "url": "https://git.kernel.org/stable/c/08a28272faa750d4357ea2cb48d2baefd778ea81" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1289" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2014.html" } ], - "bom-ref": "vuln-48", + "bom-ref": "vuln-52", "ratings": [ { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1289" - } - }, - { - "severity": "none", - "score": 0.00079, + "severity": "unknown", "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" } } ], - "created": "2023-03-23T20:15:14Z", - "description": "A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in \"/tmp,\" resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.", + "created": "2024-05-21T16:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Fix slab-use-after-free in gfs2_qd_dealloc\n\nIn gfs2_put_super(), whether withdrawn or not, the quota should\nbe cleaned up by gfs2_quota_cleanup().\n\nOtherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu\ncallback) has run for all gfs2_quota_data objects, resulting in\nuse-after-free.\n\nAlso, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called\nby gfs2_make_fs_ro(), so in gfs2_put_super(), after calling\ngfs2_make_fs_ro(), there is no need to call them again.", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2023-1289", + "id": "CVE-2023-52760", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1289" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52760" }, - "cwes": [ - 20 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-22T11:15:07Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-28T12:46:07Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" - } - ] + "updated": "2024-05-21T16:53:56Z" }, { "advisories": [ { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=98bea253aa28ad8be2ce565a9ca21beb4a9419e5" + "url": "https://git.kernel.org/stable/c/1baae052cccd08daf9a9d64c3f959d8cdb689757" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-1192" + "url": "https://git.kernel.org/stable/c/a55f0d6179a19c6b982e2dc344d58c98647a3be0" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2154178" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26758" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0448" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7749" - }, + "url": "https://git.kernel.org/linus/1baae052cccd08daf9a9d64c3f959d8cdb689757(6.8-rc6)" + } + ], + "bom-ref": "vuln-53", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0439" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26758" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore suspended array in md_check_recovery()\n\nmddev_suspend() never stop sync_thread, hence it doesn't make sense to\nignore suspended array in md_check_recovery(), which might cause\nsync_thread can't be unregistered.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) suspend the array:\nraid_postsuspend\n mddev_suspend\n\n2) stop the array:\nraid_dtr\n md_stop\n __md_stop_writes\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n3) sync thread done:\nmd_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n4) daemon thread can't unregister sync thread:\nmd_check_recovery\n if (mddev->suspended)\n return; -> return directly\n md_read_sync_thread\n clear_bit(MD_RECOVERY_RUNNING, &mddev->recovery);\n -> MD_RECOVERY_RUNNING can't be cleared, hence step 2 hang;\n\nThis problem is not just related to dm-raid, fix it by ignoring\nsuspended array in md_check_recovery(). And follow up patches will\nimprove dm-raid better to frozen sync thread during suspend.", + "affects": [ { - "url": "https://access.redhat.com/errata/RHSA-2023:7549" - }, + "ref": "comp-399" + } + ], + "id": "CVE-2024-26758", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26758" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2023:7539" + "url": "https://git.kernel.org/stable/c/4a4eeb6912538c2d0b158e8d11b62d96c1dada4e" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1192" + "url": "https://git.kernel.org/stable/c/ce0809ada38dca8d6d41bb57ab40494855c30582" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7548" + "url": "https://git.kernel.org/stable/c/85933e80d077c9ae2227226beb86c22f464059cc" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-1192" + "url": "https://git.kernel.org/stable/c/10048689def7e40a4405acda16fdc6477d4ecc5c" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0562" + "url": "https://git.kernel.org/stable/c/d93fd40c62397326046902a2c5cb75af50882a85" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/f74362a004225df935863dea6eb7d82daaa5b16e" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0563" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0412" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26782" } ], - "bom-ref": "vuln-49", + "bom-ref": "vuln-54", "ratings": [ - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192" - } - }, { "severity": "none", - "score": 0.0005, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26782" } } ], - "created": "2023-11-01T20:15:08Z", - "description": "A use-after-free flaw was found in smb2_is_status_io_timeout() in CIFS in the Linux Kernel. After CIFS transfers response data to a system call, there are still local variable points to the memory region, and if the system call frees it faster than CIFS uses it, CIFS will access a free memory region, leading to a denial of service.", + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix double-free on socket dismantle\n\nwhen MPTCP server accepts an incoming connection, it clones its listener\nsocket. However, the pointer to 'inet_opt' for the new socket has the same\nvalue as the original one: as a consequence, on program exit it's possible\nto observe the following splat:\n\n BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0\n Free of addr ffff888485950880 by task swapper/25/0\n\n CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609\n Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013\n Call Trace:\n \n dump_stack_lvl+0x32/0x50\n print_report+0xca/0x620\n kasan_report_invalid_free+0x64/0x90\n __kasan_slab_free+0x1aa/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n rcu_do_batch+0x34e/0xd90\n rcu_core+0x559/0xac0\n __do_softirq+0x183/0x5a4\n irq_exit_rcu+0x12d/0x170\n sysvec_apic_timer_interrupt+0x6b/0x80\n \n \n asm_sysvec_apic_timer_interrupt+0x16/0x20\n RIP: 0010:cpuidle_enter_state+0x175/0x300\n Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b\n RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202\n RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000\n RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588\n RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080\n R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0\n R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80\n cpuidle_enter+0x4a/0xa0\n do_idle+0x310/0x410\n cpu_startup_entry+0x51/0x60\n start_secondary+0x211/0x270\n secondary_startup_64_no_verify+0x184/0x18b\n \n\n Allocated by task 6853:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0xa6/0xb0\n __kmalloc+0x1eb/0x450\n cipso_v4_sock_setattr+0x96/0x360\n netlbl_sock_setattr+0x132/0x1f0\n selinux_netlbl_socket_post_create+0x6c/0x110\n selinux_socket_post_create+0x37b/0x7f0\n security_socket_post_create+0x63/0xb0\n __sock_create+0x305/0x450\n __sys_socket_create.part.23+0xbd/0x130\n __sys_socket+0x37/0xb0\n __x64_sys_socket+0x6f/0xb0\n do_syscall_64+0x83/0x160\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 6858:\n kasan_save_stack+0x1c/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x3b/0x60\n __kasan_slab_free+0x12c/0x1f0\n kfree+0xed/0x2e0\n inet_sock_destruct+0x54f/0x8b0\n __sk_destruct+0x48/0x5b0\n subflow_ulp_release+0x1f0/0x250\n tcp_cleanup_ulp+0x6e/0x110\n tcp_v4_destroy_sock+0x5a/0x3a0\n inet_csk_destroy_sock+0x135/0x390\n tcp_fin+0x416/0x5c0\n tcp_data_queue+0x1bc8/0x4310\n tcp_rcv_state_process+0x15a3/0x47b0\n tcp_v4_do_rcv+0x2c1/0x990\n tcp_v4_rcv+0x41fb/0x5ed0\n ip_protocol_deliver_rcu+0x6d/0x9f0\n ip_local_deliver_finish+0x278/0x360\n ip_local_deliver+0x182/0x2c0\n ip_rcv+0xb5/0x1c0\n __netif_receive_skb_one_core+0x16e/0x1b0\n process_backlog+0x1e3/0x650\n __napi_poll+0xa6/0x500\n net_rx_action+0x740/0xbb0\n __do_softirq+0x183/0x5a4\n\n The buggy address belongs to the object at ffff888485950880\n which belongs to the cache kmalloc-64 of size 64\n The buggy address is located 0 bytes inside of\n 64-byte region [ffff888485950880, ffff8884859508c0)\n\n The buggy address belongs to the physical page:\n page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950\n flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006\n raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff888485950780: fa fb fb\n---truncated---", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-1192", + "id": "CVE-2024-26782", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1192" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26782" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-09T15:24:11Z" + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25741" + "url": "https://git.kernel.org/stable/c/a5d9b1aa61b401867b9066d54086b3e4ee91f8ed" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/a8b2b26fdd011ebe36d68a9a321ca45801685959" }, { - "url": "https://lore.kernel.org/all/CALGdzurBnMztPW1Q8mujfYaopVQ8MkSUXUvnAqJcLGu5ROSU4Q@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/d7ae7d1265686b55832a445b1db8cdd69738ac07" + }, + { + "url": "https://git.kernel.org/stable/c/c554badcae9c45b737a22d23454170c6020b90e6" + }, + { + "url": "https://git.kernel.org/stable/c/e97fe4901e0f59a0bfd524578fe3768f8ca42428" + }, + { + "url": "https://git.kernel.org/stable/c/0efb9ef6fb95384ba631d6819e66f10392aabfa2" + }, + { + "url": "https://git.kernel.org/stable/c/239174535dba11f7b83de0eaaa27909024f8c185" + }, + { + "url": "https://git.kernel.org/stable/c/6f073b24a9e2becd25ac4505a9780a87e621bb51" + }, + { + "url": "https://git.kernel.org/linus/e97fe4901e0f59a0bfd524578fe3768f8ca42428(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27038" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-50", + "bom-ref": "vuln-55", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27038" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Fix clk_core_get NULL dereference\n\nIt is possible for clk_core_get to dereference a NULL in the following\nsequence:\n\nclk_core_get()\n of_clk_get_hw_from_clkspec()\n __of_clk_get_hw_from_provider()\n __clk_get_hw()\n\n__clk_get_hw() can return NULL which is dereferenced by clk_core_get() at\nhw->core.\n\nPrior to commit dde4eff47c82 (\"clk: Look for parents with clkdev based\nclk_lookups\") the check IS_ERR_OR_NULL() was performed which would have\ncaught the NULL.\n\nReading the description of this function it talks about returning NULL but\nthat cannot be so at the moment.\n\nUpdate the function to check for hw before dereferencing it and return NULL\nif hw is NULL.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-25741", + "id": "CVE-2024-27038", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27038" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-12T14:20:03Z" + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html" + "url": "https://git.kernel.org/stable/c/855678ed8534518e2b428bcbcec695de9ba248e8" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063535" + "url": "https://git.kernel.org/stable/c/02dad157ba11064d073f5499dc33552b227d5d3a" }, { - "url": "https://ubuntu.com/security/notices/USN-6643-1" + "url": "https://git.kernel.org/stable/c/11f81438927f84edfaaeb5d5f10856c3a1c1fc82" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42282" - } - ], - "bom-ref": "vuln-51", - "references": [ + "url": "https://git.kernel.org/stable/c/6b2ff10390b19a2364af622b6666b690443f9f3f" + }, { - "id": "SNYK-JS-IP-6240864", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-JS-IP-6240864" - } + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27023" }, { - "id": "GHSA-78xj-cgh5-2h22", + "url": "https://git.kernel.org/linus/855678ed8534518e2b428bcbcec695de9ba248e8(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-56", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27023" } } ], - "created": "2024-02-08T17:15:10Z", - "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Fix missing release of 'active_io' for flush\n\nsubmit_flushes\n atomic_set(&mddev->flush_pending, 1);\n rdev_for_each_rcu(rdev, mddev)\n atomic_inc(&mddev->flush_pending);\n bi->bi_end_io = md_end_flush\n submit_bio(bi);\n /* flush io is done first */\n md_end_flush\n if (atomic_dec_and_test(&mddev->flush_pending))\n percpu_ref_put(&mddev->active_io)\n -> active_io is not released\n\n if (atomic_dec_and_test(&mddev->flush_pending))\n -> missing release of active_io\n\nFor consequence, mddev_suspend() will wait for 'active_io' to be zero\nforever.\n\nFix this problem by releasing 'active_io' in submit_flushes() if\n'flush_pending' is decreased to zero.", "affects": [ { - "ref": "comp-654" + "ref": "comp-399" } ], + "id": "CVE-2024-27023", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27023" }, - "cwes": [ - 918 - ], "analysis": { "state": "in_triage" }, - "ratings": [ + "updated": "2024-05-01T19:50:25Z", + "properties": [ { - "severity": "critical", - "score": 9.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282" - } + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4fff3d735baea104017f2e3c245e27cdc79f2426" + }, + { + "url": "https://git.kernel.org/stable/c/de1034b38a346ef6be25fe8792f5d1e0684d5ff4" + }, + { + "url": "https://git.kernel.org/stable/c/4aa36b62c3eaa869860bf78b1146e9f2b5f782a9" + }, + { + "url": "https://git.kernel.org/stable/c/700c3f642c32721f246e09d3a9511acf40ae42be" + }, + { + "url": "https://git.kernel.org/stable/c/156cb12ffdcf33883304f0db645e1eadae712fe0" }, + { + "url": "https://git.kernel.org/stable/c/cf3d6813601fe496de7f023435e31bfffa74ae70" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26843" + }, + { + "url": "https://git.kernel.org/linus/de1034b38a346ef6be25fe8792f5d1e0684d5ff4(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-57", + "ratings": [ { "severity": "none", - "score": 0.00063, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26843" } } ], - "id": "CVE-2023-42282", - "updated": "2024-03-03T00:15:43Z", + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: runtime: Fix potential overflow of soft-reserved region size\n\nmd_size will have been narrowed if we have >= 4GB worth of pages in a\nsoft-reserved region.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26843", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26843" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-654", - "value": "2.0.1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513" + "url": "https://git.kernel.org/stable/c/5cdce3dda3b3dacde902f63a8ee72c2b7f91912d" }, { - "url": "https://access.redhat.com/security/cve/CVE-2024-0564" + "url": "https://git.kernel.org/stable/c/e8d27caef2c829a306e1f762fb95f06e8ec676f6" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514" + "url": "https://git.kernel.org/stable/c/6fcd12cb90888ef2d8af8d4c04e913252eee4ef3" + }, + { + "url": "https://git.kernel.org/stable/c/589c414138a1bed98e652c905937d8f790804efe" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0564" + "url": "https://git.kernel.org/stable/c/5d5f1a7f3b1039925f79c7894f153c2a905201fb" + }, + { + "url": "https://git.kernel.org/stable/c/6c6064cbe58b43533e3451ad6a8ba9736c109ac3" + }, + { + "url": "https://git.kernel.org/linus/6c6064cbe58b43533e3451ad6a8ba9736c109ac3(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35817" } ], - "bom-ref": "vuln-52", + "bom-ref": "vuln-58", "ratings": [ - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" - } - }, { "severity": "none", - "score": 0.00052, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35817" } } ], - "created": "2024-01-30T15:15:08Z", - "description": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag\n\nOtherwise after the GTT bo is released, the GTT and gart space is freed\nbut amdgpu_ttm_backend_unbind will not clear the gart page table entry\nand leave valid mapping entry pointing to the stale system page. Then\nif GPU access the gart address mistakely, it will read undefined value\ninstead page fault, harder to debug and reproduce the real issue.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-0564", + "id": "CVE-2024-35817", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35817" }, - "cwes": [ - 203 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-08T16:36:48Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UFQJCYJ23HWHNDOVKBHZQ7HCXXL6MM3/" + "url": "https://git.kernel.org/stable/c/33081e0f34899d5325e7c45683dd8dc9cb18b583" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210657" + "url": "https://git.kernel.org/stable/c/7d56ffc51ebd2777ded8dca50d631ee19d97db5c" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/" + "url": "https://git.kernel.org/stable/c/5deaef2bf56456c71b841e0dfde1bee2fd88c4eb" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html" + "url": "https://git.kernel.org/stable/c/806f462ba9029d41aadf8ec93f2f99c5305deada" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-34151" + "url": "https://git.kernel.org/stable/c/34c84e0036a60e7e50ae50b42ed194d8daef8cc9" + }, + { + "url": "https://git.kernel.org/stable/c/80578681ea274e0a6512bb7515718c206a7b74cf" + }, + { + "url": "https://git.kernel.org/stable/c/6133a71c75dacea12fcc85838b4455c2055b0f14" + }, + { + "url": "https://git.kernel.org/stable/c/a22f9194f61ad4f2b6405c7c86bee85eac1befa5" + }, + { + "url": "https://git.kernel.org/linus/806f462ba9029d41aadf8ec93f2f99c5305deada(6.8)" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2272.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27425" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-59", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27425" + } + } + ], + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27425", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27425" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19" + }, + { + "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529" + }, + { + "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52452" + } + ], + "bom-ref": "vuln-60", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52452" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452" + } + } + ], + "created": "2024-02-22T17:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52452", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452" + }, + "cwes": [ + 665 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T18:24:33Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1001db6c42e4012b55e5ee19405490f23e033b5a" + }, + { + "url": "https://git.kernel.org/stable/c/a262b78dd085dbe9b3c75dc1d9c4cd102b110b53" + }, + { + "url": "https://git.kernel.org/stable/c/8bf2ca8c60712af288b88ba80f8e4df4573d923f" + }, + { + "url": "https://git.kernel.org/stable/c/dffdf7c783ef291eef38a5a0037584fd1a7fa464" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26765" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1001db6c42e4012b55e5ee19405490f23e033b5a(6.8-rc6)" + } + ], + "bom-ref": "vuln-61", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26765" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Disable IRQ before init_fn() for nonboot CPUs\n\nDisable IRQ before init_fn() for nonboot CPUs when hotplug, in order to\nsilence such warnings (and also avoid potential errors due to unexpected\ninterrupts):\n\nWARNING: CPU: 1 PID: 0 at kernel/rcu/tree.c:4503 rcu_cpu_starting+0x214/0x280\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\npc 90000000048e3334 ra 90000000047bd56c tp 900000010039c000 sp 900000010039fdd0\na0 0000000000000001 a1 0000000000000006 a2 900000000802c040 a3 0000000000000000\na4 0000000000000001 a5 0000000000000004 a6 0000000000000000 a7 90000000048e3f4c\nt0 0000000000000001 t1 9000000005c70968 t2 0000000004000000 t3 000000000005e56e\nt4 00000000000002e4 t5 0000000000001000 t6 ffffffff80000000 t7 0000000000040000\nt8 9000000007931638 u0 0000000000000006 s9 0000000000000004 s0 0000000000000001\ns1 9000000006356ac0 s2 9000000007244000 s3 0000000000000001 s4 0000000000000001\ns5 900000000636f000 s6 7fffffffffffffff s7 9000000002123940 s8 9000000001ca55f8\n ra: 90000000047bd56c tlb_init+0x24c/0x528\n ERA: 90000000048e3334 rcu_cpu_starting+0x214/0x280\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000000 (PPLV0 -PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071000 (LIE=12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\nCPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.6.17+ #1198\nStack : 0000000000000000 9000000006375000 9000000005b61878 900000010039c000\n 900000010039fa30 0000000000000000 900000010039fa38 900000000619a140\n 9000000006456888 9000000006456880 900000010039f950 0000000000000001\n 0000000000000001 cb0cb028ec7e52e1 0000000002b90000 9000000100348700\n 0000000000000000 0000000000000001 ffffffff916d12f1 0000000000000003\n 0000000000040000 9000000007930370 0000000002b90000 0000000000000004\n 9000000006366000 900000000619a140 0000000000000000 0000000000000004\n 0000000000000000 0000000000000009 ffffffffffc681f2 9000000002123940\n 9000000001ca55f8 9000000006366000 90000000047a4828 00007ffff057ded8\n 00000000000000b0 0000000000000000 0000000000000000 0000000000071000\n ...\nCall Trace:\n[<90000000047a4828>] show_stack+0x48/0x1a0\n[<9000000005b61874>] dump_stack_lvl+0x84/0xcc\n[<90000000047f60ac>] __warn+0x8c/0x1e0\n[<9000000005b0ab34>] report_bug+0x1b4/0x280\n[<9000000005b63110>] do_bp+0x2d0/0x480\n[<90000000047a2e20>] handle_bp+0x120/0x1c0\n[<90000000048e3334>] rcu_cpu_starting+0x214/0x280\n[<90000000047bd568>] tlb_init+0x248/0x528\n[<90000000047a4c44>] per_cpu_trap_init+0x124/0x160\n[<90000000047a19f4>] cpu_probe+0x494/0xa00\n[<90000000047b551c>] start_secondary+0x3c/0xc0\n[<9000000005b66134>] smpboot_entry+0x50/0x58", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26765", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26765" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6cbbe1ba76ee7e674a86abd43009b083a45838cb" + }, + { + "url": "https://git.kernel.org/stable/c/2aeb805a1bcd5f27c8c0d1a9d4d653f16d1506f4" + }, + { + "url": "https://git.kernel.org/stable/c/1bc83a019bbe268be3526406245ec28c2458a518" + }, + { + "url": "https://git.kernel.org/stable/c/9627fd0c6ea1c446741a33e67bc5709c59923827" + }, + { + "url": "https://git.kernel.org/stable/c/9a3b90904d8a072287480eed4c3ece4b99d64f78" + }, + { + "url": "https://git.kernel.org/stable/c/7f609f630951b624348373cef99991ce08831927" + }, + { + "url": "https://git.kernel.org/stable/c/b58d0ac35f6d75ec1db8650a29dfd6f292c11362" + }, + { + "url": "https://git.kernel.org/linus/1bc83a019bbe268be3526406245ec28c2458a518(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35897" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-62", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35897" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: discard table flag update with pending basechain deletion\n\nHook unregistration is deferred to the commit phase, same occurs with\nhook updates triggered by the table dormant flag. When both commands are\ncombined, this results in deleting a basechain while leaving its hook\nstill registered in the core.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35897", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35897" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b7be6c737a179a76901c872f6b4c1d00552d9a1b" + }, + { + "url": "https://git.kernel.org/stable/c/e26d3009efda338f19016df4175f354a9bd0a4ab" + }, + { + "url": "https://git.kernel.org/stable/c/6f3ae02bbb62f151b19162d5fdc9fe3d48450323" + }, + { + "url": "https://git.kernel.org/stable/c/00b19ee0dcc1aef06294471ab489bae26d94524e" + }, + { + "url": "https://git.kernel.org/stable/c/116b0e8e4673a5faa8a739a19b467010c4d3058c" + }, + { + "url": "https://git.kernel.org/stable/c/49ce99ae43314d887153e07cec8bb6a647a19268" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52620" + } + ], + "bom-ref": "vuln-63", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52620" + } + } + ], + "created": "2024-03-21T11:15:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow timeout for anonymous sets\n\nNever used from userspace, disallow these parameters.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52620", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52620" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8c77398c72618101d66480b94b34fe9087ee3d08" + }, + { + "url": "https://git.kernel.org/stable/c/1c0a95d99b1b2b5d842e5abc7ef7eed1193b60d7" + }, + { + "url": "https://git.kernel.org/stable/c/652cfeb43d6b9aba5c7c4902bed7a7340df131fb" + }, + { + "url": "https://git.kernel.org/linus/652cfeb43d6b9aba5c7c4902bed7a7340df131fb(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27407" + } + ], + "bom-ref": "vuln-64", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27407" + } + } + ], + "created": "2024-05-17T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fixed overflow check in mi_enum_attr()", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27407", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27407" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/95915ba4b987cf2b222b0f251280228a1ff977ac" + }, + { + "url": "https://git.kernel.org/stable/c/520f79c110ff712b391b3d87fcacf03c74bc56ee" + }, + { + "url": "https://git.kernel.org/stable/c/4b12ff5edd141926d49c9ace4791adf3a4902fe7" + }, + { + "url": "https://git.kernel.org/stable/c/bc40ded92af55760d12bec8222d4108de725dbe4" + }, + { + "url": "https://git.kernel.org/stable/c/bfa344afbe472a9be08f78551fa2190c1a07d7d3" + }, + { + "url": "https://git.kernel.org/stable/c/e5b5948c769aa1ebf962dddfb972f87d8f166f95" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35785" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/95915ba4b987cf2b222b0f251280228a1ff977ac(6.8)" + } + ], + "bom-ref": "vuln-65", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35785" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntee: optee: Fix kernel panic caused by incorrect error handling\n\nThe error path while failing to register devices on the TEE bus has a\nbug leading to kernel panic as follows:\n\n[ 15.398930] Unable to handle kernel paging request at virtual address ffff07ed00626d7c\n[ 15.406913] Mem abort info:\n[ 15.409722] ESR = 0x0000000096000005\n[ 15.413490] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 15.418814] SET = 0, FnV = 0\n[ 15.421878] EA = 0, S1PTW = 0\n[ 15.425031] FSC = 0x05: level 1 translation fault\n[ 15.429922] Data abort info:\n[ 15.432813] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n[ 15.438310] CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n[ 15.443372] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 15.448697] swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000d9e3e000\n[ 15.455413] [ffff07ed00626d7c] pgd=1800000bffdf9003, p4d=1800000bffdf9003, pud=0000000000000000\n[ 15.464146] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n\nCommit 7269cba53d90 (\"tee: optee: Fix supplicant based device enumeration\")\nlead to the introduction of this bug. So fix it appropriately.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35785", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35785" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063535" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6643-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-42282" + }, + { + "url": "https://access.redhat.com/errata/RHBA-2024:1440" + } + ], + "bom-ref": "vuln-66", + "references": [ + { + "id": "GHSA-78xj-cgh5-2h22", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22" + } + } + ], + "created": "2024-02-08T17:15:10Z", + "description": "The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.", + "affects": [ + { + "ref": "comp-654" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282" + }, + "cwes": [ + 918 + ], + "analysis": { + "state": "exploitable" + }, + "ratings": [ + { + "severity": "critical", + "score": 9.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282" + } + }, + { + "severity": "none", + "score": 0.00084, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-42282" + } + } + ], + "id": "CVE-2023-42282", + "updated": "2024-03-15T19:25:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T18:03:44Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-654", + "value": "2.0.1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/31db25e3141b20e2a76a9f219eeca52e3cab126c" + }, + { + "url": "https://git.kernel.org/stable/c/7ca651b4ec4a049f5a46a0e5ff921b86b91c47c5" + }, + { + "url": "https://git.kernel.org/stable/c/5ada9016b1217498fad876a3d5b07645cc955608" + }, + { + "url": "https://git.kernel.org/stable/c/dac068f164ad05b35e7c0be13f138c3f6adca58f" + }, + { + "url": "https://git.kernel.org/stable/c/719fcafe07c12646691bd62d7f8d94d657fa0766" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/719fcafe07c12646691bd62d7f8d94d657fa0766(6.9-rc1)" + } + ], + "bom-ref": "vuln-67", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26868" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix panic when nfs4_ff_layout_prepare_ds() fails\n\nWe've been seeing the following panic in production\n\nBUG: kernel NULL pointer dereference, address: 0000000000000065\nPGD 2f485f067 P4D 2f485f067 PUD 2cc5d8067 PMD 0\nRIP: 0010:ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\nCall Trace:\n \n ? __die+0x78/0xc0\n ? page_fault_oops+0x286/0x380\n ? __rpc_execute+0x2c3/0x470 [sunrpc]\n ? rpc_new_task+0x42/0x1c0 [sunrpc]\n ? exc_page_fault+0x5d/0x110\n ? asm_exc_page_fault+0x22/0x30\n ? ff_layout_free_layoutreturn+0x110/0x110 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x3a/0x90 [nfs_layout_flexfiles]\n ? ff_layout_cancel_io+0x6f/0x90 [nfs_layout_flexfiles]\n pnfs_mark_matching_lsegs_return+0x1b0/0x360 [nfsv4]\n pnfs_error_mark_layout_for_return+0x9e/0x110 [nfsv4]\n ? ff_layout_send_layouterror+0x50/0x160 [nfs_layout_flexfiles]\n nfs4_ff_layout_prepare_ds+0x11f/0x290 [nfs_layout_flexfiles]\n ff_layout_pg_init_write+0xf0/0x1f0 [nfs_layout_flexfiles]\n __nfs_pageio_add_request+0x154/0x6c0 [nfs]\n nfs_pageio_add_request+0x26b/0x380 [nfs]\n nfs_do_writepage+0x111/0x1e0 [nfs]\n nfs_writepages_callback+0xf/0x30 [nfs]\n write_cache_pages+0x17f/0x380\n ? nfs_pageio_init_write+0x50/0x50 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n ? nfs_writepages+0x6d/0x210 [nfs]\n nfs_writepages+0x125/0x210 [nfs]\n do_writepages+0x67/0x220\n ? generic_perform_write+0x14b/0x210\n filemap_fdatawrite_wbc+0x5b/0x80\n file_write_and_wait_range+0x6d/0xc0\n nfs_file_fsync+0x81/0x170 [nfs]\n ? nfs_file_mmap+0x60/0x60 [nfs]\n __x64_sys_fsync+0x53/0x90\n do_syscall_64+0x3d/0x90\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nInspecting the core with drgn I was able to pull this\n\n >>> prog.crashed_thread().stack_trace()[0]\n #0 at 0xffffffffa079657a (ff_layout_cancel_io+0x3a/0x84) in ff_layout_cancel_io at fs/nfs/flexfilelayout/flexfilelayout.c:2021:27\n >>> prog.crashed_thread().stack_trace()[0]['idx']\n (u32)1\n >>> prog.crashed_thread().stack_trace()[0]['flseg'].mirror_array[1].mirror_ds\n (struct nfs4_ff_layout_ds *)0xffffffffffffffed\n\nThis is clear from the stack trace, we call nfs4_ff_layout_prepare_ds()\nwhich could error out initializing the mirror_ds, and then we go to\nclean it all up and our check is only for if (!mirror->mirror_ds). This\nis inconsistent with the rest of the users of mirror_ds, which have\n\n if (IS_ERR_OR_NULL(mirror_ds))\n\nto keep from tripping over this exact scenario. Fix this up in\nff_layout_cancel_io() to make sure we don't panic when we get an error.\nI also spot checked all the other instances of checking mirror_ds and we\nappear to be doing the correct checks everywhere, only unconditionally\ndereferencing mirror_ds when we know it would be valid.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26868" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/de76ae9ea1a6cf9e77fcec4f2df2904e26c23ceb" + }, + { + "url": "https://git.kernel.org/stable/c/4b19e9507c275de0cfe61c24db69179dc52cf9fb" + }, + { + "url": "https://git.kernel.org/stable/c/6cdb20c342cd0193d3e956e3d83981d0f438bb83" + }, + { + "url": "https://git.kernel.org/stable/c/01b11a0566670612bd464a932e5ac2eae53d8652" + }, + { + "url": "https://git.kernel.org/stable/c/b4b3b69a19016d4e7fbdbd1dbcc184915eb862e1" + }, + { + "url": "https://git.kernel.org/stable/c/7633c4da919ad51164acbf1aa322cc1a3ead6129" + }, + { + "url": "https://git.kernel.org/stable/c/3fb02ec57ead2891a2306af8c51a306bc5945e70" + }, + { + "url": "https://git.kernel.org/stable/c/cca606e14264098cba65efa82790825dbf69e903" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35969" + }, + { + "url": "https://git.kernel.org/linus/7633c4da919ad51164acbf1aa322cc1a3ead6129(6.9-rc4)" + } + ], + "bom-ref": "vuln-68", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35969" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr\n\nAlthough ipv6_get_ifaddr walks inet6_addr_lst under the RCU lock, it\nstill means hlist_for_each_entry_rcu can return an item that got removed\nfrom the list. The memory itself of such item is not freed thanks to RCU\nbut nothing guarantees the actual content of the memory is sane.\n\nIn particular, the reference count can be zero. This can happen if\nipv6_del_addr is called in parallel. ipv6_del_addr removes the entry\nfrom inet6_addr_lst (hlist_del_init_rcu(&ifp->addr_lst)) and drops all\nreferences (__in6_ifa_put(ifp) + in6_ifa_put(ifp)). With bad enough\ntiming, this can happen:\n\n1. In ipv6_get_ifaddr, hlist_for_each_entry_rcu returns an entry.\n\n2. Then, the whole ipv6_del_addr is executed for the given entry. The\n reference count drops to zero and kfree_rcu is scheduled.\n\n3. ipv6_get_ifaddr continues and tries to increments the reference count\n (in6_ifa_hold).\n\n4. The rcu is unlocked and the entry is freed.\n\n5. The freed entry is returned.\n\nPrevent increasing of the reference count in such case. The name\nin6_ifa_hold_safe is chosen to mimic the existing fib6_info_hold_safe.\n\n[ 41.506330] refcount_t: addition on 0; use-after-free.\n[ 41.506760] WARNING: CPU: 0 PID: 595 at lib/refcount.c:25 refcount_warn_saturate+0xa5/0x130\n[ 41.507413] Modules linked in: veth bridge stp llc\n[ 41.507821] CPU: 0 PID: 595 Comm: python3 Not tainted 6.9.0-rc2.main-00208-g49563be82afa #14\n[ 41.508479] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n[ 41.509163] RIP: 0010:refcount_warn_saturate+0xa5/0x130\n[ 41.509586] Code: ad ff 90 0f 0b 90 90 c3 cc cc cc cc 80 3d c0 30 ad 01 00 75 a0 c6 05 b7 30 ad 01 01 90 48 c7 c7 38 cc 7a 8c e8 cc 18 ad ff 90 <0f> 0b 90 90 c3 cc cc cc cc 80 3d 98 30 ad 01 00 0f 85 75 ff ff ff\n[ 41.510956] RSP: 0018:ffffbda3c026baf0 EFLAGS: 00010282\n[ 41.511368] RAX: 0000000000000000 RBX: ffff9e9c46914800 RCX: 0000000000000000\n[ 41.511910] RDX: ffff9e9c7ec29c00 RSI: ffff9e9c7ec1c900 RDI: ffff9e9c7ec1c900\n[ 41.512445] RBP: ffff9e9c43660c9c R08: 0000000000009ffb R09: 00000000ffffdfff\n[ 41.512998] R10: 00000000ffffdfff R11: ffffffff8ca58a40 R12: ffff9e9c4339a000\n[ 41.513534] R13: 0000000000000001 R14: ffff9e9c438a0000 R15: ffffbda3c026bb48\n[ 41.514086] FS: 00007fbc4cda1740(0000) GS:ffff9e9c7ec00000(0000) knlGS:0000000000000000\n[ 41.514726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 41.515176] CR2: 000056233b337d88 CR3: 000000000376e006 CR4: 0000000000370ef0\n[ 41.515713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 41.516252] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 41.516799] Call Trace:\n[ 41.517037] \n[ 41.517249] ? __warn+0x7b/0x120\n[ 41.517535] ? refcount_warn_saturate+0xa5/0x130\n[ 41.517923] ? report_bug+0x164/0x190\n[ 41.518240] ? handle_bug+0x3d/0x70\n[ 41.518541] ? exc_invalid_op+0x17/0x70\n[ 41.520972] ? asm_exc_invalid_op+0x1a/0x20\n[ 41.521325] ? refcount_warn_saturate+0xa5/0x130\n[ 41.521708] ipv6_get_ifaddr+0xda/0xe0\n[ 41.522035] inet6_rtm_getaddr+0x342/0x3f0\n[ 41.522376] ? __pfx_inet6_rtm_getaddr+0x10/0x10\n[ 41.522758] rtnetlink_rcv_msg+0x334/0x3d0\n[ 41.523102] ? netlink_unicast+0x30f/0x390\n[ 41.523445] ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[ 41.523832] netlink_rcv_skb+0x53/0x100\n[ 41.524157] netlink_unicast+0x23b/0x390\n[ 41.524484] netlink_sendmsg+0x1f2/0x440\n[ 41.524826] __sys_sendto+0x1d8/0x1f0\n[ 41.525145] __x64_sys_sendto+0x1f/0x30\n[ 41.525467] do_syscall_64+0xa5/0x1b0\n[ 41.525794] entry_SYSCALL_64_after_hwframe+0x72/0x7a\n[ 41.526213] RIP: 0033:0x7fbc4cfcea9a\n[ 41.526528] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[ 41.527942] RSP: 002b:00007f\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35969", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35969" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/" + }, + { + "url": "https://www.kb.cert.org/vuls/id/127587" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1714.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4038" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1980.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3595" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3550" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3594" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4282" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3591" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-116.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3931" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4008" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3777" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3810" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3556" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3776" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3811" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3932" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4004" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3555" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-24329" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3796" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4203" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1990.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3935" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-500.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-001.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3934" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3936" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1713.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5888-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3780" + }, + { + "url": "https://ubuntu.com/security/notices/USN-5960-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6139-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:4032" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6793" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:3781" + } + ], + "bom-ref": "vuln-69", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" + } + }, + { + "severity": "none", + "score": 0.001, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-24329" + } + } + ], + "created": "2023-02-17T15:15:12Z", + "description": "An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.", + "affects": [ + { + "ref": "comp-321" + } + ], + "id": "CVE-2023-24329", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24329" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:08:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T14:11:20Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e2891c763aa2cff74dd6b5e978411ccf0cf94abe" + }, + { + "url": "https://git.kernel.org/stable/c/6156277d1b26cb3fdb6fcbf0686ab78268571644" + }, + { + "url": "https://git.kernel.org/stable/c/14f1992430ef9e647b02aa8ca12c5bcb9a1dffea" + }, + { + "url": "https://git.kernel.org/stable/c/e3b63e966cac0bf78aaa1efede1827a252815a1d" + }, + { + "url": "https://git.kernel.org/linus/e3b63e966cac0bf78aaa1efede1827a252815a1d(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26832" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-70", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26832" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix missing folio cleanup in writeback race path\n\nIn zswap_writeback_entry(), after we get a folio from\n__read_swap_cache_async(), we grab the tree lock again to check that the\nswap entry was not invalidated and recycled. If it was, we delete the\nfolio we just added to the swap cache and exit.\n\nHowever, __read_swap_cache_async() returns the folio locked when it is\nnewly allocated, which is always true for this path, and the folio is\nref'd. Make sure to unlock and put the folio before returning.\n\nThis was discovered by code inspection, probably because this path handles\na race condition that should not happen often, and the bug would not crash\nthe system, it will only strand the folio indefinitely.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26832", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26832" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/37179fcc916bce8c3cc7b36d67ef814cce55142b" + }, + { + "url": "https://git.kernel.org/stable/c/6b2e428e673b3f55965674a426c40922e91388aa" + }, + { + "url": "https://git.kernel.org/stable/c/8d2ad999ca3c64cb08cf6a58d227b9d9e746d708" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-71", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Fix delete_endpoint() vs parent unregistration race\n\nThe CXL subsystem, at cxl_mem ->probe() time, establishes a lineage of\nports (struct cxl_port objects) between an endpoint and the root of a\nCXL topology. Each port including the endpoint port is attached to the\ncxl_port driver.\n\nGiven that setup, it follows that when either any port in that lineage\ngoes through a cxl_port ->remove() event, or the memdev goes through a\ncxl_mem ->remove() event. The hierarchy below the removed port, or the\nentire hierarchy if the memdev is removed needs to come down.\n\nThe delete_endpoint() callback is careful to check whether it is being\ncalled to tear down the hierarchy, or if it is only being called to\nteardown the memdev because an ancestor port is going through\n->remove().\n\nThat care needs to take the device_lock() of the endpoint's parent.\nWhich requires 2 bugs to be fixed:\n\n1/ A reference on the parent is needed to prevent use-after-free\n scenarios like this signature:\n\n BUG: spinlock bad magic on CPU#0, kworker/u56:0/11\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20230524-3.fc38 05/24/2023\n Workqueue: cxl_port detach_memdev [cxl_core]\n RIP: 0010:spin_bug+0x65/0xa0\n Call Trace:\n do_raw_spin_lock+0x69/0xa0\n __mutex_lock+0x695/0xb80\n delete_endpoint+0xad/0x150 [cxl_core]\n devres_release_all+0xb8/0x110\n device_unbind_cleanup+0xe/0x70\n device_release_driver_internal+0x1d2/0x210\n detach_memdev+0x15/0x20 [cxl_core]\n process_one_work+0x1e3/0x4c0\n worker_thread+0x1dd/0x3d0\n\n2/ In the case of RCH topologies, the parent device that needs to be\n locked is not always @port->dev as returned by cxl_mem_find_port(), use\n endpoint->dev.parent instead.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52771", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52771" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cba376eb036c2c20077b41d47b317d8218fe754f" + }, + { + "url": "https://git.kernel.org/stable/c/492337a4fbd1421b42df684ee9b34be2a2722540" + }, + { + "url": "https://git.kernel.org/stable/c/49d5d70538b6b8f2a3f8f1ac30c1f921d4a0929b" + }, + { + "url": "https://git.kernel.org/stable/c/be0384bf599cf1eb8d337517feeb732d71f75a6f" + }, + { + "url": "https://git.kernel.org/linus/be0384bf599cf1eb8d337517feeb732d71f75a6f(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35971" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-72", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35971" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ks8851: Handle softirqs at the end of IRQ thread to fix hang\n\nThe ks8851_irq() thread may call ks8851_rx_pkts() in case there are\nany packets in the MAC FIFO, which calls netif_rx(). This netif_rx()\nimplementation is guarded by local_bh_disable() and local_bh_enable().\nThe local_bh_enable() may call do_softirq() to run softirqs in case\nany are pending. One of the softirqs is net_rx_action, which ultimately\nreaches the driver .start_xmit callback. If that happens, the system\nhangs. The entire call chain is below:\n\nks8851_start_xmit_par from netdev_start_xmit\nnetdev_start_xmit from dev_hard_start_xmit\ndev_hard_start_xmit from sch_direct_xmit\nsch_direct_xmit from __dev_queue_xmit\n__dev_queue_xmit from __neigh_update\n__neigh_update from neigh_update\nneigh_update from arp_process.constprop.0\narp_process.constprop.0 from __netif_receive_skb_one_core\n__netif_receive_skb_one_core from process_backlog\nprocess_backlog from __napi_poll.constprop.0\n__napi_poll.constprop.0 from net_rx_action\nnet_rx_action from __do_softirq\n__do_softirq from call_with_stack\ncall_with_stack from do_softirq\ndo_softirq from __local_bh_enable_ip\n__local_bh_enable_ip from netif_rx\nnetif_rx from ks8851_irq\nks8851_irq from irq_thread_fn\nirq_thread_fn from irq_thread\nirq_thread from kthread\nkthread from ret_from_fork\n\nThe hang happens because ks8851_irq() first locks a spinlock in\nks8851_par.c ks8851_lock_par() spin_lock_irqsave(&ksp->lock, ...)\nand with that spinlock locked, calls netif_rx(). Once the execution\nreaches ks8851_start_xmit_par(), it calls ks8851_lock_par() again\nwhich attempts to claim the already locked spinlock again, and the\nhang happens.\n\nMove the do_softirq() call outside of the spinlock protected section\nof ks8851_irq() by disabling BHs around the entire spinlock protected\nsection of ks8851_irq() handler. Place local_bh_enable() outside of\nthe spinlock protected section, so that it can trigger do_softirq()\nwithout the ks8851_par.c ks8851_lock_par() spinlock being held, and\nsafely call ks8851_start_xmit_par() without attempting to lock the\nalready locked spinlock.\n\nSince ks8851_irq() is protected by local_bh_disable()/local_bh_enable()\nnow, replace netif_rx() with __netif_rx() which is not duplicating the\nlocal_bh_disable()/local_bh_enable() calls.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35971", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35971" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.2" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1208844" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-73", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23005" + } + } + ], + "created": "2023-03-01T20:15:15Z", + "description": "In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-23005", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23005" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-17T02:19:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T13:43:21Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d159d6637ccce25f879d662a480541ef4ba3a50" + }, + { + "url": "https://git.kernel.org/stable/c/26d4bac55750d535f1f0b8790dc26daf6089e373" + }, + { + "url": "https://git.kernel.org/stable/c/17ef8efc00b34918b966388b2af0993811895a8c" + }, + { + "url": "https://git.kernel.org/stable/c/7eb06ee5921189812e6b4bfe7b0f1e878be16df7" + }, + { + "url": "https://git.kernel.org/stable/c/a03ede2282ebbd181bd6f5c38cbfcb5765afcd04" + }, + { + "url": "https://git.kernel.org/stable/c/5da9a218340a2bc804dc4327e5804392e24a0b88" + }, + { + "url": "https://git.kernel.org/linus/17ef8efc00b34918b966388b2af0993811895a8c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27390" + } + ], + "bom-ref": "vuln-74", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27390" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: remove one synchronize_net() barrier in ipv6_mc_down()\n\nAs discussed in the past (commit 2d3916f31891 (\"ipv6: fix skb drops\nin igmp6_event_query() and igmp6_event_report()\")) I think the\nsynchronize_net() call in ipv6_mc_down() is not needed.\n\nUnder load, synchronize_net() can last between 200 usec and 5 ms.\n\nKASAN seems to agree as well.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27390", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27390" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5a7e89d3315d1be86aff8a8bf849023cda6547f7" + }, + { + "url": "https://git.kernel.org/stable/c/a5ca1be7f9817de4e93085778b3ee2219bdc2664" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26945" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/5a7e89d3315d1be86aff8a8bf849023cda6547f7(6.9-rc2)" + } + ], + "bom-ref": "vuln-75", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26945" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix nr_cpus < nr_iaa case\n\nIf nr_cpus < nr_iaa, the calculated cpus_per_iaa will be 0, which\ncauses a divide-by-0 in rebalance_wq_table().\n\nMake sure cpus_per_iaa is 1 in that case, and also in the nr_iaa == 0\ncase, even though cpus_per_iaa is never used if nr_iaa == 0, for\nparanoia.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26945", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26945" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240109.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + } + ], + "bom-ref": "vuln-76", + "ratings": [ + { + "severity": "none", + "score": 0.00194, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6129" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + } + } + ], + "created": "2024-01-09T17:15:12Z", + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "affects": [ + { + "ref": "comp-103" + } + ], + "id": "CVE-2023-6129", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2ce156482a6fef349d2eba98e5070c412d3af662" + }, + { + "url": "https://git.kernel.org/stable/c/ce29728ef6485a367934cc100249c66dd3cde5b6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52634" + }, + { + "url": "https://git.kernel.org/linus/2ce156482a6fef349d2eba98e5070c412d3af662(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-77", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52634" + } + } + ], + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix disable_otg_wa logic\n\n[Why]\nWhen switching to another HDMI mode, we are unnecesarilly\ndisabling/enabling FIFO causing both HPO and DIG registers to be set at\nthe same time when only HPO is supposed to be set.\n\nThis can lead to a system hang the next time we change refresh rates as\nthere are cases when we don't disable OTG/FIFO but FIFO is enabled when\nit isn't supposed to be.\n\n[How]\nRemoving the enable/disable FIFO entirely.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52634", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52634" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb8adca52f306563d958a863bb0cbae9c184d1ae" + }, + { + "url": "https://git.kernel.org/stable/c/817e8138ce86001b2fa5c63d6ede756e205a01f7" + }, + { + "url": "https://git.kernel.org/stable/c/2c9e2df022ef8b9d7fac58a04a2ef4ed25288955" + }, + { + "url": "https://git.kernel.org/stable/c/64be3c6154886200708da0dfe259705fb992416c" + }, + { + "url": "https://git.kernel.org/stable/c/f7b94bdc1ec107c92262716b073b3e816d4784fb" + }, + { + "url": "https://git.kernel.org/linus/f7b94bdc1ec107c92262716b073b3e816d4784fb(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26886" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-78", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26886" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: af_bluetooth: Fix deadlock\n\nAttemting to do sock_lock on .recvmsg may cause a deadlock as shown\nbellow, so instead of using sock_sock this uses sk_receive_queue.lock\non bt_sock_ioctl to avoid the UAF:\n\nINFO: task kworker/u9:1:121 blocked for more than 30 seconds.\n Not tainted 6.7.6-lemon #183\nWorkqueue: hci0 hci_rx_work\nCall Trace:\n \n __schedule+0x37d/0xa00\n schedule+0x32/0xe0\n __lock_sock+0x68/0xa0\n ? __pfx_autoremove_wake_function+0x10/0x10\n lock_sock_nested+0x43/0x50\n l2cap_sock_recv_cb+0x21/0xa0\n l2cap_recv_frame+0x55b/0x30a0\n ? psi_task_switch+0xeb/0x270\n ? finish_task_switch.isra.0+0x93/0x2a0\n hci_rx_work+0x33a/0x3f0\n process_one_work+0x13a/0x2f0\n worker_thread+0x2f0/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe0/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2c/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26886", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26886" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32021" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-79", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32021" + } + } + ], + "created": "2024-05-14T20:15:13Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning\nwill be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-32021", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32021" + }, + "cwes": [ + 547 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-15T16:40:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a16fbb80064634b254520a46395e36b87ca4731e" + }, + { + "url": "https://git.kernel.org/stable/c/1a54aa506b3b2f31496731039e49778f54eee881" + }, + { + "url": "https://git.kernel.org/stable/c/ad80c34944d7175fa1f5c7a55066020002921a99" + }, + { + "url": "https://git.kernel.org/stable/c/eb48680b0255a9e8a9bdc93d6a55b11c31262e62" + }, + { + "url": "https://git.kernel.org/stable/c/079cba4f4e307c69878226fdf5228c20aa1c969c" + }, + { + "url": "https://git.kernel.org/stable/c/f98364e926626c678fb4b9004b75cacf92ff0662" + }, + { + "url": "https://git.kernel.org/stable/c/74ca3ef68d2f449bc848c0a814cefc487bf755fa" + }, + { + "url": "https://git.kernel.org/stable/c/7dd09fa80b0765ce68bfae92f4e2f395ccf0fba4" + }, + { + "url": "https://git.kernel.org/stable/c/faf0b4c5e00bb680e8e43ac936df24d3f48c8e65" + }, + { + "url": "https://git.kernel.org/linus/f98364e926626c678fb4b9004b75cacf92ff0662(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26898" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-80", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26898" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: fix the potential use-after-free problem in aoecmd_cfg_pkts\n\nThis patch is against CVE-2023-6270. The description of cve is:\n\n A flaw was found in the ATA over Ethernet (AoE) driver in the Linux\n kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on\n `struct net_device`, and a use-after-free can be triggered by racing\n between the free on the struct and the access through the `skbtxq`\n global queue. This could lead to a denial of service condition or\n potential code execution.\n\nIn aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial\ncode is finished. But the net_device ifp will still be used in\nlater tx()->dev_queue_xmit() in kthread. Which means that the\ndev_put(ifp) should NOT be called in the success path of skb\ninitial code in aoecmd_cfg_pkts(). Otherwise tx() may run into\nuse-after-free because the net_device is freed.\n\nThis patch removed the dev_put(ifp) in the success path in\naoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26898", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26898" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:31:26Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0dc0637e6b16158af85945425821bfd0151adb37" + }, + { + "url": "https://git.kernel.org/stable/c/56434e295bd446142025913bfdf1587f5e1970ad" + }, + { + "url": "https://git.kernel.org/stable/c/5f40fd6ca2cf0bfbc5a5c9e403dfce8ca899ba37" + }, + { + "url": "https://git.kernel.org/stable/c/94b0e65c75f4af888ab2dd6c90f060f762924e86" + }, + { + "url": "https://git.kernel.org/stable/c/479244d68f5d94f3903eced52b093c1e01ddb495" + }, + { + "url": "https://git.kernel.org/stable/c/2c9b943e9924cf1269e44289bc5e60e51b0f5270" + }, + { + "url": "https://git.kernel.org/stable/c/54c4ec5f8c471b7c1137a1f769648549c423c026" + }, + { + "url": "https://git.kernel.org/stable/c/21535ef0ac1945080198fe3e4347ea498205c99a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27000" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/54c4ec5f8c471b7c1137a1f769648549c423c026(6.9-rc5)" + } + ], + "bom-ref": "vuln-81", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27000" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: mxs-auart: add spinlock around changing cts state\n\nThe uart_handle_cts_change() function in serial_core expects the caller\nto hold uport->lock. For example, I have seen the below kernel splat,\nwhen the Bluetooth driver is loaded on an i.MX28 board.\n\n [ 85.119255] ------------[ cut here ]------------\n [ 85.124413] WARNING: CPU: 0 PID: 27 at /drivers/tty/serial/serial_core.c:3453 uart_handle_cts_change+0xb4/0xec\n [ 85.134694] Modules linked in: hci_uart bluetooth ecdh_generic ecc wlcore_sdio configfs\n [ 85.143314] CPU: 0 PID: 27 Comm: kworker/u3:0 Not tainted 6.6.3-00021-gd62a2f068f92 #1\n [ 85.151396] Hardware name: Freescale MXS (Device Tree)\n [ 85.156679] Workqueue: hci0 hci_power_on [bluetooth]\n (...)\n [ 85.191765] uart_handle_cts_change from mxs_auart_irq_handle+0x380/0x3f4\n [ 85.198787] mxs_auart_irq_handle from __handle_irq_event_percpu+0x88/0x210\n (...)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27000", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27000" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/25c6f49ef59b7a9b80a3f7ab9e95268a1b01a234" + }, + { + "url": "https://git.kernel.org/stable/c/be609c7002dd4504b15b069cb7582f4c778548d1" + }, + { + "url": "https://git.kernel.org/stable/c/f44f073c78112ff921a220d01b86d09f2ace59bc" + }, + { + "url": "https://git.kernel.org/stable/c/84770a996ad8d7f121ff2fb5a8d149aad52d64c1" + }, + { + "url": "https://git.kernel.org/stable/c/9003fa9a0198ce004b30738766c67eb7373479c9" + }, + { + "url": "https://git.kernel.org/stable/c/e4f4bac7d3b64eb75f70cd3345712de6f68a215d" + }, + { + "url": "https://git.kernel.org/stable/c/2adc886244dff60f948497b59affb6c6ebb3c348" + }, + { + "url": "https://git.kernel.org/stable/c/f11f0fd1ad6c11ae7856d4325fe9d05059767225" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52594" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2adc886244dff60f948497b59affb6c6ebb3c348(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-82", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52594" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()\n\nFix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug\noccurs when txs->cnt, data from a URB provided by a USB device, is\nbigger than the size of the array txs->txstatus, which is\nHTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug\nhandling code after the check. Make the function return if that is the\ncase.\n\nFound by a modified version of syzkaller.\n\nUBSAN: array-index-out-of-bounds in htc_drv_txrx.c\nindex 13 is out of range for type '__wmi_event_txstatus [12]'\nCall Trace:\n ath9k_htc_txstatus\n ath9k_wmi_event_tasklet\n tasklet_action_common\n __do_softirq\n irq_exit_rxu\n sysvec_apic_timer_interrupt", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52594", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52594" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/98bc7e26e14fbb26a6abf97603d59532475e97f8" + }, + { + "url": "https://git.kernel.org/stable/c/6f9f2e498eae7897ba5d3e33908917f68ff4abcc" + }, + { + "url": "https://git.kernel.org/stable/c/98e2b97acb875d65bdfc75fc408e67975cef3041" + }, + { + "url": "https://git.kernel.org/stable/c/0ff96ec22a84d80a18d7ae8ca7eb111c34ee33bb" + }, + { + "url": "https://git.kernel.org/stable/c/ec7256887d072f98c42cdbef4dcc80ddf84c7a70" + }, + { + "url": "https://git.kernel.org/stable/c/635594cca59f9d7a8e96187600c34facb8bc0682" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35940" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/98bc7e26e14fbb26a6abf97603d59532475e97f8(6.9-rc1)" + } + ], + "bom-ref": "vuln-83", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35940" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/zone: Add a null pointer check to the psz_kmsg_read\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35940", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35940" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e39a3a14eafcf17f03c037290b78c8f483529028" + }, + { + "url": "https://git.kernel.org/stable/c/424eba06ed405d557077339edb19ce0ebe39e7c7" + }, + { + "url": "https://git.kernel.org/stable/c/07161b2416f740a2cb87faa5566873f401440a61" + }, + { + "url": "https://git.kernel.org/stable/c/8a8b6a24684bc278036c3f159f7b3a31ad89546a" + }, + { + "url": "https://git.kernel.org/stable/c/f546cc19f9b82975238d0ba413adc27714750774" + }, + { + "url": "https://git.kernel.org/stable/c/9c402819620a842cbfe39359a3ddfaac9adc8384" + }, + { + "url": "https://git.kernel.org/stable/c/efba65777f98457773c5b65e3135c6132d3b015f" + }, + { + "url": "https://git.kernel.org/stable/c/6b4a39acafaf0186ed8e97c16e0aa6fca0e52009" + }, + { + "url": "https://git.kernel.org/stable/c/276873ae26c8d75b00747c1dadb9561d6ef20581" + }, + { + "url": "https://git.kernel.org/linus/07161b2416f740a2cb87faa5566873f401440a61(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26651" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-84", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26651" + } + } + ], + "created": "2024-03-27T14:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsr9800: Add check for usbnet_get_endpoints\n\nAdd check for usbnet_get_endpoints() and return the error if it fails\nin order to transfer the error.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26651", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26651" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c0c5ffaed73cbae6c317374dc32ba6cacc60895" + }, + { + "url": "https://git.kernel.org/stable/c/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c" + }, + { + "url": "https://git.kernel.org/stable/c/2f6d16f0520d6505241629ee2f5c131b547d5f9d" + }, + { + "url": "https://git.kernel.org/stable/c/16d3f507b0fa70453dc54550df093d6e9ac630c1" + }, + { + "url": "https://git.kernel.org/stable/c/7e9a8498658b398bf11b8e388005fa54e40aed81" + }, + { + "url": "https://git.kernel.org/stable/c/a3d90fb5c23f29ba59c04005ae76c5228cef2be9" + }, + { + "url": "https://git.kernel.org/stable/c/471c9ede8061357b43a116fa692e70d91941ac23" + }, + { + "url": "https://git.kernel.org/stable/c/71349abe3aba7fedcab5b3fcd7aa82371fb5ccbf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26825" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://git.kernel.org/linus/bfb007aebe6bff451f7f3a4be19f4f286d0d5d9c(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-85", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26825" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: free rx_data_reassembly skb on NCI device cleanup\n\nrx_data_reassembly skb is stored during NCI data exchange for processing\nfragmented packets. It is dropped only when the last fragment is processed\nor when an NTF packet with NCI_OP_RF_DEACTIVATE_NTF opcode is received.\nHowever, the NCI device may be deallocated before that which leads to skb\nleak.\n\nAs by design the rx_data_reassembly skb is bound to the NCI device and\nnothing prevents the device to be freed before the skb is processed in\nsome way and cleaned, free it on the NCI device cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26825", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26825" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1318" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1319" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1325" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" + } + ], + "bom-ref": "vuln-86", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + } + }, + { + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5678" + } + } + ], + "created": "2023-11-06T16:15:42Z", + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "affects": [ + { + "ref": "comp-103" + } + ], + "id": "CVE-2023-5678", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/" + }, + { + "url": "https://www.python.org/dev/security/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6513-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5528" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-317.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2222.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1876.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-40217" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5992" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5531" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5993" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5990" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5991" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6068" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5472" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-319.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5998" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6823" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5996" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5997" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6885" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5994" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5995" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5456" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1816.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6290" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5462" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6793" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:5463" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPYTHON3.8-2023-010.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6513-2" + } + ], + "bom-ref": "vuln-87", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" + } + }, + { + "severity": "none", + "score": 0.00049, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40217" + } + } + ], + "created": "2023-08-25T01:15:09Z", + "description": "An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)", + "affects": [ + { + "ref": "comp-321" + } + ], + "id": "CVE-2023-40217", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40217" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:20:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T14:07:38Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dfb2ce952143de60dd756ed666901236c76cb3fa" + }, + { + "url": "https://git.kernel.org/stable/c/6be74b1e21f8de4c48af772c2f658b464bfe6145" + }, + { + "url": "https://git.kernel.org/stable/c/9c573cd313433f6c1f7236fe64b9b743500c1628" + }, + { + "url": "https://git.kernel.org/stable/c/300a2b9c2b28282974ee300bb5d5025cbbb1f64c" + }, + { + "url": "https://git.kernel.org/stable/c/e80b4980af2688d8ff69c157ffa773dd1f1eb02c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35918" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9c573cd313433f6c1f7236fe64b9b743500c1628(6.9-rc4)" + } + ], + "bom-ref": "vuln-88", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35918" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrandomize_kstack: Improve entropy diffusion\n\nThe kstack_offset variable was really only ever using the low bits for\nkernel stack offset entropy. Add a ror32() to increase bit diffusion.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35918", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35918" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7395dfacfff65e9938ac0889dafa1ab01e987d15" + }, + { + "url": "https://git.kernel.org/stable/c/383182db8d58c4237772ba0764cded4938a235c3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27397" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7395dfacfff65e9938ac0889dafa1ab01e987d15(6.8-rc4)" + } + ], + "bom-ref": "vuln-89", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27397" + } + } + ], + "created": "2024-05-14T15:12:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: use timestamp to check for set element timeout\n\nAdd a timestamp field at the beginning of the transaction, store it\nin the nftables per-netns area.\n\nUpdate set backend .insert, .deactivate and sync gc path to use the\ntimestamp, this avoids that an element expires while control plane\ntransaction is still unfinished.\n\n.lookup and .update, which are used from packet path, still use the\ncurrent time to check if the element has expired. And .get path and dump\nalso since this runs lockless under rcu read size lock. Then, there is\nasync gc which also needs to check the current time since it runs\nasynchronously from a workqueue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27397", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27397" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a9f78b297e08ca8e88ae3ecff1f6fe2766dc5eb" + }, + { + "url": "https://git.kernel.org/stable/c/8eebff95ce9558be66a36aa7cfb43223f3ab4699" + }, + { + "url": "https://git.kernel.org/stable/c/8ffcd3ccdbda0c918c4a0f922ef1c17010f1b598" + }, + { + "url": "https://git.kernel.org/stable/c/c51f8b6930db3f259b8820b589f2459d2df3fc68" + }, + { + "url": "https://git.kernel.org/stable/c/44f9f1abb0ecc43023225ab9539167facbabf0ec" + }, + { + "url": "https://git.kernel.org/stable/c/cf7d8cba639ae792a42c2a137b495eac262ac36c" + }, + { + "url": "https://git.kernel.org/stable/c/4f37d3a7e004bbf560c21441ca9c022168017ec4" + }, + { + "url": "https://git.kernel.org/stable/c/d27e2da94a42655861ca4baea30c8cd65546f25d" + }, + { + "url": "https://git.kernel.org/stable/c/7bcc090c81116c66936a7415f2c6b1483a4bcfd9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26859" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/d27e2da94a42655861ca4baea30c8cd65546f25d(6.9-rc1)" + } + ], + "bom-ref": "vuln-90", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26859" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/bnx2x: Prevent access to a freed page in page_pool\n\nFix race condition leading to system crash during EEH error handling\n\nDuring EEH error recovery, the bnx2x driver's transmit timeout logic\ncould cause a race condition when handling reset tasks. The\nbnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(),\nwhich ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload()\nSGEs are freed using bnx2x_free_rx_sge_range(). However, this could\noverlap with the EEH driver's attempt to reset the device using\nbnx2x_io_slot_reset(), which also tries to free SGEs. This race\ncondition can result in system crashes due to accessing freed memory\nlocations in bnx2x_free_rx_sge()\n\n799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp,\n800\t\t\t\tstruct bnx2x_fastpath *fp, u16 index)\n801 {\n802\tstruct sw_rx_page *sw_buf = &fp->rx_page_ring[index];\n803 struct page *page = sw_buf->page;\n....\nwhere sw_buf was set to NULL after the call to dma_unmap_page()\nby the preceding thread.\n\n EEH: Beginning: 'slot_reset'\n PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset()\n bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing...\n bnx2x 0011:01:00.0: enabling device (0140 -> 0142)\n bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc0080000025065fc\n Oops: Kernel access of bad area, sig: 11 [#1]\n .....\n Call Trace:\n [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable)\n [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0\n [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550\n [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60\n [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170\n [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0\n [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\n\nTo solve this issue, we need to verify page pool allocations before\nfreeing.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26859", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26859" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/45a0de41ec383c8b7c6d442734ba3852dd2fc4a7" + }, + { + "url": "https://git.kernel.org/stable/c/2c86b24095fcf72cf51bc72d12e4350163b4e11d" + }, + { + "url": "https://git.kernel.org/stable/c/c6e316ac05532febb0c966fa9b55f5258ed037be" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-91", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrivers: perf: Check find_first_bit() return value\n\nWe must check the return value of find_first_bit() before using the\nreturn value as an index array since it happens to overflow the array\nand then panic:\n\n[ 107.318430] Kernel BUG [#1]\n[ 107.319434] CPU: 3 PID: 1238 Comm: kill Tainted: G E 6.6.0-rc6ubuntu-defconfig #2\n[ 107.319465] Hardware name: riscv-virtio,qemu (DT)\n[ 107.319551] epc : pmu_sbi_ovf_handler+0x3a4/0x3ae\n[ 107.319840] ra : pmu_sbi_ovf_handler+0x52/0x3ae\n[ 107.319868] epc : ffffffff80a0a77c ra : ffffffff80a0a42a sp : ffffaf83fecda350\n[ 107.319884] gp : ffffffff823961a8 tp : ffffaf8083db1dc0 t0 : ffffaf83fecda480\n[ 107.319899] t1 : ffffffff80cafe62 t2 : 000000000000ff00 s0 : ffffaf83fecda520\n[ 107.319921] s1 : ffffaf83fecda380 a0 : 00000018fca29df0 a1 : ffffffffffffffff\n[ 107.319936] a2 : 0000000001073734 a3 : 0000000000000004 a4 : 0000000000000000\n[ 107.319951] a5 : 0000000000000040 a6 : 000000001d1c8774 a7 : 0000000000504d55\n[ 107.319965] s2 : ffffffff82451f10 s3 : ffffffff82724e70 s4 : 000000000000003f\n[ 107.319980] s5 : 0000000000000011 s6 : ffffaf8083db27c0 s7 : 0000000000000000\n[ 107.319995] s8 : 0000000000000001 s9 : 00007fffb45d6558 s10: 00007fffb45d81a0\n[ 107.320009] s11: ffffaf7ffff60000 t3 : 0000000000000004 t4 : 0000000000000000\n[ 107.320023] t5 : ffffaf7f80000000 t6 : ffffaf8000000000\n[ 107.320037] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003\n[ 107.320081] [] pmu_sbi_ovf_handler+0x3a4/0x3ae\n[ 107.320112] [] handle_percpu_devid_irq+0x9e/0x1a0\n[ 107.320131] [] generic_handle_domain_irq+0x28/0x36\n[ 107.320148] [] riscv_intc_irq+0x36/0x4e\n[ 107.320166] [] handle_riscv_irq+0x54/0x86\n[ 107.320189] [] do_irq+0x64/0x96\n[ 107.320271] Code: 85a6 855e b097 ff7f 80e7 9220 b709 9002 4501 bbd9 (9002) 6097\n[ 107.320585] ---[ end trace 0000000000000000 ]---\n[ 107.320704] Kernel panic - not syncing: Fatal exception in interrupt\n[ 107.320775] SMP: stopping secondary CPUs\n[ 107.321219] Kernel Offset: 0x0 from 0xffffffff80000000\n[ 107.333051] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52797", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52797" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6597a6687af54e2cb58371cf8f6ee4dd85c537de" + }, + { + "url": "https://git.kernel.org/stable/c/ae5876b3b7b2243d874e2afa099e7926122087a1" + }, + { + "url": "https://git.kernel.org/stable/c/1cca1bddf9ef080503c15378cecf4877f7510015" + }, + { + "url": "https://git.kernel.org/stable/c/805a1cdde82fec00c7471a393f4bb437b2741559" + }, + { + "url": "https://git.kernel.org/stable/c/138fdeac75fb7512a7f9f1c3b236cd2e754af793" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1cca1bddf9ef080503c15378cecf4877f7510015(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35938" + } + ], + "bom-ref": "vuln-92", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35938" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: decrease MHI channel buffer length to 8KB\n\nCurrently buf_len field of ath11k_mhi_config_qca6390 is assigned\nwith 0, making MHI use a default size, 64KB, to allocate channel\nbuffers. This is likely to fail in some scenarios where system\nmemory is highly fragmented and memory compaction or reclaim is\nnot allowed.\n\nThere is a fail report which is caused by it:\nkworker/u32:45: page allocation failure: order:4, mode:0x40c00(GFP_NOIO|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0\nCPU: 0 PID: 19318 Comm: kworker/u32:45 Not tainted 6.8.0-rc3-1.gae4495f-default #1 openSUSE Tumbleweed (unreleased) 493b6d5b382c603654d7a81fc3c144d59a1dfceb\nWorkqueue: events_unbound async_run_entry_fn\nCall Trace:\n \n dump_stack_lvl+0x47/0x60\n warn_alloc+0x13a/0x1b0\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? __alloc_pages_direct_compact+0xab/0x210\n __alloc_pages_slowpath.constprop.0+0xd3e/0xda0\n __alloc_pages+0x32d/0x350\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __kmalloc_large_node+0x72/0x110\n __kmalloc+0x37c/0x480\n ? mhi_map_single_no_bb+0x77/0xf0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n mhi_prepare_channel+0x127/0x2d0 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n __mhi_prepare_for_transfer+0x44/0x80 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n ? __pfx_____mhi_prepare_for_transfer+0x10/0x10 [mhi 40df44e07c05479f7a6e7b90fba9f0e0031a7814]\n device_for_each_child+0x5c/0xa0\n ? __pfx_pci_pm_resume+0x10/0x10\n ath11k_core_resume+0x65/0x100 [ath11k a5094e22d7223135c40d93c8f5321cf09fd85e4e]\n ? srso_alias_return_thunk+0x5/0xfbef5\n ath11k_pci_pm_resume+0x32/0x60 [ath11k_pci 830b7bfc3ea80ebef32e563cafe2cb55e9cc73ec]\n ? srso_alias_return_thunk+0x5/0xfbef5\n dpm_run_callback+0x8c/0x1e0\n device_resume+0x104/0x340\n ? __pfx_dpm_watchdog_handler+0x10/0x10\n async_resume+0x1d/0x30\n async_run_entry_fn+0x32/0x120\n process_one_work+0x168/0x330\n worker_thread+0x2f5/0x410\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe8/0x120\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nActually those buffers are used only by QMI target -> host communication.\nAnd for WCN6855 and QCA6390, the largest packet size for that is less\nthan 6KB. So change buf_len field to 8KB, which results in order 1\nallocation if page size is 4KB. In this way, we can at least save some\nmemory, and as well as decrease the possibility of allocation failure\nin those scenarios.\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35938", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35938" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6c6a45645a2e6a272dfde14eddbb6706de63c25d" + }, + { + "url": "https://git.kernel.org/stable/c/629b534c42d04f0797980f2d1ed105fdb8906975" + }, + { + "url": "https://git.kernel.org/stable/c/3895780fabd120d0fbd54354014e85207b25687c" + }, + { + "url": "https://git.kernel.org/stable/c/7dfed9855397d0df4c6f748d1f66547ab3bad766" + }, + { + "url": "https://git.kernel.org/stable/c/6661befe41009c210efa2c1bcd16a5cc4cff8a06" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26963" + }, + { + "url": "https://git.kernel.org/linus/6661befe41009c210efa2c1bcd16a5cc4cff8a06(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-93", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26963" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3-am62: fix module unload/reload behavior\n\nAs runtime PM is enabled, the module can be runtime\nsuspended when .remove() is called.\n\nDo a pm_runtime_get_sync() to make sure module is active\nbefore doing any register operations.\n\nDoing a pm_runtime_put_sync() should disable the refclk\nso no need to disable it again.\n\nFixes the below warning at module removel.\n\n[ 39.705310] ------------[ cut here ]------------\n[ 39.710004] clk:162:3 already disabled\n[ 39.713941] WARNING: CPU: 0 PID: 921 at drivers/clk/clk.c:1090 clk_core_disable+0xb0/0xb8\n\nWe called of_platform_populate() in .probe() so call the\ncleanup function of_platform_depopulate() in .remove().\nGet rid of the now unnnecessary dwc3_ti_remove_core().\nWithout this, module re-load doesn't work properly.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26963", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26963" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e" + }, + { + "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5" + }, + { + "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381" + }, + { + "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8" + }, + { + "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58" + }, + { + "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b" + }, + { + "url": "https://git.kernel.org/linus/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26906" + } + ], + "bom-ref": "vuln-94", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26906" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n \n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26906", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26906" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb5466783793e66272624cf71925ae1d1ba32083" + }, + { + "url": "https://git.kernel.org/stable/c/8b218e2f0a27a9f09428b1847b4580640b9d1e58" + }, + { + "url": "https://git.kernel.org/stable/c/38e921616320d159336b0ffadb09e9fb4945c7c3" + }, + { + "url": "https://git.kernel.org/stable/c/9cac69912052a4def571fedf1cb9bb4ec590e25a" + }, + { + "url": "https://git.kernel.org/stable/c/94965be37add0983672e48ecb33cdbda92b62579" + }, + { + "url": "https://git.kernel.org/stable/c/037d5a949b0455540ef9aab34c10ddf54b65d285" + }, + { + "url": "https://git.kernel.org/stable/c/43eccc5823732ba6daab2511ed32dfc545a666d8" + }, + { + "url": "https://git.kernel.org/stable/c/e21a2f17566cbd64926fb8f16323972f7a064444" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26840" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e21a2f17566cbd64926fb8f16323972f7a064444(6.8-rc6)" + } + ], + "bom-ref": "vuln-95", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26840" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix memory leak in cachefiles_add_cache()\n\nThe following memory leak was reported after unbinding /dev/cachefiles:\n\n==================================================================\nunreferenced object 0xffff9b674176e3c0 (size 192):\n comm \"cachefilesd2\", pid 680, jiffies 4294881224\n hex dump (first 32 bytes):\n 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc ea38a44b):\n [] kmem_cache_alloc+0x2d5/0x370\n [] prepare_creds+0x26/0x2e0\n [] cachefiles_determine_cache_security+0x1f/0x120\n [] cachefiles_add_cache+0x13c/0x3a0\n [] cachefiles_daemon_write+0x146/0x1c0\n [] vfs_write+0xcb/0x520\n [] ksys_write+0x69/0xf0\n [] do_syscall_64+0x72/0x140\n [] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n==================================================================\n\nPut the reference count of cache_cred in cachefiles_daemon_unbind() to\nfix the problem. And also put cache_cred in cachefiles_add_cache() error\nbranch to avoid memory leaks.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26840", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26840" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/916cd2fcbc1e344bcabf4b2a834cdf5a0417d30c" + }, + { + "url": "https://git.kernel.org/stable/c/8672ad663a22d0e4a325bb7d817b36ec412b967c" + }, + { + "url": "https://git.kernel.org/stable/c/a86e54a345139f1a7668c9f83bdc7ac6f91b6f78" + }, + { + "url": "https://git.kernel.org/stable/c/ab92e11b73b48b79f144421430891f3aa6242656" + }, + { + "url": "https://git.kernel.org/stable/c/e4e47e406d74cab601b2ab21ba5e3add811e05ae" + }, + { + "url": "https://git.kernel.org/stable/c/164be0a824387301312689bb29b2be92ab2cd39d" + }, + { + "url": "https://git.kernel.org/stable/c/347cca11bb78b9f3c29b45a9c52e70258bd008bf" + }, + { + "url": "https://git.kernel.org/stable/c/da3b75931bb737be74d6b4341e0080f233ed1409" + }, + { + "url": "https://git.kernel.org/stable/c/19f955ad9437a6859a529af34e2eafd903d5e7c1" + }, + { + "url": "https://git.kernel.org/stable/c/3afdcc4e1a00facad210f5c5891bb2fbc026067f" + }, + { + "url": "https://git.kernel.org/stable/c/9b319f4a88094b2e020e6db6e819c808d890098d" + }, + { + "url": "https://git.kernel.org/stable/c/9723602387217caa71d623ffcce314dc39e84a09" + }, + { + "url": "https://git.kernel.org/stable/c/2ff436b6399859e06539a2b9c667897d3cc85ad5" + }, + { + "url": "https://git.kernel.org/stable/c/5904411219601127ffdbd2d622bb5d67f9d8d16c" + }, + { + "url": "https://git.kernel.org/stable/c/339f83612f3a569b194680768b22bf113c26a29d" + }, + { + "url": "https://git.kernel.org/stable/c/7182175f565ffffa2ba1911726c5656bfc7a1bae" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35812" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/339f83612f3a569b194680768b22bf113c26a29d(6.9-rc2)" + } + ], + "bom-ref": "vuln-96", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35812" + } + } + ], + "created": "2024-05-17T14:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-wdm: close race between read and workqueue\n\nwdm_read() cannot race with itself. However, in\nservice_outstanding_interrupt() it can race with the\nworkqueue, which can be triggered by error handling.\n\nHence we need to make sure that the WDM_RESPONDING\nflag is not just only set but tested.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35812", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35812" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/705c76fbf726c7a2f6ff9143d4013b18daaaebf1" + }, + { + "url": "https://git.kernel.org/stable/c/c868cabdf6fdd61bea54532271f4708254e57fc5" + }, + { + "url": "https://git.kernel.org/stable/c/a8344e2b69bde63f713b0aa796d70dbeadffddfb" + }, + { + "url": "https://git.kernel.org/stable/c/f92739fdd4522c4291277136399353d7c341fae4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35864" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/705c76fbf726c7a2f6ff9143d4013b18daaaebf1(6.9-rc3)" + } + ], + "bom-ref": "vuln-97", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35864" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_lease_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35864" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d83309e7e006cee8afca83523559017c824fbf7a" + }, + { + "url": "https://git.kernel.org/stable/c/9de787139b0258a5dd1f498780c26d76b61d2958" + }, + { + "url": "https://git.kernel.org/stable/c/f803982190f0265fd36cf84670aa6daefc2b0768" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-98", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: split initial and dynamic conditions for extent_cache\n\nLet's allocate the extent_cache tree without dynamic conditions to avoid a\nmissing condition causing a panic as below.\n\n # create a file w/ a compressed flag\n # disable the compression\n # panic while updating extent_cache\n\nF2FS-fs (dm-64): Swapfile: last extent is not aligned to section\nF2FS-fs (dm-64): Swapfile (3) is not align to section: 1) creat(), 2) ioctl(F2FS_IOC_SET_PIN_FILE), 3) fallocate(2097152 * N)\nAdding 124996k swap on ./swap-file. Priority:0 extents:2 across:17179494468k\n==================================================================\nBUG: KASAN: null-ptr-deref in instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]\nBUG: KASAN: null-ptr-deref in atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]\nBUG: KASAN: null-ptr-deref in queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]\nBUG: KASAN: null-ptr-deref in __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]\nBUG: KASAN: null-ptr-deref in _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295\nWrite of size 4 at addr 0000000000000030 by task syz-executor154/3327\n\nCPU: 0 PID: 3327 Comm: syz-executor154 Tainted: G O 5.10.185 #1\nHardware name: emulation qemu-x86/qemu-x86, BIOS 2023.01-21885-gb3cc1cd24d 01/01/2023\nCall Trace:\n __dump_stack out/common/lib/dump_stack.c:77 [inline]\n dump_stack_lvl+0x17e/0x1c4 out/common/lib/dump_stack.c:118\n __kasan_report+0x16c/0x260 out/common/mm/kasan/report.c:415\n kasan_report+0x51/0x70 out/common/mm/kasan/report.c:428\n kasan_check_range+0x2f3/0x340 out/common/mm/kasan/generic.c:186\n __kasan_check_write+0x14/0x20 out/common/mm/kasan/shadow.c:37\n instrument_atomic_read_write out/common/include/linux/instrumented.h:101 [inline]\n atomic_try_cmpxchg_acquire out/common/include/asm-generic/atomic-instrumented.h:705 [inline]\n queued_write_lock out/common/include/asm-generic/qrwlock.h:92 [inline]\n __raw_write_lock out/common/include/linux/rwlock_api_smp.h:211 [inline]\n _raw_write_lock+0x5a/0x110 out/common/kernel/locking/spinlock.c:295\n __drop_extent_tree+0xdf/0x2f0 out/common/fs/f2fs/extent_cache.c:1155\n f2fs_drop_extent_tree+0x17/0x30 out/common/fs/f2fs/extent_cache.c:1172\n f2fs_insert_range out/common/fs/f2fs/file.c:1600 [inline]\n f2fs_fallocate+0x19fd/0x1f40 out/common/fs/f2fs/file.c:1764\n vfs_fallocate+0x514/0x9b0 out/common/fs/open.c:310\n ksys_fallocate out/common/fs/open.c:333 [inline]\n __do_sys_fallocate out/common/fs/open.c:341 [inline]\n __se_sys_fallocate out/common/fs/open.c:339 [inline]\n __x64_sys_fallocate+0xb8/0x100 out/common/fs/open.c:339\n do_syscall_64+0x35/0x50 out/common/arch/x86/entry/common.c:46", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52770", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52770" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/859175d4bc11af829e2fdd261a7effdaba9b5d8f" + }, + { + "url": "https://git.kernel.org/stable/c/f9c4d42464173b826190fae2283ed1a4bbae0c8b" + }, + { + "url": "https://git.kernel.org/stable/c/c13fbb5902bce848759385986d4833f5b90782c1" + }, + { + "url": "https://git.kernel.org/stable/c/c4309e5f8e80584715c814e1d012dbc3eee5a500" + }, + { + "url": "https://git.kernel.org/stable/c/4c02b9ccbb11862ee39850b2b285664cd579b039" + }, + { + "url": "https://git.kernel.org/stable/c/b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76" + }, + { + "url": "https://git.kernel.org/stable/c/d732b83251322ecd3b503e03442247745d6052ce" + }, + { + "url": "https://git.kernel.org/stable/c/b7d33e083f9d5d39445c0a91e7ad4f3e2c47fcb5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27421" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b5dffcb8f71bdd02a4e5799985b51b12f4eeaf76(6.8)" + } + ], + "bom-ref": "vuln-99", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27421" + } + } + ], + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_routing_control\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27421", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27421" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7f7d39fe3d80d6143404940b2413010cf6527029" + }, + { + "url": "https://git.kernel.org/stable/c/1699fb915b9f61794d559b55114c09a390aaf234" + }, + { + "url": "https://git.kernel.org/stable/c/cda9c0d556283e2d4adaa9960b2dc19b16156bae" + }, + { + "url": "https://git.kernel.org/stable/c/a3f22feb2220a945d1c3282e34199e8bcdc5afc4" + }, + { + "url": "https://git.kernel.org/stable/c/d0647c3e81eff62b66d46fd4e475318cb8cb3610" + }, + { + "url": "https://git.kernel.org/linus/cda9c0d556283e2d4adaa9960b2dc19b16156bae(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48669" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-100", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48669" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix potential memleak in papr_get_attr()\n\n`buf` is allocated in papr_get_attr(), and krealloc() of `buf`\ncould fail. We need to free the original `buf` in the case of failure.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2022-48669", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48669" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0c863cab0e9173f8b6c7bc328bee3b8625f131b5" + }, + { + "url": "https://git.kernel.org/stable/c/2e150ccea13129eb048679114808eb9770443e4d" + }, + { + "url": "https://git.kernel.org/stable/c/e96fddb32931d007db12b1fce9b5e8e4c080401b" + }, + { + "url": "https://git.kernel.org/linus/e96fddb32931d007db12b1fce9b5e8e4c080401b(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26662" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-101", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26662" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'\n\n'panel_cntl' structure used to control the display panel could be null,\ndereferencing it could lead to a null pointer access.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn21/dcn21_hwseq.c:269 dcn21_set_backlight_level() error: we previously assumed 'panel_cntl' could be null (see line 250)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26662", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26662" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6edefe1b6c29a9932f558a898968a9fcbeec5711" + }, + { + "url": "https://git.kernel.org/stable/c/2caa605079488da9601099fbda460cfc1702839f" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVVYSTEVMPYGF6GDSOD44MUXZXAZHOHB/" + }, + { + "url": "https://git.kernel.org/stable/c/a23ac1788e2c828c097119e9a3178f0b7e503fee" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSXNF4RLEFLH35BFUQGYXRRVHHUIVBAE/" + }, + { + "url": "https://git.kernel.org/stable/c/3bfe04c1273d30b866f4c7c238331ed3b08e5824" + }, + { + "url": "https://git.kernel.org/stable/c/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815" + }, + { + "url": "https://git.kernel.org/stable/c/7d930a4da17958f869ef679ee0e4a8729337affc" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6776-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26622" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815(6.8-rc7)" + } + ], + "bom-ref": "vuln-102", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26622" + } + } + ], + "created": "2024-03-04T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntomoyo: fix UAF write bug in tomoyo_write_control()\n\nSince tomoyo_write_control() updates head->write_buf when write()\nof long lines is requested, we need to fetch head->write_buf after\nhead->io_sem is held. Otherwise, concurrent write() requests can\ncause use-after-free-write and double-free problems.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26622", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26622" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-13T03:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7f615232556f3c6e3eeecef96ef2b00d0aa905bb" + }, + { + "url": "https://git.kernel.org/stable/c/dec82a8fc45c6ce494c2cb31f001a2aadb132b57" + }, + { + "url": "https://git.kernel.org/stable/c/7510b08c5f5ba15983da004b021fc6154eeb4047" + }, + { + "url": "https://git.kernel.org/stable/c/e041df5dc9e68adffcba5499ca28e1252bed6f4b" + }, + { + "url": "https://git.kernel.org/stable/c/392eb88416dcbc5f1d61b9a88d79d78dc8b27652" + }, + { + "url": "https://git.kernel.org/stable/c/bbc21f134b89535d1cf110c5f2b33ac54e5839c4" + }, + { + "url": "https://git.kernel.org/stable/c/7644df766006d4878a556e427e3ecc78c2d5606b" + }, + { + "url": "https://git.kernel.org/stable/c/958d6145a6d9ba9e075c921aead8753fb91c9101" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27430" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/958d6145a6d9ba9e075c921aead8753fb91c9101(6.8)" + } + ], + "bom-ref": "vuln-103", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27430" + } + } + ], + "created": "2024-05-17T12:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_default_path_quality\n\nWe need to protect the reader reading sysctl_netrom_default_path_quality\nbecause the value can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27430", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27430" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb8890318dde26fc89c6ea67d6e9070ab50b6e91" + }, + { + "url": "https://git.kernel.org/stable/c/25236c91b5ab4a26a56ba2e79b8060cf4e047839" + }, + { + "url": "https://git.kernel.org/stable/c/36f7371de977f805750748e80279be7e370df85c" + }, + { + "url": "https://git.kernel.org/stable/c/2a3d40b4025fcfe51b04924979f1653993b17669" + }, + { + "url": "https://git.kernel.org/stable/c/69e0f04460f4037e01e29f0d9675544f62aafca3" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26780" + } + ], + "bom-ref": "vuln-104", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26780" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC.\n\nsyzbot reported a task hung; at the same time, GC was looping infinitely\nin list_for_each_entry_safe() for OOB skb. [0]\n\nsyzbot demonstrated that the list_for_each_entry_safe() was not actually\nsafe in this case.\n\nA single skb could have references for multiple sockets. If we free such\na skb in the list_for_each_entry_safe(), the current and next sockets could\nbe unlinked in a single iteration.\n\nunix_notinflight() uses list_del_init() to unlink the socket, so the\nprefetched next socket forms a loop itself and list_for_each_entry_safe()\nnever stops.\n\nHere, we must use while() and make sure we always fetch the first socket.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 5065 Comm: syz-executor236 Not tainted 6.8.0-rc3-syzkaller-00136-g1f719a2f3fa6 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:preempt_count arch/x86/include/asm/preempt.h:26 [inline]\nRIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]\nRIP: 0010:__sanitizer_cov_trace_pc+0xd/0x60 kernel/kcov.c:207\nCode: cc cc cc cc 66 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 14 25 40 c2 03 00 <65> 8b 05 b4 7c 78 7e a9 00 01 ff 00 48 8b 34 24 74 0f f6 c4 01 74\nRSP: 0018:ffffc900033efa58 EFLAGS: 00000283\nRAX: ffff88807b077800 RBX: ffff88807b077800 RCX: 1ffffffff27b1189\nRDX: ffff88802a5a3b80 RSI: ffffffff8968488d RDI: ffff88807b077f70\nRBP: ffffc900033efbb0 R08: 0000000000000001 R09: fffffbfff27a900c\nR10: ffffffff93d48067 R11: ffffffff8ae000eb R12: ffff88807b077800\nR13: dffffc0000000000 R14: ffff88807b077e40 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000564f4fc1e3a8 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n unix_gc+0x563/0x13b0 net/unix/garbage.c:319\n unix_release_sock+0xa93/0xf80 net/unix/af_unix.c:683\n unix_release+0x91/0xf0 net/unix/af_unix.c:1064\n __sock_release+0xb0/0x270 net/socket.c:659\n sock_close+0x1c/0x30 net/socket.c:1421\n __fput+0x270/0xb80 fs/file_table.c:376\n task_work_run+0x14f/0x250 kernel/task_work.c:180\n exit_task_work include/linux/task_work.h:38 [inline]\n do_exit+0xa8a/0x2ad0 kernel/exit.c:871\n do_group_exit+0xd4/0x2a0 kernel/exit.c:1020\n __do_sys_exit_group kernel/exit.c:1031 [inline]\n __se_sys_exit_group kernel/exit.c:1029 [inline]\n __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1029\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f9d6cbdac09\nCode: Unable to access opcode bytes at 0x7f9d6cbdabdf.\nRSP: 002b:00007fff5952feb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9d6cbdac09\nRDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000\nRBP: 00007f9d6cc552b0 R08: ffffffffffffffb8 R09: 0000000000000006\nR10: 0000000000000006 R11: 0000000000000246 R12: 00007f9d6cc552b0\nR13: 0000000000000000 R14: 00007f9d6cc55d00 R15: 00007f9d6cbabe70\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26780", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26780" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/989af2f29342a9a7c7515523d879b698ac8465f4" + }, + { + "url": "https://git.kernel.org/stable/c/fdfa083549de5d50ebf7f6811f33757781e838c0" + }, + { + "url": "https://git.kernel.org/stable/c/5a5c039dac1b1b7ba3e91c791f4421052bf79b82" + }, + { + "url": "https://git.kernel.org/stable/c/84f1dac960cfa210a3b7a7522e6c2320ae91932b" + }, + { + "url": "https://git.kernel.org/stable/c/fe2a73d57319feab4b3b175945671ce43492172f" + }, + { + "url": "https://git.kernel.org/stable/c/c99a827d3cff9f84e1cb997b7cc6386d107aa74d" + }, + { + "url": "https://git.kernel.org/stable/c/aee4dcfe17219fe60f2821923adea98549060af8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26744" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fdfa083549de5d50ebf7f6811f33757781e838c0(6.8-rc6)" + } + ], + "bom-ref": "vuln-105", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26744" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/srpt: Support specifying the srpt_service_guid parameter\n\nMake loading ib_srpt with this parameter set work. The current behavior is\nthat setting that parameter while loading the ib_srpt kernel module\ntriggers the following kernel crash:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000000\nCall Trace:\n \n parse_one+0x18c/0x1d0\n parse_args+0xe1/0x230\n load_module+0x8de/0xa60\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x181/0x240\n __x64_sys_finit_module+0x5a/0xb0\n do_syscall_64+0x5f/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26744", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26744" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fabe2db7de32a881e437ee69db32e0de785a6209" + }, + { + "url": "https://git.kernel.org/stable/c/71d4186d470e9cda7cd1a0921b4afda737c6f641" + }, + { + "url": "https://git.kernel.org/stable/c/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea" + }, + { + "url": "https://git.kernel.org/stable/c/96aa40761673da045a7774f874487cdb50c6a2f7" + }, + { + "url": "https://git.kernel.org/stable/c/783d413f332a3ebec916664b366c28f58147f82c" + }, + { + "url": "https://git.kernel.org/stable/c/c855a1a5b7e3de57e6b1b29563113d5e3bfdb89a" + }, + { + "url": "https://git.kernel.org/stable/c/fec14d1cdd92f340b9ba2bd220abf96f9609f2a9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35845" + }, + { + "url": "https://git.kernel.org/linus/ea1d166fae14e05d49ffb0ea9fcd4658f8d3dcea(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-106", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35845" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dbg-tlv: ensure NUL termination\n\nThe iwl_fw_ini_debug_info_tlv is used as a string, so we must\nensure the string is terminated correctly before using it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35845", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35845" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/83ada89e4a86e2b28ea2b5113c76d6dc7560a4d0" + }, + { + "url": "https://git.kernel.org/stable/c/2c077fdfd09dffb31a890e5095c8ab205138a42e" + }, + { + "url": "https://git.kernel.org/stable/c/b457105309d388e4081c716cf7b81d517ff74db4" + }, + { + "url": "https://git.kernel.org/stable/c/9d1e795f754db1ac3344528b7af0b17b8146f321" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27003" + }, + { + "url": "https://git.kernel.org/linus/9d1e795f754db1ac3344528b7af0b17b8146f321(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-107", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27003" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree for clk_summary\n\nSimilar to the previous commit, we should make sure that all devices are\nruntime resumed before printing the clk_summary through debugfs. Failure\nto do so would result in a deadlock if the thread is resuming a device\nto print clk state and that device is also runtime resuming in another\nthread, e.g the screen is turning on and the display driver is starting\nup. We remove the calls to clk_pm_runtime_{get,put}() in this path\nbecause they're superfluous now that we know the devices are runtime\nresumed. This also squashes a bug where the return value of\nclk_pm_runtime_get() wasn't checked, leading to an RPM count underflow\non error paths.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27003", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27003" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cf54f66e1dd78990ec6b32177bca7e6ea2144a95" + }, + { + "url": "https://git.kernel.org/stable/c/3abc2d160ed8213948b147295d77d44a22c88fa3" + }, + { + "url": "https://git.kernel.org/stable/c/1daf52b5ffb24870fbeda20b4967526d8f9e12ab" + }, + { + "url": "https://git.kernel.org/stable/c/e25447c35f8745337ea8bc0c9697fcac14df8605" + }, + { + "url": "https://git.kernel.org/stable/c/80d24b308b7ee7037fc90d8ac99f6f78df0a256f" + }, + { + "url": "https://git.kernel.org/stable/c/4595d90b5d2ea5fa4d318d13f59055aa4bf3e7f5" + }, + { + "url": "https://git.kernel.org/stable/c/17f46b803d4f23c66cacce81db35fef3adb8f2af" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26958" + }, + { + "url": "https://git.kernel.org/linus/17f46b803d4f23c66cacce81db35fef3adb8f2af(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-108", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26958" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we have been hitting the following warning consistently\n\n------------[ cut here ]------------\nrefcount_t: underflow; use-after-free.\nWARNING: CPU: 17 PID: 1800359 at lib/refcount.c:28 refcount_warn_saturate+0x9c/0xe0\nWorkqueue: nfsiod nfs_direct_write_schedule_work [nfs]\nRIP: 0010:refcount_warn_saturate+0x9c/0xe0\nPKRU: 55555554\nCall Trace:\n \n ? __warn+0x9f/0x130\n ? refcount_warn_saturate+0x9c/0xe0\n ? report_bug+0xcc/0x150\n ? handle_bug+0x3d/0x70\n ? exc_invalid_op+0x16/0x40\n ? asm_exc_invalid_op+0x16/0x20\n ? refcount_warn_saturate+0x9c/0xe0\n nfs_direct_write_schedule_work+0x237/0x250 [nfs]\n process_one_work+0x12f/0x4a0\n worker_thread+0x14e/0x3b0\n ? ZSTD_getCParams_internal+0x220/0x220\n kthread+0xdc/0x120\n ? __btf_name_valid+0xa0/0xa0\n ret_from_fork+0x1f/0x30\n\nThis is because we're completing the nfs_direct_request twice in a row.\n\nThe source of this is when we have our commit requests to submit, we\nprocess them and send them off, and then in the completion path for the\ncommit requests we have\n\nif (nfs_commit_end(cinfo.mds))\n\tnfs_direct_write_complete(dreq);\n\nHowever since we're submitting asynchronous requests we sometimes have\none that completes before we submit the next one, so we end up calling\ncomplete on the nfs_direct_request twice.\n\nThe only other place we use nfs_generic_commit_list() is in\n__nfs_commit_inode, which wraps this call in a\n\nnfs_commit_begin();\nnfs_commit_end();\n\nWhich is a common pattern for this style of completion handling, one\nthat is also repeated in the direct code with get_dreq()/put_dreq()\ncalls around where we process events as well as in the completion paths.\n\nFix this by using the same pattern for the commit requests.\n\nBefore with my 200 node rocksdb stress running this warning would pop\nevery 10ish minutes. With my patch the stress test has been running for\nseveral hours without popping.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26958", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26958" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b775ced05489f4b77a35fe203e9aeb22f428e38f" + }, + { + "url": "https://git.kernel.org/stable/c/65ee90efc928410c6f73b3d2e0afdd762652c09d" + }, + { + "url": "https://git.kernel.org/stable/c/8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4" + }, + { + "url": "https://git.kernel.org/stable/c/f549f340c91f08b938d60266e792ff7748dae483" + }, + { + "url": "https://git.kernel.org/stable/c/cfe3550ea5df292c9e2d608e8c4560032391847e" + }, + { + "url": "https://git.kernel.org/stable/c/38cc1605338d99205a263707f4dde76408d3e0e8" + }, + { + "url": "https://git.kernel.org/stable/c/0f501dae16b7099e69ee9b0d5c70b8f40fd30e98" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26673" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-109", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26673" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations\n\n- Disallow families other than NFPROTO_{IPV4,IPV6,INET}.\n- Disallow layer 4 protocol with no ports, since destination port is a\n mandatory attribute for this object.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26673", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26673" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7a71f61ebf95cedd3f245db6da397822971d8db5" + }, + { + "url": "https://git.kernel.org/stable/c/61c81872815f46006982bb80460c0c80a949b35b" + }, + { + "url": "https://git.kernel.org/stable/c/3419ee39e3d3162ab2ec9942bb537613ed5b6311" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35945" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/61c81872815f46006982bb80460c0c80a949b35b(6.9-rc1)" + } + ], + "bom-ref": "vuln-110", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35945" + } + } + ], + "created": "2024-05-19T11:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: phy_device: Prevent nullptr exceptions on ISR\n\nIf phydev->irq is set unconditionally, check\nfor valid interrupt handler or fall back to polling mode to prevent\nnullptr exceptions in interrupt service routine.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35945", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35945" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/60ff482c4205a5aac3b0595ab794cfd62295dab5" + }, + { + "url": "https://git.kernel.org/stable/c/115554862294397590088ba02f11f2aba6d5016c" + }, + { + "url": "https://git.kernel.org/stable/c/4af115f1a20a3d9093586079206ee37c2ac55123" + }, + { + "url": "https://git.kernel.org/stable/c/e581cf5d216289ef292d1a4036d53ce90e122469" + }, + { + "url": "https://git.kernel.org/stable/c/a424e713e0cc33d4b969cfda25b9f46df4d7b5bc" + }, + { + "url": "https://git.kernel.org/stable/c/a29ec0465dce0b871003698698ac6fa92c9a5034" + }, + { + "url": "https://git.kernel.org/stable/c/253ab38d1ee652a596942156978a233970d185ba" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27004" + }, + { + "url": "https://git.kernel.org/linus/e581cf5d216289ef292d1a4036d53ce90e122469(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-111", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27004" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: Get runtime PM before walking tree during disable_unused\n\nDoug reported [1] the following hung task:\n\n INFO: task swapper/0:1 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:swapper/0 state:D stack: 0 pid: 1 ppid: 0 flags:0x00000008\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n rpm_resume+0xe0/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n clk_pm_runtime_get+0x30/0xb0\n clk_disable_unused_subtree+0x58/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused_subtree+0x38/0x208\n clk_disable_unused+0x4c/0xe4\n do_one_initcall+0xcc/0x2d8\n do_initcall_level+0xa4/0x148\n do_initcalls+0x5c/0x9c\n do_basic_setup+0x24/0x30\n kernel_init_freeable+0xec/0x164\n kernel_init+0x28/0x120\n ret_from_fork+0x10/0x20\n INFO: task kworker/u16:0:9 blocked for more than 122 seconds.\n Not tainted 5.15.149-21875-gf795ebc40eb8 #1\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/u16:0 state:D stack: 0 pid: 9 ppid: 2 flags:0x00000008\n Workqueue: events_unbound deferred_probe_work_func\n Call trace:\n __switch_to+0xf4/0x1f4\n __schedule+0x418/0xb80\n schedule+0x5c/0x10c\n schedule_preempt_disabled+0x2c/0x48\n __mutex_lock+0x238/0x488\n __mutex_lock_slowpath+0x1c/0x28\n mutex_lock+0x50/0x74\n clk_prepare_lock+0x7c/0x9c\n clk_core_prepare_lock+0x20/0x44\n clk_prepare+0x24/0x30\n clk_bulk_prepare+0x40/0xb0\n mdss_runtime_resume+0x54/0x1c8\n pm_generic_runtime_resume+0x30/0x44\n __genpd_runtime_resume+0x68/0x7c\n genpd_runtime_resume+0x108/0x1f4\n __rpm_callback+0x84/0x144\n rpm_callback+0x30/0x88\n rpm_resume+0x1f4/0x52c\n rpm_resume+0x178/0x52c\n __pm_runtime_resume+0x58/0x98\n __device_attach+0xe0/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n device_add+0x644/0x814\n mipi_dsi_device_register_full+0xe4/0x170\n devm_mipi_dsi_device_register_full+0x28/0x70\n ti_sn_bridge_probe+0x1dc/0x2c0\n auxiliary_bus_probe+0x4c/0x94\n really_probe+0xcc/0x2c8\n __driver_probe_device+0xa8/0x130\n driver_probe_device+0x48/0x110\n __device_attach_driver+0xa4/0xcc\n bus_for_each_drv+0x8c/0xd8\n __device_attach+0xf8/0x170\n device_initial_probe+0x1c/0x28\n bus_probe_device+0x3c/0x9c\n deferred_probe_work_func+0x9c/0xd8\n process_one_work+0x148/0x518\n worker_thread+0x138/0x350\n kthread+0x138/0x1e0\n ret_from_fork+0x10/0x20\n\nThe first thread is walking the clk tree and calling\nclk_pm_runtime_get() to power on devices required to read the clk\nhardware via struct clk_ops::is_enabled(). This thread holds the clk\nprepare_lock, and is trying to runtime PM resume a device, when it finds\nthat the device is in the process of resuming so the thread schedule()s\naway waiting for the device to finish resuming before continuing. The\nsecond thread is runtime PM resuming the same device, but the runtime\nresume callback is calling clk_prepare(), trying to grab the\nprepare_lock waiting on the first thread.\n\nThis is a classic ABBA deadlock. To properly fix the deadlock, we must\nnever runtime PM resume or suspend a device with the clk prepare_lock\nheld. Actually doing that is near impossible today because the global\nprepare_lock would have to be dropped in the middle of the tree, the\ndevice runtime PM resumed/suspended, and then the prepare_lock grabbed\nagain to ensure consistency of the clk tree topology. If anything\nchanges with the clk tree in the meantime, we've lost and will need to\nstart the operation all over again.\n\nLuckily, most of the time we're simply incrementing or decrementing the\nruntime PM count on an active device, so we don't have the chance to\nschedule away with the prepare_lock held. Let's fix this immediate\nproblem that can be\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5a33420599fa0288792537e6872fd19cc8607ea6" + }, + { + "url": "https://git.kernel.org/stable/c/6335c0cdb2ea0ea02c999e04d34fd84f69fb27ff" + }, + { + "url": "https://git.kernel.org/stable/c/dc904345e3771aa01d0b8358b550802fdc6fe00b" + }, + { + "url": "https://git.kernel.org/stable/c/f6564fce256a3944aa1bc76cb3c40e792d97c1eb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26639" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f6564fce256a3944aa1bc76cb3c40e792d97c1eb(6.8-rc3)" + } + ], + "bom-ref": "vuln-112", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26639" + } + } + ], + "created": "2024-03-18T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm, kmsan: fix infinite recursion due to RCU critical section\n\nAlexander Potapenko writes in [1]: \"For every memory access in the code\ninstrumented by KMSAN we call kmsan_get_metadata() to obtain the metadata\nfor the memory being accessed. For virtual memory the metadata pointers\nare stored in the corresponding `struct page`, therefore we need to call\nvirt_to_page() to get them.\n\nAccording to the comment in arch/x86/include/asm/page.h,\nvirt_to_page(kaddr) returns a valid pointer iff virt_addr_valid(kaddr) is\ntrue, so KMSAN needs to call virt_addr_valid() as well.\n\nTo avoid recursion, kmsan_get_metadata() must not call instrumented code,\ntherefore ./arch/x86/include/asm/kmsan.h forks parts of\narch/x86/mm/physaddr.c to check whether a virtual address is valid or not.\n\nBut the introduction of rcu_read_lock() to pfn_valid() added instrumented\nRCU API calls to virt_to_page_or_null(), which is called by\nkmsan_get_metadata(), so there is an infinite recursion now. I do not\nthink it is correct to stop that recursion by doing\nkmsan_enter_runtime()/kmsan_exit_runtime() in kmsan_get_metadata(): that\nwould prevent instrumented functions called from within the runtime from\ntracking the shadow values, which might introduce false positives.\"\n\nFix the issue by switching pfn_valid() to the _sched() variant of\nrcu_read_lock/unlock(), which does not require calling into RCU. Given\nthe critical section in pfn_valid() is very small, this is a reasonable\ntrade-off (with preemptible RCU).\n\nKMSAN further needs to be careful to suppress calls into the scheduler,\nwhich would be another source of recursion. This can be done by wrapping\nthe call to pfn_valid() into preempt_disable/enable_no_resched(). The\ndownside is that this sacrifices breaking scheduling guarantees; however,\na kernel compiled with KMSAN has already given up any performance\nguarantees due to being heavily instrumented.\n\nNote, KMSAN code already disables tracing via Makefile, and since mmzone.h\nis included, it is not necessary to use the notrace variant, which is\ngenerally preferred in all other cases.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26639", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26639" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4fc82cd907ac075648789cc3a00877778aa1838b" + }, + { + "url": "https://git.kernel.org/stable/c/f873b85ec762c5a6abe94a7ddb31df5d3ba07d85" + }, + { + "url": "https://git.kernel.org/stable/c/c04f2780919f20e2cc4846764221f5e802555868" + }, + { + "url": "https://git.kernel.org/stable/c/34a7b30f56d30114bf4d436e4dc793afe326fbcf" + }, + { + "url": "https://git.kernel.org/stable/c/d70f1c85113cd8c2aa8373f491ca5d1b22ec0554" + }, + { + "url": "https://git.kernel.org/stable/c/025bc6b41e020aeb1e71f84ae3ffce945026de05" + }, + { + "url": "https://git.kernel.org/stable/c/2b74b2a92e524d7c8dec8e02e95ecf18b667c062" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26891" + }, + { + "url": "https://git.kernel.org/linus/4fc82cd907ac075648789cc3a00877778aa1838b(6.9-rc1)" + } + ], + "bom-ref": "vuln-113", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26891" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Don't issue ATS Invalidation request when device is disconnected\n\nFor those endpoint devices connect to system via hotplug capable ports,\nusers could request a hot reset to the device by flapping device's link\nthrough setting the slot's link control register, as pciehp_ist() DLLSC\ninterrupt sequence response, pciehp will unload the device driver and\nthen power it off. thus cause an IOMMU device-TLB invalidation (Intel\nVT-d spec, or ATS Invalidation in PCIe spec r6.1) request for non-existence\ntarget device to be sent and deadly loop to retry that request after ITE\nfault triggered in interrupt context.\n\nThat would cause following continuous hard lockup warning and system hang\n\n[ 4211.433662] pcieport 0000:17:01.0: pciehp: Slot(108): Link Down\n[ 4211.433664] pcieport 0000:17:01.0: pciehp: Slot(108): Card not present\n[ 4223.822591] NMI watchdog: Watchdog detected hard LOCKUP on cpu 144\n[ 4223.822622] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S\n OE kernel version xxxx\n[ 4223.822623] Hardware name: vendorname xxxx 666-106,\nBIOS 01.01.02.03.01 05/15/2023\n[ 4223.822623] RIP: 0010:qi_submit_sync+0x2c0/0x490\n[ 4223.822624] Code: 48 be 00 00 00 00 00 08 00 00 49 85 74 24 20 0f 95 c1 48 8b\n 57 10 83 c1 04 83 3c 1a 03 0f 84 a2 01 00 00 49 8b 04 24 8b 70 34 <40> f6 c6 1\n0 74 17 49 8b 04 24 8b 80 80 00 00 00 89 c2 d3 fa 41 39\n[ 4223.822624] RSP: 0018:ffffc4f074f0bbb8 EFLAGS: 00000093\n[ 4223.822625] RAX: ffffc4f040059000 RBX: 0000000000000014 RCX: 0000000000000005\n[ 4223.822625] RDX: ffff9f3841315800 RSI: 0000000000000000 RDI: ffff9f38401a8340\n[ 4223.822625] RBP: ffff9f38401a8340 R08: ffffc4f074f0bc00 R09: 0000000000000000\n[ 4223.822626] R10: 0000000000000010 R11: 0000000000000018 R12: ffff9f384005e200\n[ 4223.822626] R13: 0000000000000004 R14: 0000000000000046 R15: 0000000000000004\n[ 4223.822626] FS: 0000000000000000(0000) GS:ffffa237ae400000(0000)\nknlGS:0000000000000000\n[ 4223.822627] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4223.822627] CR2: 00007ffe86515d80 CR3: 000002fd3000a001 CR4: 0000000000770ee0\n[ 4223.822627] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4223.822628] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 4223.822628] PKRU: 55555554\n[ 4223.822628] Call Trace:\n[ 4223.822628] qi_flush_dev_iotlb+0xb1/0xd0\n[ 4223.822628] __dmar_remove_one_dev_info+0x224/0x250\n[ 4223.822629] dmar_remove_one_dev_info+0x3e/0x50\n[ 4223.822629] intel_iommu_release_device+0x1f/0x30\n[ 4223.822629] iommu_release_device+0x33/0x60\n[ 4223.822629] iommu_bus_notifier+0x7f/0x90\n[ 4223.822630] blocking_notifier_call_chain+0x60/0x90\n[ 4223.822630] device_del+0x2e5/0x420\n[ 4223.822630] pci_remove_bus_device+0x70/0x110\n[ 4223.822630] pciehp_unconfigure_device+0x7c/0x130\n[ 4223.822631] pciehp_disable_slot+0x6b/0x100\n[ 4223.822631] pciehp_handle_presence_or_link_change+0xd8/0x320\n[ 4223.822631] pciehp_ist+0x176/0x180\n[ 4223.822631] ? irq_finalize_oneshot.part.50+0x110/0x110\n[ 4223.822632] irq_thread_fn+0x19/0x50\n[ 4223.822632] irq_thread+0x104/0x190\n[ 4223.822632] ? irq_forced_thread_fn+0x90/0x90\n[ 4223.822632] ? irq_thread_check_affinity+0xe0/0xe0\n[ 4223.822633] kthread+0x114/0x130\n[ 4223.822633] ? __kthread_cancel_work+0x40/0x40\n[ 4223.822633] ret_from_fork+0x1f/0x30\n[ 4223.822633] Kernel panic - not syncing: Hard LOCKUP\n[ 4223.822634] CPU: 144 PID: 1422 Comm: irq/57-pciehp Kdump: loaded Tainted: G S\n OE kernel version xxxx\n[ 4223.822634] Hardware name: vendorname xxxx 666-106,\nBIOS 01.01.02.03.01 05/15/2023\n[ 4223.822634] Call Trace:\n[ 4223.822634] \n[ 4223.822635] dump_stack+0x6d/0x88\n[ 4223.822635] panic+0x101/0x2d0\n[ 4223.822635] ? ret_from_fork+0x11/0x30\n[ 4223.822635] nmi_panic.cold.14+0xc/0xc\n[ 4223.822636] watchdog_overflow_callback.cold.8+0x6d/0x81\n[ 4223.822636] __perf_event_overflow+0x4f/0xf0\n[ 4223.822636] handle_pmi_common\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26891", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26891" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84" + }, + { + "url": "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8" + }, + { + "url": "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4" + }, + { + "url": "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef" + }, + { + "url": "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9" + }, + { + "url": "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35871" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/d14fa1fcf69db9d070e75f1c4425211fa619dfc8(6.9-rc3)" + } + ], + "bom-ref": "vuln-114", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35871" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35871", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35871" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04a4a017b9ffd7b0f427b8c376688d14cb614651" + }, + { + "url": "https://git.kernel.org/stable/c/1e71b6449d55179170efc8dee8664510bb813b42" + }, + { + "url": "https://git.kernel.org/stable/c/ec73e079729258a05452356cf6d098bf1504d5a6" + }, + { + "url": "https://git.kernel.org/stable/c/03505e3344b0576fd619416793a31eae9c5b73bf" + }, + { + "url": "https://git.kernel.org/stable/c/3fe0ac10bd117df847c93408a9d428a453cd60e5" + }, + { + "url": "https://git.kernel.org/stable/c/810cd4bb53456d0503cc4e7934e063835152c1b7" + }, + { + "url": "https://git.kernel.org/stable/c/3dd9be6cb55e0f47544e7cdda486413f7134e3b3" + }, + { + "url": "https://git.kernel.org/stable/c/6fe478d855b20ac1eb5da724afe16af5a2aaaa40" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26810" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-115", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26810" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Lock external INTx masking ops\n\nMask operations through config space changes to DisINTx may race INTx\nconfiguration changes via ioctl. Create wrappers that add locking for\npaths outside of the core interrupt code.\n\nIn particular, irq_type is updated holding igate, therefore testing\nis_intx() requires holding igate. For example clearing DisINTx from\nconfig space can otherwise race changes of the interrupt configuration.\n\nThis aligns interfaces which may trigger the INTx eventfd into two\ncamps, one side serialized by igate and the other only enabled while\nINTx is configured. A subsequent patch introduces synchronization for\nthe latter flows.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26810", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26810" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/440f059837418fac1695b65d3ebc6080d33be877" + }, + { + "url": "https://git.kernel.org/stable/c/ad76fd30557d6a106c481e4606a981221ca525f7" + }, + { + "url": "https://git.kernel.org/stable/c/ff28893c96c5e0927a4da10cd24a3522ca663515" + }, + { + "url": "https://git.kernel.org/stable/c/d346b3e5b25c95d504478507eb867cd3818775ab" + }, + { + "url": "https://git.kernel.org/stable/c/cf114d8d4a8d78df272116a745bb43b48cef65f4" + }, + { + "url": "https://git.kernel.org/stable/c/4b09715f1504f1b6e8dff0e9643630610bc05141" + }, + { + "url": "https://git.kernel.org/stable/c/eb9327af3621d26b1d83f767c97a3fe8191a3a65" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27045" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4b09715f1504f1b6e8dff0e9643630610bc05141(6.9-rc1)" + } + ], + "bom-ref": "vuln-116", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27045" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'\n\nTell snprintf() to store at most 10 bytes in the output buffer\ninstead of 30.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c:1508 dp_dsc_clock_en_read() error: snprintf() is printing too much 30 vs 10", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27045", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27045" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7590ba9057c6d74c66f3b909a383ec47cd2f27fb" + }, + { + "url": "https://git.kernel.org/stable/c/4508ec17357094e2075f334948393ddedbb75157" + }, + { + "url": "https://git.kernel.org/stable/c/c2aa2718cda2d56b4a551cb40043e9abc9684626" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26822" + }, + { + "url": "https://git.kernel.org/linus/4508ec17357094e2075f334948393ddedbb75157(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-117", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26822" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: set correct id, uid and cruid for multiuser automounts\n\nWhen uid, gid and cruid are not specified, we need to dynamically\nset them into the filesystem context used for automounting otherwise\nthey'll end up reusing the values from the parent mount.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26822", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26822" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9256ab9232e35a16af9c30fa4e522e6d1bd3605a" + }, + { + "url": "https://git.kernel.org/stable/c/2d17cf10179a7de6d8f0128168b84ad0b4a1863f" + }, + { + "url": "https://git.kernel.org/stable/c/13b57b5cd591d5b22f9bbf047b2922967de411f3" + }, + { + "url": "https://git.kernel.org/stable/c/8762785f459be1cfe6fcf7285c123aad6a3703f0" + }, + { + "url": "https://git.kernel.org/stable/c/a6cafdb49a7bbf4a88367db209703eee6941e023" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26834" + }, + { + "url": "https://git.kernel.org/linus/8762785f459be1cfe6fcf7285c123aad6a3703f0(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-118", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26834" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: release dst in case direct xmit path is used\n\nDirect xmit does not use it since it calls dev_queue_xmit() to send\npackets, hence it calls dst_release().\n\nkmemleak reports:\n\nunreferenced object 0xffff88814f440900 (size 184):\n comm \"softirq\", pid 0, jiffies 4294951896\n hex dump (first 32 bytes):\n 00 60 5b 04 81 88 ff ff 00 e6 e8 82 ff ff ff ff .`[.............\n 21 0b 50 82 ff ff ff ff 00 00 00 00 00 00 00 00 !.P.............\n backtrace (crc cb2bf5d6):\n [<000000003ee17107>] kmem_cache_alloc+0x286/0x340\n [<0000000021a5de2c>] dst_alloc+0x43/0xb0\n [<00000000f0671159>] rt_dst_alloc+0x2e/0x190\n [<00000000fe5092c9>] __mkroute_output+0x244/0x980\n [<000000005fb96fb0>] ip_route_output_flow+0xc0/0x160\n [<0000000045367433>] nf_ip_route+0xf/0x30\n [<0000000085da1d8e>] nf_route+0x2d/0x60\n [<00000000d1ecd1cb>] nft_flow_route+0x171/0x6a0 [nft_flow_offload]\n [<00000000d9b2fb60>] nft_flow_offload_eval+0x4e8/0x700 [nft_flow_offload]\n [<000000009f447dbb>] expr_call_ops_eval+0x53/0x330 [nf_tables]\n [<00000000072e1be6>] nft_do_chain+0x17c/0x840 [nf_tables]\n [<00000000d0551029>] nft_do_chain_inet+0xa1/0x210 [nf_tables]\n [<0000000097c9d5c6>] nf_hook_slow+0x5b/0x160\n [<0000000005eccab1>] ip_forward+0x8b6/0x9b0\n [<00000000553a269b>] ip_rcv+0x221/0x230\n [<00000000412872e5>] __netif_receive_skb_one_core+0xfe/0x110", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26834", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26834" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d250a81ba813a93563be68072c563aa1e346346d" + }, + { + "url": "https://git.kernel.org/stable/c/1c981792e4ccbc134b468797acdd7781959e6893" + }, + { + "url": "https://git.kernel.org/stable/c/be147926140ac48022c9605d7ab0a67387e4b404" + }, + { + "url": "https://git.kernel.org/stable/c/73d9629e1c8c1982f13688c4d1019c3994647ccc" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26830" + }, + { + "url": "https://git.kernel.org/linus/73d9629e1c8c1982f13688c4d1019c3994647ccc(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-119", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26830" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not allow untrusted VF to remove administratively set MAC\n\nCurrently when PF administratively sets VF's MAC address and the VF\nis put down (VF tries to delete all MACs) then the MAC is removed\nfrom MAC filters and primary VF MAC is zeroed.\n\nDo not allow untrusted VF to remove primary MAC when it was set\nadministratively by PF.\n\nReproducer:\n1) Create VF\n2) Set VF interface up\n3) Administratively set the VF's MAC\n4) Put VF interface down\n\n[root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs\n[root@host ~]# ip link set enp2s0f0v0 up\n[root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off\n[root@host ~]# ip link set enp2s0f0v0 down\n[root@host ~]# ip link show enp2s0f0\n23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\n link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff\n vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26830", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26830" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/96436365e5d80d0106ea785a4f80a58e7c9edff8" + }, + { + "url": "https://git.kernel.org/stable/c/b7f5aed55829f376e4f7e5ea5b80ccdcb023e983" + }, + { + "url": "https://git.kernel.org/stable/c/44214d744be32a4769faebba764510888f1eb19e" + }, + { + "url": "https://git.kernel.org/stable/c/e803040b368d046434fbc8a91945c690332c4fcf" + }, + { + "url": "https://git.kernel.org/stable/c/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d" + }, + { + "url": "https://git.kernel.org/stable/c/ba6a9970ce9e284cbc04099361c58731e308596a" + }, + { + "url": "https://git.kernel.org/stable/c/4af837db0fd3679fabc7b7758397090b0c06dced" + }, + { + "url": "https://git.kernel.org/stable/c/98e60b538e66c90b9a856828c71d4e975ebfa797" + }, + { + "url": "https://git.kernel.org/linus/31edf4bbe0ba27fd03ac7d87eb2ee3d2a231af6d(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27025" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-120", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27025" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: null check for nla_nest_start\n\nnla_nest_start() may fail and return NULL. Insert a check and set errno\nbased on other call sites within the same source code.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27025", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27025" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ed35a509390ef4011ea2226da5dd6f62b73873b5" + }, + { + "url": "https://git.kernel.org/stable/c/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27056" + }, + { + "url": "https://git.kernel.org/linus/78f65fbf421a61894c14a1b91fe2fb4437b3fe5f(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-121", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27056" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: ensure offloading TID queue exists\n\nThe resume code path assumes that the TX queue for the offloading TID\nhas been configured. At resume time it then tries to sync the write\npointer as it may have been updated by the firmware.\n\nIn the unusual event that no packets have been send on TID 0, the queue\nwill not have been allocated and this causes a crash. Fix this by\nensuring the queue exist at suspend time.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27056", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27056" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/718f446e60316bf606946f7f42367d691d21541e" + }, + { + "url": "https://git.kernel.org/stable/c/d15cc0f66884ef2bed28c7ccbb11c102aa3a0760" + }, + { + "url": "https://git.kernel.org/stable/c/f48bf9a83b1666d934247cb58a9887d7b3127b6f" + }, + { + "url": "https://git.kernel.org/stable/c/b383d4ea272fe5795877506dcce5aad1f6330e5e" + }, + { + "url": "https://git.kernel.org/stable/c/1b8adcc0e2c584fec778add7777fe28e20781e60" + }, + { + "url": "https://git.kernel.org/stable/c/577e4432f3ac810049cb7e6b71f4d96ec7c6e894" + }, + { + "url": "https://git.kernel.org/linus/577e4432f3ac810049cb7e6b71f4d96ec7c6e894(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26640" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-122", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26640" + } + } + ], + "created": "2024-03-18T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: add sanity checks to rx zerocopy\n\nTCP rx zerocopy intent is to map pages initially allocated\nfrom NIC drivers, not pages owned by a fs.\n\nThis patch adds to can_map_frag() these additional checks:\n\n- Page must not be a compound one.\n- page->mapping must be NULL.\n\nThis fixes the panic reported by ZhangPeng.\n\nsyzbot was able to loopback packets built with sendfile(),\nmapping pages owned by an ext4 file to TCP rx zerocopy.\n\nr3 = socket$inet_tcp(0x2, 0x1, 0x0)\nmmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)\nr4 = socket$inet_tcp(0x2, 0x1, 0x0)\nbind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)\nconnect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)\nr5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n 0x181e42, 0x0)\nfallocate(r5, 0x0, 0x0, 0x85b8)\nsendfile(r4, r5, 0x0, 0x8ba0)\ngetsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,\n &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0, 0x0,\n 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x40)\nr6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\\x00',\n 0x181e42, 0x0)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26640", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26640" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c7f2240d9835a7823d87f7460d8eae9f4e504c7" + }, + { + "url": "https://git.kernel.org/stable/c/19ff8fed3338898b70b2aad831386c78564912e1" + }, + { + "url": "https://git.kernel.org/stable/c/c31baa07f01307b7ae05f3ce32b89d8e2ba0cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/fdfbf54d128ab6ab255db138488f9650485795a2" + }, + { + "url": "https://git.kernel.org/stable/c/b26aa765f7437e1bbe8db4c1641b12bd5dd378f0" + }, + { + "url": "https://git.kernel.org/stable/c/bf02d9fe00632d22fa91d34749c7aacf397b6cde" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35958" + }, + { + "url": "https://git.kernel.org/linus/bf02d9fe00632d22fa91d34749c7aacf397b6cde(6.9-rc4)" + } + ], + "bom-ref": "vuln-123", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35958" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: Fix incorrect descriptor free behavior\n\nENA has two types of TX queues:\n- queues which only process TX packets arriving from the network stack\n- queues which only process TX packets forwarded to it by XDP_REDIRECT\n or XDP_TX instructions\n\nThe ena_free_tx_bufs() cycles through all descriptors in a TX queue\nand unmaps + frees every descriptor that hasn't been acknowledged yet\nby the device (uncompleted TX transactions).\nThe function assumes that the processed TX queue is necessarily from\nthe first category listed above and ends up using napi_consume_skb()\nfor descriptors belonging to an XDP specific queue.\n\nThis patch solves a bug in which, in case of a VF reset, the\ndescriptors aren't freed correctly, leading to crashes.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35958", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35958" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3268" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-34397" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6768-1" + }, + { + "url": "https://discourse.gnome.org/t/security-fixes-for-signal-handling-in-gdbus-in-glib/20882/1" + } + ], + "bom-ref": "vuln-124", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34397" + } + } + ], + "created": "2024-05-07T18:15:08Z", + "description": "An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.", + "affects": [ + { + "ref": "comp-341" + } + ], + "id": "CVE-2024-34397", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34397" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T20:07:58Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-341", + "value": "0:2.74.6-2+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/037e48ceccf163899374b601afb6ae8d0bf1d2ac" + }, + { + "url": "https://git.kernel.org/stable/c/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee" + }, + { + "url": "https://git.kernel.org/stable/c/0fb74c00d140a66128afc0003785dcc57e69d312" + }, + { + "url": "https://git.kernel.org/stable/c/7a7650b3ac23e5fc8c990f00e94f787dc84e3175" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26992" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9e985cbf2942a1bb8fcef9adc2a17d90fd7ca8ee(6.9-rc5)" + } + ], + "bom-ref": "vuln-125", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26992" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/pmu: Disable support for adaptive PEBS\n\nDrop support for virtualizing adaptive PEBS, as KVM's implementation is\narchitecturally broken without an obvious/easy path forward, and because\nexposing adaptive PEBS can leak host LBRs to the guest, i.e. can leak\nhost kernel addresses to the guest.\n\nBug #1 is that KVM doesn't account for the upper 32 bits of\nIA32_FIXED_CTR_CTRL when (re)programming fixed counters, e.g\nfixed_ctrl_field() drops the upper bits, reprogram_fixed_counters()\nstores local variables as u8s and truncates the upper bits too, etc.\n\nBug #2 is that, because KVM _always_ sets precise_ip to a non-zero value\nfor PEBS events, perf will _always_ generate an adaptive record, even if\nthe guest requested a basic record. Note, KVM will also enable adaptive\nPEBS in individual *counter*, even if adaptive PEBS isn't exposed to the\nguest, but this is benign as MSR_PEBS_DATA_CFG is guaranteed to be zero,\ni.e. the guest will only ever see Basic records.\n\nBug #3 is in perf. intel_pmu_disable_fixed() doesn't clear the upper\nbits either, i.e. leaves ICL_FIXED_0_ADAPTIVE set, and\nintel_pmu_enable_fixed() effectively doesn't clear ICL_FIXED_0_ADAPTIVE\neither. I.e. perf _always_ enables ADAPTIVE counters, regardless of what\nKVM requests.\n\nBug #4 is that adaptive PEBS *might* effectively bypass event filters set\nby the host, as \"Updated Memory Access Info Group\" records information\nthat might be disallowed by userspace via KVM_SET_PMU_EVENT_FILTER.\n\nBug #5 is that KVM doesn't ensure LBR MSRs hold guest values (or at least\nzeros) when entering a vCPU with adaptive PEBS, which allows the guest\nto read host LBRs, i.e. host RIPs/addresses, by enabling \"LBR Entries\"\nrecords.\n\nDisable adaptive PEBS support as an immediate fix due to the severity of\nthe LBR leak in particular, and because fixing all of the bugs will be\nnon-trivial, e.g. not suitable for backporting to stable kernels.\n\nNote! This will break live migration, but trying to make KVM play nice\nwith live migration would be quite complicated, wouldn't be guaranteed to\nwork (i.e. KVM might still kill/confuse the guest), and it's not clear\nthat there are any publicly available VMMs that support adaptive PEBS,\nlet alone live migrate VMs that support adaptive PEBS, e.g. QEMU doesn't\nsupport PEBS in any capacity.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26992", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26992" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a276c595c3a629170b0f052a3724f755d7c6adc6" + }, + { + "url": "https://git.kernel.org/stable/c/f52d7663a10a1266a2d3871a6dd8fd111edc549f" + }, + { + "url": "https://git.kernel.org/stable/c/b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee" + }, + { + "url": "https://git.kernel.org/stable/c/fde2497d2bc3a063d8af88b258dbadc86bd7b57c" + }, + { + "url": "https://git.kernel.org/stable/c/74f852654b8b7866f15323685f1e178d3386c688" + }, + { + "url": "https://git.kernel.org/stable/c/9840d1897e28f8733cc1e38f97e044f987dc0a63" + }, + { + "url": "https://git.kernel.org/stable/c/03a7e3f2ba3ca25f1da1d3898709a08db14c1abb" + }, + { + "url": "https://git.kernel.org/stable/c/c8cc05de8e6b5612b6e9f92c385c1a064b0db375" + }, + { + "url": "https://git.kernel.org/stable/c/cdd33d54e789d229d6d5007cbf3f53965ca1a5c6" + }, + { + "url": "https://git.kernel.org/linus/fde2497d2bc3a063d8af88b258dbadc86bd7b57c(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26973" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-126", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26973" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfat: fix uninitialized field in nostale filehandles\n\nWhen fat_encode_fh_nostale() encodes file handle without a parent it\nstores only first 10 bytes of the file handle. However the length of the\nfile handle must be a multiple of 4 so the file handle is actually 12\nbytes long and the last two bytes remain uninitialized. This is not\ngreat at we potentially leak uninitialized information with the handle\nto userspace. Properly initialize the full handle length.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26973", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26973" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c26591afd33adce296c022e3480dea4282b7ef91" + }, + { + "url": "https://git.kernel.org/stable/c/5dbdbe1133911ca7d8466bb86885adec32ad9438" + }, + { + "url": "https://git.kernel.org/stable/c/5b012f77abde89bf0be8a0547636184fea618137" + }, + { + "url": "https://git.kernel.org/stable/c/03170e657f62c26834172742492a8cb8077ef792" + }, + { + "url": "https://git.kernel.org/stable/c/dd681710ab77c8beafe2e263064cb1bd0e2d6ca9" + }, + { + "url": "https://git.kernel.org/stable/c/aa44d21574751a7d6bca892eb8e0e9ac68372e52" + }, + { + "url": "https://git.kernel.org/stable/c/b72d2b1448b682844f995e660b77f2a1fabc1662" + }, + { + "url": "https://git.kernel.org/stable/c/f5417ff561b8ac9a7e53c747b8627a7ab58378ae" + }, + { + "url": "https://git.kernel.org/linus/c26591afd33adce296c022e3480dea4282b7ef91(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35847" + } + ], + "bom-ref": "vuln-127", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35847" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Prevent double free on error\n\nThe error handling path in its_vpe_irq_domain_alloc() causes a double free\nwhen its_vpe_init() fails after successfully allocating at least one\ninterrupt. This happens because its_vpe_irq_domain_free() frees the\ninterrupts along with the area bitmap and the vprop_page and\nits_vpe_irq_domain_alloc() subsequently frees the area bitmap and the\nvprop_page again.\n\nFix this by unconditionally invoking its_vpe_irq_domain_free() which\nhandles all cases correctly and by removing the bitmap/vprop_page freeing\nfrom its_vpe_irq_domain_alloc().\n\n[ tglx: Massaged change log ]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35847", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35847" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d153e8b154f9746ac969c85a4e6474760453647c" + }, + { + "url": "https://git.kernel.org/stable/c/3cac6eebea9b4bc5f041e157e45c76e212ad6759" + }, + { + "url": "https://git.kernel.org/stable/c/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27057" + }, + { + "url": "https://git.kernel.org/linus/c40aad7c81e5fba34b70123ed7ce3397fa62a4d2(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-128", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27057" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend\n\nWhen the system is suspended while audio is active, the\nsof_ipc4_pcm_hw_free() is invoked to reset the pipelines since during\nsuspend the DSP is turned off, streams will be re-started after resume.\n\nIf the firmware crashes during while audio is running (or when we reset\nthe stream before suspend) then the sof_ipc4_set_multi_pipeline_state()\nwill fail with IPC error and the state change is interrupted.\nThis will cause misalignment between the kernel and firmware state on next\nDSP boot resulting errors returned by firmware for IPC messages, eventually\nfailing the audio resume.\nOn stream close the errors are ignored so the kernel state will be\ncorrected on the next DSP boot, so the second boot after the DSP panic.\n\nIf sof_ipc4_trigger_pipelines() is called from sof_ipc4_pcm_hw_free() then\nstate parameter is SOF_IPC4_PIPE_RESET and only in this case.\n\nTreat a forced pipeline reset similarly to how we treat a pcm_free by\nignoring error on state sending to allow the kernel's state to be\nconsistent with the state the firmware will have after the next boot.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27057", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27057" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef846cdbd100f7f9dc045e8bcd7fe4b3a3713c03" + }, + { + "url": "https://git.kernel.org/stable/c/6b2c73111a252263807b7598682663dc33aa4b4c" + }, + { + "url": "https://git.kernel.org/stable/c/a0f77b5d6067285b8eca0ee3bd1e448a6258026f" + }, + { + "url": "https://git.kernel.org/stable/c/7664ee8bd80309b90d53488b619764f0a057f2b7" + }, + { + "url": "https://git.kernel.org/stable/c/e2dbfea520e60d58e0c498ba41bde10452257779" + }, + { + "url": "https://git.kernel.org/stable/c/92b051b87658df7649ffcdef522593f21a2b296b" + }, + { + "url": "https://git.kernel.org/stable/c/a766761d206e7c36d7526e0ae749949d17ca582c" + }, + { + "url": "https://git.kernel.org/stable/c/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70" + }, + { + "url": "https://git.kernel.org/linus/f90ce1e04cbcc76639d6cba0fdbd820cd80b3c70(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35825" + } + ], + "bom-ref": "vuln-129", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35825" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Fix handling of zero block length packets\n\nWhile connecting to a Linux host with CDC_NCM_NTB_DEF_SIZE_TX\nset to 65536, it has been observed that we receive short packets,\nwhich come at interval of 5-10 seconds sometimes and have block\nlength zero but still contain 1-2 valid datagrams present.\n\nAccording to the NCM spec:\n\n\"If wBlockLength = 0x0000, the block is terminated by a\nshort packet. In this case, the USB transfer must still\nbe shorter than dwNtbInMaxSize or dwNtbOutMaxSize. If\nexactly dwNtbInMaxSize or dwNtbOutMaxSize bytes are sent,\nand the size is a multiple of wMaxPacketSize for the\ngiven pipe, then no ZLP shall be sent.\n\nwBlockLength= 0x0000 must be used with extreme care, because\nof the possibility that the host and device may get out of\nsync, and because of test issues.\n\nwBlockLength = 0x0000 allows the sender to reduce latency by\nstarting to send a very large NTB, and then shortening it when\nthe sender discovers that there’s not sufficient data to justify\nsending a large NTB\"\n\nHowever, there is a potential issue with the current implementation,\nas it checks for the occurrence of multiple NTBs in a single\ngiveback by verifying if the leftover bytes to be processed is zero\nor not. If the block length reads zero, we would process the same\nNTB infintely because the leftover bytes is never zero and it leads\nto a crash. Fix this by bailing out if block length reads zero.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35825", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35825" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b65fb50e04a95eec34a9d1bc138454a98a5578d8" + }, + { + "url": "https://git.kernel.org/stable/c/c448a9fd50f77e8fb9156ff64848aa4295eb3003" + }, + { + "url": "https://git.kernel.org/stable/c/29e94f295bad5be59cf4271a93e22cdcf5536722" + }, + { + "url": "https://git.kernel.org/stable/c/5095b93021b899f54c9355bebf36d78854c33a22" + }, + { + "url": "https://git.kernel.org/stable/c/21bfca822cfc1e71796124e93b46e0d9fa584401" + }, + { + "url": "https://git.kernel.org/stable/c/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e" + }, + { + "url": "https://git.kernel.org/stable/c/0561b65fbd53d3e788c5b0222d9112ca016fd6a1" + }, + { + "url": "https://git.kernel.org/stable/c/418c5575d56410c6e186ab727bf32ae32447d497" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35997" + }, + { + "url": "https://git.kernel.org/linus/9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-130", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35997" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up\n\nThe flag I2C_HID_READ_PENDING is used to serialize I2C operations.\nHowever, this is not necessary, because I2C core already has its own\nlocking for that.\n\nMore importantly, this flag can cause a lock-up: if the flag is set in\ni2c_hid_xfer() and an interrupt happens, the interrupt handler\n(i2c_hid_irq) will check this flag and return immediately without doing\nanything, then the interrupt handler will be invoked again in an\ninfinite loop.\n\nSince interrupt handler is an RT task, it takes over the CPU and the\nflag-clearing task never gets scheduled, thus we have a lock-up.\n\nDelete this unnecessary flag.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35997", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35997" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176858" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-150.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1745.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6200-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-1289" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2014.html" + } + ], + "bom-ref": "vuln-131", + "ratings": [ + { + "severity": "none", + "score": 0.00089, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1289" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1289" + } + } + ], + "created": "2023-03-23T20:15:14Z", + "description": "A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in \"/tmp,\" resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2023-1289", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1289" + }, + "cwes": [ + 20 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-22T11:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T04:12:02Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6901" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + }, + { + "url": "https://lore.kernel.org/lkml/Yz/mfJ1gjgshF19t@hirez.programming.kicks-ass.net/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6235-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0597" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6206-1" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-0597" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1188" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6300-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6311-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6332-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7077" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6583" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6347-1" + } + ], + "bom-ref": "vuln-132", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0597" + } + } + ], + "created": "2023-02-23T20:15:12Z", + "description": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-0597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + }, + "cwes": [ + 401, + 200 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-07-28T15:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:26:23Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13ddaf26be324a7f951891ecd9ccd04466d27458" + }, + { + "url": "https://git.kernel.org/stable/c/2dedda77d4493f3e92e414b272bfa60f1f51ed95" + }, + { + "url": "https://git.kernel.org/stable/c/305152314df82b22cf9b181f3dc5fc411002079a" + }, + { + "url": "https://git.kernel.org/stable/c/d183a4631acfc7af955c02a02e739cec15f5234d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26759" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/13ddaf26be324a7f951891ecd9ccd04466d27458(6.8-rc6)" + } + ], + "bom-ref": "vuln-133", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26759" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/swap: fix race when skipping swapcache\n\nWhen skipping swapcache for SWP_SYNCHRONOUS_IO, if two or more threads\nswapin the same entry at the same time, they get different pages (A, B). \nBefore one thread (T0) finishes the swapin and installs page (A) to the\nPTE, another thread (T1) could finish swapin of page (B), swap_free the\nentry, then swap out the possibly modified page reusing the same entry. \nIt breaks the pte_same check in (T0) because PTE value is unchanged,\ncausing ABA problem. Thread (T0) will install a stalled page (A) into the\nPTE and cause data corruption.\n\nOne possible callstack is like this:\n\nCPU0 CPU1\n---- ----\ndo_swap_page() do_swap_page() with same entry\n \n \nswap_read_folio() <- read to page A swap_read_folio() <- read to page B\n \n... set_pte_at()\n swap_free() <- entry is free\n \n \npte_same() <- Check pass, PTE seems\n unchanged, but page A\n is stalled!\nswap_free() <- page B content lost!\nset_pte_at() <- staled page A installed!\n\nAnd besides, for ZRAM, swap_free() allows the swap device to discard the\nentry content, so even if page (B) is not modified, if swap_read_folio()\non CPU0 happens later than swap_free() on CPU1, it may also cause data\nloss.\n\nTo fix this, reuse swapcache_prepare which will pin the swap entry using\nthe cache flag, and allow only one thread to swap it in, also prevent any\nparallel code from putting the entry in the cache. Release the pin after\nPT unlocked.\n\nRacers just loop and wait since it's a rare and very short event. A\nschedule_timeout_uninterruptible(1) call is added to avoid repeated page\nfaults wasting too much CPU, causing livelock or adding too much noise to\nperf statistics. A similar livelock issue was described in commit\n029c4628b2eb (\"mm: swap: get rid of livelock in swapin readahead\")\n\nReproducer:\n\nThis race issue can be triggered easily using a well constructed\nreproducer and patched brd (with a delay in read path) [1]:\n\nWith latest 6.8 mainline, race caused data loss can be observed easily:\n$ gcc -g -lpthread test-thread-swap-race.c && ./a.out\n Polulating 32MB of memory region...\n Keep swapping out...\n Starting round 0...\n Spawning 65536 workers...\n 32746 workers spawned, wait for done...\n Round 0: Error on 0x5aa00, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x395200, expected 32746, got 32743, 3 data loss!\n Round 0: Error on 0x3fd000, expected 32746, got 32737, 9 data loss!\n Round 0 Failed, 15 data loss!\n\nThis reproducer spawns multiple threads sharing the same memory region\nusing a small swap device. Every two threads updates mapped pages one by\none in opposite direction trying to create a race, with one dedicated\nthread keep swapping out the data out using madvise.\n\nThe reproducer created a reproduce rate of about once every 5 minutes, so\nthe race should be totally possible in production.\n\nAfter this patch, I ran the reproducer for over a few hundred rounds and\nno data loss observed.\n\nPerformance overhead is minimal, microbenchmark swapin 10G from 32G\nzram:\n\nBefore: 10934698 us\nAfter: 11157121 us\nCached: 13155355 us (Dropping SWP_SYNCHRONOUS_IO flag)\n\n[kasong@tencent.com: v4]\n Link: https://lkml.kernel.org/r/20240219082040.7495-1-ryncsn@gmail.com", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26759", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26759" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e" + }, + { + "url": "https://git.kernel.org/stable/c/edcf92bc66d8361c51dff953a55210e5cfd95587" + }, + { + "url": "https://git.kernel.org/stable/c/abd34206f396d3ae50cddbd5aa840b8cd7f68c63" + }, + { + "url": "https://git.kernel.org/stable/c/b39b4d207d4f236a74e20d291f6356f2231fd9ee" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52660" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/ffb635bb398fc07cb38f8a7b4a82cbe5f412f08e(6.8-rc5)" + } + ], + "bom-ref": "vuln-134", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52660" + } + } + ], + "created": "2024-05-17T13:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ handling due to shared interrupts\n\nThe driver requests the interrupts as IRQF_SHARED, so the interrupt\nhandlers can be called at any time. If such a call happens while the ISP\nis powered down, the SoC will hang as the driver tries to access the\nISP registers.\n\nThis can be reproduced even without the platform sharing the IRQ line:\nEnable CONFIG_DEBUG_SHIRQ and unload the driver, and the board will\nhang.\n\nFix this by adding a new field, 'irqs_enabled', which is used to bail\nout from the interrupt handler when the ISP is not operational.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52660", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52660" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/16b7d785775eb03929766819415055e367398f49" + }, + { + "url": "https://git.kernel.org/stable/c/1e12f0d5c66f07c934041621351973a116fa13c7" + }, + { + "url": "https://git.kernel.org/stable/c/0865ffefea197b437ba78b5dd8d8e256253efd65" + }, + { + "url": "https://git.kernel.org/stable/c/c3cf8b74c57924c0985e49a1fdf02d3395111f39" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35867" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/0865ffefea197b437ba78b5dd8d8e256253efd65(6.9-rc3)" + } + ], + "bom-ref": "vuln-135", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35867" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35867", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35867" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/32f2a0afa95fae0d1ceec2ff06e0e816939964b8" + }, + { + "url": "https://git.kernel.org/stable/c/c04709b2cc99ae31c346f79f0211752d7b74df01" + }, + { + "url": "https://git.kernel.org/stable/c/9ed46144cff3598a5cf79955630e795ff9af5b97" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26669" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/32f2a0afa95fae0d1ceec2ff06e0e816939964b8(6.8-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-136", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26669" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: Fix chain template offload\n\nWhen a qdisc is deleted from a net device the stack instructs the\nunderlying driver to remove its flow offload callback from the\nassociated filter block using the 'FLOW_BLOCK_UNBIND' command. The stack\nthen continues to replay the removal of the filters in the block for\nthis driver by iterating over the chains in the block and invoking the\n'reoffload' operation of the classifier being used. In turn, the\nclassifier in its 'reoffload' operation prepares and emits a\n'FLOW_CLS_DESTROY' command for each filter.\n\nHowever, the stack does not do the same for chain templates and the\nunderlying driver never receives a 'FLOW_CLS_TMPLT_DESTROY' command when\na qdisc is deleted. This results in a memory leak [1] which can be\nreproduced using [2].\n\nFix by introducing a 'tmplt_reoffload' operation and have the stack\ninvoke it with the appropriate arguments as part of the replay.\nImplement the operation in the sole classifier that supports chain\ntemplates (flower) by emitting the 'FLOW_CLS_TMPLT_{CREATE,DESTROY}'\ncommand based on whether a flow offload callback is being bound to a\nfilter block or being unbound from one.\n\nAs far as I can tell, the issue happens since cited commit which\nreordered tcf_block_offload_unbind() before tcf_block_flush_all_chains()\nin __tcf_block_put(). The order cannot be reversed as the filter block\nis expected to be freed after flushing all the chains.\n\n[1]\nunreferenced object 0xffff888107e28800 (size 2048):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n b1 a6 7c 11 81 88 ff ff e0 5b b3 10 81 88 ff ff ..|......[......\n 01 00 00 00 00 00 00 00 e0 aa b0 84 ff ff ff ff ................\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc+0x4e/0x90\n [] mlxsw_sp_acl_ruleset_get+0x34d/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n [] ___sys_sendmsg+0x13a/0x1e0\n [] __sys_sendmsg+0x11c/0x1f0\n [] do_syscall_64+0x40/0xe0\nunreferenced object 0xffff88816d2c0400 (size 1024):\n comm \"tc\", pid 1079, jiffies 4294958525 (age 3074.287s)\n hex dump (first 32 bytes):\n 40 00 00 00 00 00 00 00 57 f6 38 be 00 00 00 00 @.......W.8.....\n 10 04 2c 6d 81 88 ff ff 10 04 2c 6d 81 88 ff ff ..,m......,m....\n backtrace:\n [] __kmem_cache_alloc_node+0x1e8/0x320\n [] __kmalloc_node+0x51/0x90\n [] kvmalloc_node+0xa6/0x1f0\n [] bucket_table_alloc.isra.0+0x83/0x460\n [] rhashtable_init+0x43b/0x7c0\n [] mlxsw_sp_acl_ruleset_get+0x428/0x7a0\n [] mlxsw_sp_flower_tmplt_create+0x145/0x180\n [] mlxsw_sp_flow_block_cb+0x1ea/0x280\n [] tc_setup_cb_call+0x183/0x340\n [] fl_tmplt_create+0x3da/0x4c0\n [] tc_ctl_chain+0xa15/0x1170\n [] rtnetlink_rcv_msg+0x3cc/0xed0\n [] netlink_rcv_skb+0x170/0x440\n [] netlink_unicast+0x540/0x820\n [] netlink_sendmsg+0x8d8/0xda0\n [] ____sys_sendmsg+0x30f/0xa80\n\n[2]\n # tc qdisc add dev swp1 clsact\n # tc chain add dev swp1 ingress proto ip chain 1 flower dst_ip 0.0.0.0/32\n # tc qdisc del dev\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26669", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26669" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/989b0ff35fe5fc9652ee5bafbe8483db6f27b137" + }, + { + "url": "https://git.kernel.org/stable/c/23d05d563b7e7b0314e65c8e882bc27eac2da8e7" + }, + { + "url": "https://git.kernel.org/stable/c/cd1022eaf87be8e6151435bd4df4c242c347e083" + }, + { + "url": "https://git.kernel.org/stable/c/95b3904a261a9f810205da560e802cc326f50d77" + }, + { + "url": "https://git.kernel.org/stable/c/8f8f185643747fbb448de6aab0efa51c679909a3" + }, + { + "url": "https://git.kernel.org/stable/c/6c53e8547687d9c767c139cd4b50af566f58c29a" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://git.kernel.org/linus/23d05d563b7e7b0314e65c8e882bc27eac2da8e7(6.7-rc6)" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52435" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-137", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52435" + } + } + ], + "created": "2024-02-20T20:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: prevent mss overflow in skb_segment()\n\nOnce again syzbot is able to crash the kernel in skb_segment() [1]\n\nGSO_BY_FRAGS is a forbidden value, but unfortunately the following\ncomputation in skb_segment() can reach it quite easily :\n\n\tmss = mss * partial_segs;\n\n65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to\na bad final result.\n\nMake sure to limit segmentation so that the new mss value is smaller\nthan GSO_BY_FRAGS.\n\n[1]\n\ngeneral protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]\nCPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff\nR10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0\nR13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046\nFS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\nudp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109\nipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120\nskb_mac_gso_segment+0x290/0x610 net/core/gso.c:53\n__skb_gso_segment+0x339/0x710 net/core/gso.c:124\nskb_gso_segment include/net/gso.h:83 [inline]\nvalidate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626\n__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338\ndev_queue_xmit include/linux/netdevice.h:3134 [inline]\npacket_xmit+0x257/0x380 net/packet/af_packet.c:276\npacket_snd net/packet/af_packet.c:3087 [inline]\npacket_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119\nsock_sendmsg_nosec net/socket.c:730 [inline]\n__sock_sendmsg+0xd5/0x180 net/socket.c:745\n__sys_sendto+0x255/0x340 net/socket.c:2190\n__do_sys_sendto net/socket.c:2202 [inline]\n__se_sys_sendto net/socket.c:2198 [inline]\n__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198\ndo_syscall_x64 arch/x86/entry/common.c:52 [inline]\ndo_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\nentry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7f8692032aa9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9\nRDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003\nRBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014\nR10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480\nR13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003\n\nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551\nCode: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00\nRSP: 0018:ffffc900043473d0 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597\nRDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070\nRBP: ffffc90004347578 R0\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52435", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52435" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-15T14:06:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T19:50:17Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ee0088101beee10fa809716d6245d915b09c37c7" + }, + { + "url": "https://git.kernel.org/stable/c/4e3fdeecec5707678b0d1f18c259dadb97262e9d" + }, + { + "url": "https://git.kernel.org/stable/c/06a939f72a24a7d8251f84cf4c042df86c6666ac" + }, + { + "url": "https://git.kernel.org/stable/c/17af420545a750f763025149fa7b833a4fc8b8f0" + }, + { + "url": "https://git.kernel.org/stable/c/1db7fcb2b290c47c202b79528824f119fa28937d" + }, + { + "url": "https://git.kernel.org/stable/c/e54a0c79cdc2548729dd7e2e468b08c5af4d0df5" + }, + { + "url": "https://git.kernel.org/stable/c/b14b9f9503ec823ca75be766dcaeff4f0bfeca85" + }, + { + "url": "https://git.kernel.org/stable/c/0ac328a5a4138a6c03dfc3f46017bd5c19167446" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35888" + }, + { + "url": "https://git.kernel.org/linus/17af420545a750f763025149fa7b833a4fc8b8f0(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-138", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35888" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: make sure erspan_base_hdr is present in skb->head\n\nsyzbot reported a problem in ip6erspan_rcv() [1]\n\nIssue is that ip6erspan_rcv() (and erspan_rcv()) no longer make\nsure erspan_base_hdr is present in skb linear part (skb->head)\nbefore getting @ver field from it.\n\nAdd the missing pskb_may_pull() calls.\n\nv2: Reload iph pointer in erspan_rcv() after pskb_may_pull()\n because skb->head might have changed.\n\n[1]\n\n BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]\n BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]\n pskb_may_pull include/linux/skbuff.h:2756 [inline]\n ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]\n gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610\n ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:460 [inline]\n ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5538 [inline]\n __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652\n netif_receive_skb_internal net/core/dev.c:5738 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5798\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549\n tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n tun_alloc_skb drivers/net/tun.c:1525 [inline]\n tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2108 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb63/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xe0 fs/read_write.c:652\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35888", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35888" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://people.redhat.com/~hkario/marvin/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://securitypitfalls.wordpress.com/2023/10/16/experiment-with-side-channel-attacks-yourself/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2250843" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6240" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6240" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-139", + "ratings": [ + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + } + }, + { + "severity": "none", + "score": 0.00101, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6240" + } + } + ], + "created": "2024-02-04T14:15:47Z", + "description": "A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel. This issue may allow a network attacker to decrypt ciphertexts or forge signatures, limiting the services that use that private key.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-6240", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6240" + }, + "cwes": [ + 203 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-08T13:15:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a1227b27fcccc99dc44f912b479e01a17e2d7d31" + }, + { + "url": "https://git.kernel.org/stable/c/831bc2728fb48a8957a824cba8c264b30dca1425" + }, + { + "url": "https://git.kernel.org/stable/c/b9fbc44159dfc3e9a7073032752d9e03f5194a6f" + }, + { + "url": "https://git.kernel.org/stable/c/167d8642daa6a44b51de17f8ff0f584e1e762db7" + }, + { + "url": "https://git.kernel.org/stable/c/882a51a10ecf24ce135d573afa0872aef02c5125" + }, + { + "url": "https://git.kernel.org/stable/c/743ad091fb46e622f1b690385bb15e3cd3daf874" + }, + { + "url": "https://git.kernel.org/stable/c/f2261eb994aa5757c1da046b78e3229a3ece0ad9" + }, + { + "url": "https://git.kernel.org/linus/743ad091fb46e622f1b690385bb15e3cd3daf874(6.8-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27414" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-140", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27414" + } + } + ], + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back\n\nIn the commit d73ef2d69c0d (\"rtnetlink: let rtnl_bridge_setlink checks\nIFLA_BRIDGE_MODE length\"), an adjustment was made to the old loop logic\nin the function `rtnl_bridge_setlink` to enable the loop to also check\nthe length of the IFLA_BRIDGE_MODE attribute. However, this adjustment\nremoved the `break` statement and led to an error logic of the flags\nwriting back at the end of this function.\n\nif (have_flags)\n memcpy(nla_data(attr), &flags, sizeof(flags));\n // attr should point to IFLA_BRIDGE_FLAGS NLA !!!\n\nBefore the mentioned commit, the `attr` is granted to be IFLA_BRIDGE_FLAGS.\nHowever, this is not necessarily true fow now as the updated loop will let\nthe attr point to the last NLA, even an invalid NLA which could cause\noverflow writes.\n\nThis patch introduces a new variable `br_flag` to save the NLA pointer\nthat points to IFLA_BRIDGE_FLAGS and uses it to resolve the mentioned\nerror logic.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27414", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27414" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a04410b0bc7e056e0843ac598825dd359246d18" + }, + { + "url": "https://git.kernel.org/stable/c/0671f42a9c1084db10d68ac347d08dbf6689ecb3" + }, + { + "url": "https://git.kernel.org/stable/c/2823db0010c400e4b2b12d02aa5d0d3ecb15d7c7" + }, + { + "url": "https://git.kernel.org/stable/c/b988b1bb0053c0dcd26187d29ef07566a565cf55" + }, + { + "url": "https://git.kernel.org/stable/c/c87d7d910775a025e230fd6359b60627e392460f" + }, + { + "url": "https://git.kernel.org/stable/c/150a3a3871490e8c454ffbac2e60abeafcecff99" + }, + { + "url": "https://git.kernel.org/stable/c/732a3bea7aba5b15026ea42d14953c3425cc7dc2" + }, + { + "url": "https://git.kernel.org/stable/c/5e63c9ae8055109d805aacdaf2a4fe2c3b371ba1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b988b1bb0053c0dcd26187d29ef07566a565cf55(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52597" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-141", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52597" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: fix setting of fpc register\n\nkvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control\n(fpc) register of a guest cpu. The new value is tested for validity by\ntemporarily loading it into the fpc register.\n\nThis may lead to corruption of the fpc register of the host process:\nif an interrupt happens while the value is temporarily loaded into the fpc\nregister, and within interrupt context floating point or vector registers\nare used, the current fp/vx registers are saved with save_fpu_regs()\nassuming they belong to user space and will be loaded into fp/vx registers\nwhen returning to user space.\n\ntest_fp_ctl() restores the original user space / host process fpc register\nvalue, however it will be discarded, when returning to user space.\n\nIn result the host process will incorrectly continue to run with the value\nthat was supposed to be used for a guest cpu.\n\nFix this by simply removing the test. There is another test right before\nthe SIE context is entered which will handles invalid values.\n\nThis results in a change of behaviour: invalid values will now be accepted\ninstead of that the ioctl fails with -EINVAL. This seems to be acceptable,\ngiven that this interface is most likely not used anymore, and this is in\naddition the same behaviour implemented with the memory mapped interface\n(replace invalid values with zero) - see sync_regs() in kvm-s390.c.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52597" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/315552310c7de92baea4e570967066569937a843" + }, + { + "url": "https://git.kernel.org/stable/c/2ae7081bc10123b187e36a4f3a8e53768de31489" + }, + { + "url": "https://git.kernel.org/stable/c/15893975e9e382f8294ea8d926f08dc2d8d39ede" + }, + { + "url": "https://git.kernel.org/linus/315552310c7de92baea4e570967066569937a843(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52596" + } + ], + "bom-ref": "vuln-142", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52596" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysctl: Fix out of bounds access for empty sysctl registers\n\nWhen registering tables to the sysctl subsystem there is a check to see\nif header is a permanently empty directory (used for mounts). This check\nevaluates the first element of the ctl_table. This results in an out of\nbounds evaluation when registering empty directories.\n\nThe function register_sysctl_mount_point now passes a ctl_table of size\n1 instead of size 0. It now relies solely on the type to identify\na permanently empty register.\n\nMake sure that the ctl_table has at least one element before testing for\npermanent emptiness.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52596", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52596" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ca545b7f0823f19db0f1148d59bc5e1a56634502" + }, + { + "url": "https://git.kernel.org/stable/c/a65f2b56334ba4dc30bd5ee9ce5b2691b973344d" + }, + { + "url": "https://git.kernel.org/stable/c/229042314602db62559ecacba127067c22ee7b88" + }, + { + "url": "https://git.kernel.org/stable/c/3402faf78b2516b0af1259baff50cc8453ef0bd1" + }, + { + "url": "https://git.kernel.org/linus/ca545b7f0823f19db0f1148d59bc5e1a56634502(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26928" + } + ], + "bom-ref": "vuln-143", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26928" + } + } + ], + "created": "2024-04-28T12:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_debug_files_proc_show()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26928", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26928" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T12:42:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7e5ef49670766c9742ffcd9cead7cdb018268719" + }, + { + "url": "https://git.kernel.org/stable/c/cb88cb53badb8aeb3955ad6ce80b07b598e310b8" + }, + { + "url": "https://git.kernel.org/stable/c/58fbe665b097bf7b3144da7e7b91fb27aa8d0ae3" + }, + { + "url": "https://git.kernel.org/stable/c/56fae81633ccee307cfcb032f706bf1863a56982" + }, + { + "url": "https://git.kernel.org/stable/c/4fdb14ba89faff6e6969a4dffdc8e54235d6e5ed" + }, + { + "url": "https://git.kernel.org/stable/c/210d938f963dddc543b07e66a79b7d8d4bd00bd8" + }, + { + "url": "https://git.kernel.org/stable/c/4e2c4846b2507f6dfc9bea72b7567c2693a82a16" + }, + { + "url": "https://git.kernel.org/stable/c/b06e067e93fa4b98acfd3a9f38a398ab91bbc58b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26675" + }, + { + "url": "https://git.kernel.org/linus/cb88cb53badb8aeb3955ad6ce80b07b598e310b8(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-144", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26675" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp_async: limit MRU to 64K\n\nsyzbot triggered a warning [1] in __alloc_pages():\n\nWARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp)\n\nWillem fixed a similar issue in commit c0a2a1b0d631 (\"ppp: limit MRU to 64K\")\n\nAdopt the same sanity check for ppp_async_ioctl(PPPIOCSMRU)\n\n[1]:\n\n WARNING: CPU: 1 PID: 11 at mm/page_alloc.c:4543 __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\nModules linked in:\nCPU: 1 PID: 11 Comm: kworker/u4:0 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events_unbound flush_to_ldisc\npstate: 204000c5 (nzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n lr : __alloc_pages+0xc8/0x698 mm/page_alloc.c:4537\nsp : ffff800093967580\nx29: ffff800093967660 x28: ffff8000939675a0 x27: dfff800000000000\nx26: ffff70001272ceb4 x25: 0000000000000000 x24: ffff8000939675c0\nx23: 0000000000000000 x22: 0000000000060820 x21: 1ffff0001272ceb8\nx20: ffff8000939675e0 x19: 0000000000000010 x18: ffff800093967120\nx17: ffff800083bded5c x16: ffff80008ac97500 x15: 0000000000000005\nx14: 1ffff0001272cebc x13: 0000000000000000 x12: 0000000000000000\nx11: ffff70001272cec1 x10: 1ffff0001272cec0 x9 : 0000000000000001\nx8 : ffff800091c91000 x7 : 0000000000000000 x6 : 000000000000003f\nx5 : 00000000ffffffff x4 : 0000000000000000 x3 : 0000000000000020\nx2 : 0000000000000008 x1 : 0000000000000000 x0 : ffff8000939675e0\nCall trace:\n __alloc_pages+0x308/0x698 mm/page_alloc.c:4543\n __alloc_pages_node include/linux/gfp.h:238 [inline]\n alloc_pages_node include/linux/gfp.h:261 [inline]\n __kmalloc_large_node+0xbc/0x1fc mm/slub.c:3926\n __do_kmalloc_node mm/slub.c:3969 [inline]\n __kmalloc_node_track_caller+0x418/0x620 mm/slub.c:4001\n kmalloc_reserve+0x17c/0x23c net/core/skbuff.c:590\n __alloc_skb+0x1c8/0x3d8 net/core/skbuff.c:651\n __netdev_alloc_skb+0xb8/0x3e8 net/core/skbuff.c:715\n netdev_alloc_skb include/linux/skbuff.h:3235 [inline]\n dev_alloc_skb include/linux/skbuff.h:3248 [inline]\n ppp_async_input drivers/net/ppp/ppp_async.c:863 [inline]\n ppp_asynctty_receive+0x588/0x186c drivers/net/ppp/ppp_async.c:341\n tty_ldisc_receive_buf+0x12c/0x15c drivers/tty/tty_buffer.c:390\n tty_port_default_receive_buf+0x74/0xac drivers/tty/tty_port.c:37\n receive_buf drivers/tty/tty_buffer.c:444 [inline]\n flush_to_ldisc+0x284/0x6e4 drivers/tty/tty_buffer.c:494\n process_one_work+0x694/0x1204 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x938/0xef4 kernel/workqueue.c:2787\n kthread+0x288/0x310 kernel/kthread.c:388\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26675", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26675" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c6652e20d7d783d060fe5f987eac7b5cabe31311" + }, + { + "url": "https://git.kernel.org/stable/c/343eecb4ff49a7b1cc1dfe86958a805cf2341cfb" + }, + { + "url": "https://git.kernel.org/stable/c/11d7a2e429c02d51e2dc90713823ea8b8d3d3a84" + }, + { + "url": "https://git.kernel.org/stable/c/b1690ced4d2d8b28868811fb81cd33eee5aefee1" + }, + { + "url": "https://git.kernel.org/stable/c/2886fe308a83968dde252302884a1e63351cf16d" + }, + { + "url": "https://git.kernel.org/stable/c/ab2d68655d0f04650bef09fee948ff80597c5fb9" + }, + { + "url": "https://git.kernel.org/stable/c/9845664b9ee47ce7ee7ea93caf47d39a9d4552c4" + }, + { + "url": "https://git.kernel.org/stable/c/f590040ce2b712177306b03c2a63b16f7d48d3c8" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26791" + } + ], + "bom-ref": "vuln-145", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26791" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: dev-replace: properly validate device names\n\nThere's a syzbot report that device name buffers passed to device\nreplace are not properly checked for string termination which could lead\nto a read out of bounds in getname_kernel().\n\nAdd a helper that validates both source and target device name buffers.\nFor devid as the source initialize the buffer to empty string in case\nsomething tries to read it later.\n\nThis was originally analyzed and fixed in a different way by Edward Adam\nDavis (see links).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26791", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26791" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T08:35:30Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda" + }, + { + "url": "https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a" + }, + { + "url": "https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996" + }, + { + "url": "https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2" + }, + { + "url": "https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835" + }, + { + "url": "https://git.kernel.org/linus/d877550eaf2dc9090d782864c96939397a3c6835(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26603" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-040.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + } + ], + "bom-ref": "vuln-146", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26603" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26603", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-17T18:00:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T19:51:00Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49767b0df276f12e3e7184601e09ee7430e252dc" + }, + { + "url": "https://git.kernel.org/stable/c/10608161696c2768f53426642f78a42bcaaa53e8" + }, + { + "url": "https://git.kernel.org/stable/c/96c155943a703f0655c0c4cab540f67055960e91" + }, + { + "url": "https://git.kernel.org/stable/c/95c1016a2d92c4c28a9d1b6d09859c00b19c0ea4" + }, + { + "url": "https://git.kernel.org/linus/96c155943a703f0655c0c4cab540f67055960e91(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35891" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-147", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35891" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: micrel: Fix potential null pointer dereference\n\nIn lan8814_get_sig_rx() and lan8814_get_sig_tx() ptp_parse_header() may\nreturn NULL as ptp_header due to abnormal packet type or corrupted packet.\nFix this bug by adding ptp_header check.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35891", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35891" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/06e828b3f1b206de08ef520fc46a40b22e1869cb" + }, + { + "url": "https://git.kernel.org/stable/c/9d52865ff28245fc2134da9f99baff603a24407a" + }, + { + "url": "https://git.kernel.org/stable/c/23bfecb4d852751d5e403557dd500bb563313baf" + }, + { + "url": "https://git.kernel.org/stable/c/251a658bbfceafb4d58c76b77682c8bf7bcfad65" + }, + { + "url": "https://git.kernel.org/stable/c/80365c9f96015bbf048fdd6c8705d3f8770132bf" + }, + { + "url": "https://git.kernel.org/stable/c/4403438eaca6e91f02d272211c4d6b045092396b" + }, + { + "url": "https://git.kernel.org/stable/c/79cdcc765969d23f4e3d6ea115660c3333498768" + }, + { + "url": "https://git.kernel.org/linus/251a658bbfceafb4d58c76b77682c8bf7bcfad65(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26870" + } + ], + "bom-ref": "vuln-148", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26870" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102\n\nA call to listxattr() with a buffer size = 0 returns the actual\nsize of the buffer needed for a subsequent call. When size > 0,\nnfs4_listxattr() does not return an error because either\ngeneric_listxattr() or nfs4_listxattr_nfs4_label() consumes\nexactly all the bytes then size is 0 when calling\nnfs4_listxattr_nfs4_user() which then triggers the following\nkernel BUG:\n\n [ 99.403778] kernel BUG at mm/usercopy.c:102!\n [ 99.404063] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP\n [ 99.408463] CPU: 0 PID: 3310 Comm: python3 Not tainted 6.6.0-61.fc40.aarch64 #1\n [ 99.415827] Call trace:\n [ 99.415985] usercopy_abort+0x70/0xa0\n [ 99.416227] __check_heap_object+0x134/0x158\n [ 99.416505] check_heap_object+0x150/0x188\n [ 99.416696] __check_object_size.part.0+0x78/0x168\n [ 99.416886] __check_object_size+0x28/0x40\n [ 99.417078] listxattr+0x8c/0x120\n [ 99.417252] path_listxattr+0x78/0xe0\n [ 99.417476] __arm64_sys_listxattr+0x28/0x40\n [ 99.417723] invoke_syscall+0x78/0x100\n [ 99.417929] el0_svc_common.constprop.0+0x48/0xf0\n [ 99.418186] do_el0_svc+0x24/0x38\n [ 99.418376] el0_svc+0x3c/0x110\n [ 99.418554] el0t_64_sync_handler+0x120/0x130\n [ 99.418788] el0t_64_sync+0x194/0x198\n [ 99.418994] Code: aa0003e3 d000a3e0 91310000 97f49bdb (d4210000)\n\nIssue is reproduced when generic_listxattr() returns 'system.nfs4_acl',\nthus calling lisxattr() with size = 16 will trigger the bug.\n\nAdd check on nfs4_listxattr() to return ERANGE error when it is\ncalled with size > 0 and the return value is greater than size.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26870", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26870" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1973689" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037090" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3610" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6200-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-149", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3610" + } + }, + { + "severity": "none", + "score": 0.00082, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3610" + } + } + ], + "created": "2022-02-24T19:15:09Z", + "description": "A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2021-3610", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3610" + }, + "cwes": [ + 125, + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-06-26T18:56:40Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-03-27T14:25:26Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96" + }, + { + "url": "https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5" + }, + { + "url": "https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df" + }, + { + "url": "https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26582" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + } + ], + "bom-ref": "vuln-150", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26582" + } + } + ], + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26582", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-15T13:56:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T12:46:21Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/34e1d5c4407c78de0e3473e1fbf8fb74dbe66d03" + }, + { + "url": "https://git.kernel.org/stable/c/32ce3bb57b6b402de2aec1012511e7ac4e7449dc" + }, + { + "url": "https://git.kernel.org/stable/c/03f1573c9587029730ca68503f5062105b122f61" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26807" + } + ], + "bom-ref": "vuln-151", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26807" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: cadence-qspi: fix pointer reference in runtime PM hooks\n\ndev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI\ncontroller. Neither embed the other; this lead to memory corruption.\n\nOn a given platform (Mobileye EyeQ5) the memory corruption is hidden\ninside cqspi->f_pdata. Also, this uninitialised memory is used as a\nmutex (ctlr->bus_lock_mutex) by spi_controller_suspend().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26807", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26807" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ad10289f68f45649816cc68eb93f45fd5ec48a15" + }, + { + "url": "https://git.kernel.org/stable/c/03ad5ad53e51abf3a4c7538c1bc67a5982b41dc5" + }, + { + "url": "https://git.kernel.org/stable/c/65e8fbde64520001abf1c8d0e573561b4746ef38" + }, + { + "url": "https://git.kernel.org/stable/c/f89bd27709376d37ff883067193320c58a8c1d5a" + }, + { + "url": "https://git.kernel.org/stable/c/69836d9329f0b4c58faaf3d886a7748ddb5bf718" + }, + { + "url": "https://git.kernel.org/stable/c/15a3fc5c8774c17589dabfe1d642d40685c985af" + }, + { + "url": "https://git.kernel.org/stable/c/360a7d1be8112654f1fb328ed3862be630bca3f4" + }, + { + "url": "https://git.kernel.org/stable/c/da7ece2197101b1469853e6b5e915be1e3896d52" + }, + { + "url": "https://git.kernel.org/stable/c/ef02d8edf738557af2865c5bfb66a03c4e071be7" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26880" + }, + { + "url": "https://git.kernel.org/linus/65e8fbde64520001abf1c8d0e573561b4746ef38(6.9-rc1)" + } + ], + "bom-ref": "vuln-152", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26880" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: call the resume method on internal suspend\n\nThere is this reported crash when experimenting with the lvm2 testsuite.\nThe list corruption is caused by the fact that the postsuspend and resume\nmethods were not paired correctly; there were two consecutive calls to the\norigin_postsuspend function. The second call attempts to remove the\n\"hash_list\" entry from a list, while it was already removed by the first\ncall.\n\nFix __dm_internal_resume so that it calls the preresume and resume\nmethods of the table's targets.\n\nIf a preresume method of some target fails, we are in a tricky situation.\nWe can't return an error because dm_internal_resume isn't supposed to\nreturn errors. We can't return success, because then the \"resume\" and\n\"postsuspend\" methods would not be paired correctly. So, we set the\nDMF_SUSPENDED flag and we fake normal suspend - it may confuse userspace\ntools, but it won't cause a kernel crash.\n\n------------[ cut here ]------------\nkernel BUG at lib/list_debug.c:56!\ninvalid opcode: 0000 [#1] PREEMPT SMP\nCPU: 1 PID: 8343 Comm: dmsetup Not tainted 6.8.0-rc6 #4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014\nRIP: 0010:__list_del_entry_valid_or_report+0x77/0xc0\n\nRSP: 0018:ffff8881b831bcc0 EFLAGS: 00010282\nRAX: 000000000000004e RBX: ffff888143b6eb80 RCX: 0000000000000000\nRDX: 0000000000000001 RSI: ffffffff819053d0 RDI: 00000000ffffffff\nRBP: ffff8881b83a3400 R08: 00000000fffeffff R09: 0000000000000058\nR10: 0000000000000000 R11: ffffffff81a24080 R12: 0000000000000001\nR13: ffff88814538e000 R14: ffff888143bc6dc0 R15: ffffffffa02e4bb0\nFS: 00000000f7c0f780(0000) GS:ffff8893f0a40000(0000) knlGS:0000000000000000\nCS: 0010 DS: 002b ES: 002b CR0: 0000000080050033\nCR2: 0000000057fb5000 CR3: 0000000143474000 CR4: 00000000000006b0\nCall Trace:\n \n ? die+0x2d/0x80\n ? do_trap+0xeb/0xf0\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? do_error_trap+0x60/0x80\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? exc_invalid_op+0x49/0x60\n ? __list_del_entry_valid_or_report+0x77/0xc0\n ? asm_exc_invalid_op+0x16/0x20\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ? __list_del_entry_valid_or_report+0x77/0xc0\n origin_postsuspend+0x1a/0x50 [dm_snapshot]\n dm_table_postsuspend_targets+0x34/0x50 [dm_mod]\n dm_suspend+0xd8/0xf0 [dm_mod]\n dev_suspend+0x1f2/0x2f0 [dm_mod]\n ? table_deps+0x1b0/0x1b0 [dm_mod]\n ctl_ioctl+0x300/0x5f0 [dm_mod]\n dm_compat_ctl_ioctl+0x7/0x10 [dm_mod]\n __x64_compat_sys_ioctl+0x104/0x170\n do_syscall_64+0x184/0x1b0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\nRIP: 0033:0xf7e6aead\n\n---[ end trace 0000000000000000 ]---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26880", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26880" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f0363af9619c77730764f10360e36c6445c12f7b" + }, + { + "url": "https://git.kernel.org/stable/c/eaa7cb836659ced2d9f814ac32aa3ec193803ed6" + }, + { + "url": "https://git.kernel.org/stable/c/f562e4c4aab00986dde3093c4be919c3f2b85a4a" + }, + { + "url": "https://git.kernel.org/stable/c/2487007aa3b9fafbd2cb14068f49791ce1d7ede5" + }, + { + "url": "https://git.kernel.org/stable/c/3420b3ff1ff489c177ea1cb7bd9fbbc4e9a0be95" + }, + { + "url": "https://git.kernel.org/stable/c/5f4e51abfbe6eb444fa91906a5cd083044278297" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27431" + }, + { + "url": "https://git.kernel.org/linus/2487007aa3b9fafbd2cb14068f49791ce1d7ede5(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-153", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27431" + } + } + ], + "created": "2024-05-17T12:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpumap: Zero-initialise xdp_rxq_info struct before running XDP program\n\nWhen running an XDP program that is attached to a cpumap entry, we don't\ninitialise the xdp_rxq_info data structure being used in the xdp_buff\nthat backs the XDP program invocation. Tobias noticed that this leads to\nrandom values being returned as the xdp_md->rx_queue_index value for XDP\nprograms running in a cpumap.\n\nThis means we're basically returning the contents of the uninitialised\nmemory, which is bad. Fix this by zero-initialising the rxq data\nstructure before running the XDP program.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27431", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27431" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7eb322360b0266481e560d1807ee79e0cef5742b" + }, + { + "url": "https://git.kernel.org/stable/c/b7d1ce2cc7192e8a037faa3f5d3ba72c25976460" + }, + { + "url": "https://git.kernel.org/stable/c/07696415526bee0607e495017369c7303a4792e1" + }, + { + "url": "https://git.kernel.org/stable/c/c040b99461a5bfc14c2d0cbb1780fcc3a4706c7e" + }, + { + "url": "https://git.kernel.org/linus/7eb322360b0266481e560d1807ee79e0cef5742b(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35892" + } + ], + "bom-ref": "vuln-154", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35892" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() is called with the qdisc lock held,\nnot RTNL.\n\nWe must use qdisc_lookup_rcu() instead of qdisc_lookup()\n\nsyzbot reported:\n\nWARNING: suspicious RCU usage\n6.1.74-syzkaller #0 Not tainted\n-----------------------------\nnet/sched/sch_api.c:305 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n3 locks held by udevd/1142:\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #0: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: net_tx_action+0x64a/0x970 net/core/dev.c:5282\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:350 [inline]\n #1: ffff888171861108 (&sch->q.lock){+.-.}-{2:2}, at: net_tx_action+0x754/0x970 net/core/dev.c:5297\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:306 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:747 [inline]\n #2: ffffffff87c729a0 (rcu_read_lock){....}-{1:2}, at: qdisc_tree_reduce_backlog+0x84/0x580 net/sched/sch_api.c:792\n\nstack backtrace:\nCPU: 1 PID: 1142 Comm: udevd Not tainted 6.1.74-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n [] __dump_stack lib/dump_stack.c:88 [inline]\n [] dump_stack_lvl+0x1b1/0x28f lib/dump_stack.c:106\n [] dump_stack+0x15/0x1e lib/dump_stack.c:113\n [] lockdep_rcu_suspicious+0x1b9/0x260 kernel/locking/lockdep.c:6592\n [] qdisc_lookup+0xac/0x6f0 net/sched/sch_api.c:305\n [] qdisc_tree_reduce_backlog+0x243/0x580 net/sched/sch_api.c:811\n [] pfifo_tail_enqueue+0x32c/0x4b0 net/sched/sch_fifo.c:51\n [] qdisc_enqueue include/net/sch_generic.h:833 [inline]\n [] netem_dequeue+0xeb3/0x15d0 net/sched/sch_netem.c:723\n [] dequeue_skb net/sched/sch_generic.c:292 [inline]\n [] qdisc_restart net/sched/sch_generic.c:397 [inline]\n [] __qdisc_run+0x249/0x1e60 net/sched/sch_generic.c:415\n [] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125\n [] net_tx_action+0x7c9/0x970 net/core/dev.c:5313\n [] __do_softirq+0x2bd/0x9bd kernel/softirq.c:616\n [] invoke_softirq kernel/softirq.c:447 [inline]\n [] __irq_exit_rcu+0xca/0x230 kernel/softirq.c:700\n [] irq_exit_rcu+0x9/0x20 kernel/softirq.c:712\n [] sysvec_apic_timer_interrupt+0x42/0x90 arch/x86/kernel/apic/apic.c:1107\n [] asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:656", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35892", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35892" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b54c4632946ae42f2b39ed38abd909bbf78cbcc2" + }, + { + "url": "https://git.kernel.org/stable/c/1b890ae474d19800a6be1696df7fb4d9a41676e4" + }, + { + "url": "https://git.kernel.org/stable/c/01fc53be672acae37e611c80cc0b4f3939584de3" + }, + { + "url": "https://git.kernel.org/stable/c/6dfd79ed04c578f1d9a9a41ba5b2015cf9f03fc3" + }, + { + "url": "https://git.kernel.org/stable/c/2f4a4d63a193be6fd530d180bb13c3592052904c" + }, + { + "url": "https://git.kernel.org/stable/c/6cb6b12b78dcd8867a3fdbb1b6d0ed1df2b208d1" + }, + { + "url": "https://git.kernel.org/stable/c/4949affd5288b867cdf115f5b08d6166b2027f87" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35995" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2f4a4d63a193be6fd530d180bb13c3592052904c(6.9-rc1)" + } + ], + "bom-ref": "vuln-155", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35995" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: CPPC: Use access_width over bit_width for system memory accesses\n\nTo align with ACPI 6.3+, since bit_width can be any 8-bit value, it\ncannot be depended on to be always on a clean 8b boundary. This was\nuncovered on the Cobalt 100 platform.\n\nSError Interrupt on CPU26, code 0xbe000011 -- SError\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)\n pc : cppc_get_perf_caps+0xec/0x410\n lr : cppc_get_perf_caps+0xe8/0x410\n sp : ffff8000155ab730\n x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078\n x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff\n x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000\n x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff\n x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008\n x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006\n x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec\n x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028\n x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff\n x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000\n Kernel panic - not syncing: Asynchronous SError Interrupt\n CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted\n5.15.2.1-13 #1\n Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION\n Call trace:\n dump_backtrace+0x0/0x1e0\n show_stack+0x24/0x30\n dump_stack_lvl+0x8c/0xb8\n dump_stack+0x18/0x34\n panic+0x16c/0x384\n add_taint+0x0/0xc0\n arm64_serror_panic+0x7c/0x90\n arm64_is_fatal_ras_serror+0x34/0xa4\n do_serror+0x50/0x6c\n el1h_64_error_handler+0x40/0x74\n el1h_64_error+0x7c/0x80\n cppc_get_perf_caps+0xec/0x410\n cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]\n cpufreq_online+0x2dc/0xa30\n cpufreq_add_dev+0xc0/0xd4\n subsys_interface_register+0x134/0x14c\n cpufreq_register_driver+0x1b0/0x354\n cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]\n do_one_initcall+0x50/0x250\n do_init_module+0x60/0x27c\n load_module+0x2300/0x2570\n __do_sys_finit_module+0xa8/0x114\n __arm64_sys_finit_module+0x2c/0x3c\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x180/0x1a0\n do_el0_svc+0x84/0xa0\n el0_svc+0x2c/0xc0\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n\nInstead, use access_width to determine the size and use the offset and\nwidth to shift and mask the bits to read/write out. Make sure to add a\ncheck for system memory since pcc redefines the access_width to\nsubspace id.\n\nIf access_width is not set, then fall back to using bit_width.\n\n[ rjw: Subject and changelog edits, comment adjustments ]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35995", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35995" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/27978243f165b44e342f28f449b91327944ea071" + }, + { + "url": "https://git.kernel.org/stable/c/cf4b8c39b9a0bd81c47afc7ef62914a62dd5ec4d" + }, + { + "url": "https://git.kernel.org/stable/c/7601df8031fd67310af891897ef6cc0df4209305" + }, + { + "url": "https://git.kernel.org/linus/7601df8031fd67310af891897ef6cc0df4209305(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26686" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-156", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26686" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats\n\nlock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call\ndo_task_stat() at the same time and the process has NR_THREADS, it will\nspin with irqs disabled O(NR_CPUS * NR_THREADS) time.\n\nChange do_task_stat() to use sig->stats_lock to gather the statistics\noutside of ->siglock protected section, in the likely case this code will\nrun lockless.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26686", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26686" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/34cab94f7473e7b09f5205d4583fb5096cb63b5b" + }, + { + "url": "https://git.kernel.org/stable/c/0866afaff19d8460308b022345ed116a12b1d0e1" + }, + { + "url": "https://git.kernel.org/stable/c/16d71319e29d5825ab53f263b59fdd8dc2d60ad4" + }, + { + "url": "https://git.kernel.org/stable/c/43464808669ba9d23996f0b6d875450191687caf" + }, + { + "url": "https://git.kernel.org/stable/c/bbf950a6e96a91cf8cf0c71117b94ed3fafc9dd3" + }, + { + "url": "https://git.kernel.org/stable/c/d380ce70058a4ccddc3e5f5c2063165dc07672c6" + }, + { + "url": "https://git.kernel.org/stable/c/f9055fa2b2931261d5f89948ee5bc315b6a22d4a" + }, + { + "url": "https://git.kernel.org/stable/c/d623fd5298d95b65d27ef5a618ebf39541074856" + }, + { + "url": "https://git.kernel.org/linus/d380ce70058a4ccddc3e5f5c2063165dc07672c6(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27419" + } + ], + "bom-ref": "vuln-157", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27419" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix data-races around sysctl_net_busy_read\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27419", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27419" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0fbcf2366ba9888cf02eda23e35fde7f7fcc07c3" + }, + { + "url": "https://git.kernel.org/stable/c/f0b5225a7dfc1bf53c98215db8c2f0b4efd3f108" + }, + { + "url": "https://git.kernel.org/stable/c/b2bb19114c079dcfec1ea46e761f510e30505e70" + }, + { + "url": "https://git.kernel.org/stable/c/23ec1cec24293f9799c725941677d4e167997265" + }, + { + "url": "https://git.kernel.org/stable/c/11b998360d96f6c76f04a95f54b49f24d3c858e4" + }, + { + "url": "https://git.kernel.org/stable/c/b3cf70472a600bcb2efe24906bc9bc6014d4c6f6" + }, + { + "url": "https://git.kernel.org/linus/0fbcf2366ba9888cf02eda23e35fde7f7fcc07c3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26881" + } + ], + "bom-ref": "vuln-158", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26881" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26881" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix kernel crash when 1588 is received on HIP08 devices\n\nThe HIP08 devices does not register the ptp devices, so the\nhdev->ptp is NULL, but the hardware can receive 1588 messages,\nand set the HNS3_RXD_TS_VLD_B bit, so, if match this case, the\naccess of hdev->ptp->flags will cause a kernel crash:\n\n[ 5888.946472] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n[ 5888.946475] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018\n...\n[ 5889.266118] pc : hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.272612] lr : hclge_ptp_get_rx_hwts+0x34/0x170 [hclge]\n[ 5889.279101] sp : ffff800012c3bc50\n[ 5889.283516] x29: ffff800012c3bc50 x28: ffff2040002be040\n[ 5889.289927] x27: ffff800009116484 x26: 0000000080007500\n[ 5889.296333] x25: 0000000000000000 x24: ffff204001c6f000\n[ 5889.302738] x23: ffff204144f53c00 x22: 0000000000000000\n[ 5889.309134] x21: 0000000000000000 x20: ffff204004220080\n[ 5889.315520] x19: ffff204144f53c00 x18: 0000000000000000\n[ 5889.321897] x17: 0000000000000000 x16: 0000000000000000\n[ 5889.328263] x15: 0000004000140ec8 x14: 0000000000000000\n[ 5889.334617] x13: 0000000000000000 x12: 00000000010011df\n[ 5889.340965] x11: bbfeff4d22000000 x10: 0000000000000000\n[ 5889.347303] x9 : ffff800009402124 x8 : 0200f78811dfbb4d\n[ 5889.353637] x7 : 2200000000191b01 x6 : ffff208002a7d480\n[ 5889.359959] x5 : 0000000000000000 x4 : 0000000000000000\n[ 5889.366271] x3 : 0000000000000000 x2 : 0000000000000000\n[ 5889.372567] x1 : 0000000000000000 x0 : ffff20400095c080\n[ 5889.378857] Call trace:\n[ 5889.382285] hclge_ptp_get_rx_hwts+0x40/0x170 [hclge]\n[ 5889.388304] hns3_handle_bdinfo+0x324/0x410 [hns3]\n[ 5889.394055] hns3_handle_rx_bd+0x60/0x150 [hns3]\n[ 5889.399624] hns3_clean_rx_ring+0x84/0x170 [hns3]\n[ 5889.405270] hns3_nic_common_poll+0xa8/0x220 [hns3]\n[ 5889.411084] napi_poll+0xcc/0x264\n[ 5889.415329] net_rx_action+0xd4/0x21c\n[ 5889.419911] __do_softirq+0x130/0x358\n[ 5889.424484] irq_exit+0x134/0x154\n[ 5889.428700] __handle_domain_irq+0x88/0xf0\n[ 5889.433684] gic_handle_irq+0x78/0x2c0\n[ 5889.438319] el1_irq+0xb8/0x140\n[ 5889.442354] arch_cpu_idle+0x18/0x40\n[ 5889.446816] default_idle_call+0x5c/0x1c0\n[ 5889.451714] cpuidle_idle_call+0x174/0x1b0\n[ 5889.456692] do_idle+0xc8/0x160\n[ 5889.460717] cpu_startup_entry+0x30/0xfc\n[ 5889.465523] secondary_start_kernel+0x158/0x1ec\n[ 5889.470936] Code: 97ffab78 f9411c14 91408294 f9457284 (f9400c80)\n[ 5889.477950] SMP: stopping secondary CPUs\n[ 5890.514626] SMP: failed to stop secondary CPUs 0-69,71-95\n[ 5890.522951] Starting crashdump kernel...", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26881", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26881" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:37:30Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/844f104790bd69c2e4dbb9ee3eba46fde1fcea7b" + }, + { + "url": "https://git.kernel.org/stable/c/dbd909c20c11f0d29c0054d41e0d1f668a60e8c8" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26596" + } + ], + "bom-ref": "vuln-159", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26596" + } + } + ], + "created": "2024-02-23T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[ 43.309174] ==================================================================\n[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[ 43.330058]\n[ 43.342436] Call trace:\n[ 43.366542] dsa_user_prechangeupper+0x30/0xe8\n[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8\n[ 43.375768] notifier_call_chain+0xa4/0x210\n[ 43.379985] raw_notifier_call_chain+0x24/0x38\n[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8\n[ 43.389120] netdev_upper_dev_link+0x70/0xa8\n[ 43.393424] register_vlan_dev+0x1bc/0x310\n[ 43.397554] vlan_newlink+0x210/0x248\n[ 43.401247] rtnl_newlink+0x9fc/0xe30\n[ 43.404942] rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type check, as customary.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26596", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T19:54:59Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0193e0660cc6689c794794b471492923cfd7bfbc" + }, + { + "url": "https://git.kernel.org/stable/c/6eecddd9c3c8d6e3a097531cdc6d500335b35e46" + }, + { + "url": "https://git.kernel.org/stable/c/d91964cdada76740811b7c621239f9c407820dbc" + }, + { + "url": "https://git.kernel.org/stable/c/ba5e1272142d051dcc57ca1d3225ad8a089f9858" + }, + { + "url": "https://git.kernel.org/linus/ba5e1272142d051dcc57ca1d3225ad8a089f9858(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26681" + } + ], + "bom-ref": "vuln-160", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26681" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetdevsim: avoid potential loop in nsim_dev_trap_report_work()\n\nMany syzbot reports include the following trace [1]\n\nIf nsim_dev_trap_report_work() can not grab the mutex,\nit should rearm itself at least one jiffie later.\n\n[1]\nSending NMI from CPU 1 to CPUs 0:\nNMI backtrace for cpu 0\nCPU: 0 PID: 32383 Comm: kworker/0:2 Not tainted 6.8.0-rc2-syzkaller-00031-g861c0981648f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\nWorkqueue: events nsim_dev_trap_report_work\n RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:89 [inline]\n RIP: 0010:memory_is_nonzero mm/kasan/generic.c:104 [inline]\n RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:129 [inline]\n RIP: 0010:memory_is_poisoned mm/kasan/generic.c:161 [inline]\n RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]\n RIP: 0010:kasan_check_range+0x101/0x190 mm/kasan/generic.c:189\nCode: 07 49 39 d1 75 0a 45 3a 11 b8 01 00 00 00 7c 0b 44 89 c2 e8 21 ed ff ff 83 f0 01 5b 5d 41 5c c3 48 85 d2 74 4f 48 01 ea eb 09 <48> 83 c0 01 48 39 d0 74 41 80 38 00 74 f2 eb b6 41 bc 08 00 00 00\nRSP: 0018:ffffc90012dcf998 EFLAGS: 00000046\nRAX: fffffbfff258af1e RBX: fffffbfff258af1f RCX: ffffffff8168eda3\nRDX: fffffbfff258af1f RSI: 0000000000000004 RDI: ffffffff92c578f0\nRBP: fffffbfff258af1e R08: 0000000000000000 R09: fffffbfff258af1e\nR10: ffffffff92c578f3 R11: ffffffff8acbcbc0 R12: 0000000000000002\nR13: ffff88806db38400 R14: 1ffff920025b9f42 R15: ffffffff92c578e8\nFS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000c00994e078 CR3: 000000002c250000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n instrument_atomic_read include/linux/instrumented.h:68 [inline]\n atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]\n queued_spin_is_locked include/asm-generic/qspinlock.h:57 [inline]\n debug_spin_unlock kernel/locking/spinlock_debug.c:101 [inline]\n do_raw_spin_unlock+0x53/0x230 kernel/locking/spinlock_debug.c:141\n __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline]\n _raw_spin_unlock_irqrestore+0x22/0x70 kernel/locking/spinlock.c:194\n debug_object_activate+0x349/0x540 lib/debugobjects.c:726\n debug_work_activate kernel/workqueue.c:578 [inline]\n insert_work+0x30/0x230 kernel/workqueue.c:1650\n __queue_work+0x62e/0x11d0 kernel/workqueue.c:1802\n __queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953\n queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989\n queue_delayed_work include/linux/workqueue.h:563 [inline]\n schedule_delayed_work include/linux/workqueue.h:677 [inline]\n nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842\n process_one_work+0x886/0x15d0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26681", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26681" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4a5e31bdd3c1702b520506d9cf8c41085f75c7f2" + }, + { + "url": "https://git.kernel.org/stable/c/307fa8a75ab7423fa5c73573ec3d192de5027830" + }, + { + "url": "https://git.kernel.org/stable/c/54538752216bf89ee88d47ad07802063a498c299" + }, + { + "url": "https://git.kernel.org/stable/c/eef00a82c568944f113f2de738156ac591bbd5cd" + }, + { + "url": "https://git.kernel.org/stable/c/3266e638ba5cc1165f5e6989eb8c0720f1cc4b41" + }, + { + "url": "https://git.kernel.org/stable/c/caa064c3c2394d03e289ebd6b0be5102eb8a5b40" + }, + { + "url": "https://git.kernel.org/stable/c/88081ba415224cf413101def4343d660f56d082b" + }, + { + "url": "https://git.kernel.org/stable/c/5993f121fbc01dc2d734f0ff2628009b258fb1dd" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26679" + }, + { + "url": "https://git.kernel.org/linus/eef00a82c568944f113f2de738156ac591bbd5cd(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-161", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26679" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: read sk->sk_family once in inet_recv_error()\n\ninet_recv_error() is called without holding the socket lock.\n\nIPv6 socket could mutate to IPv4 with IPV6_ADDRFORM\nsocket option and trigger a KCSAN warning.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26679", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26679" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/all/20240207132416.1488485-1-aconole@redhat.com/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-1151" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262241" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-1151" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=bd128f62c365(selftests)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-162", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1151" + } + } + ], + "created": "2024-02-11T15:15:07Z", + "description": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-1151", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-22T04:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24864" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-163", + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24864" + } + } + ], + "created": "2024-02-05T08:15:45Z", + "description": "A race condition was found in the Linux kernel's media/dvb-core in dvbdmx_write() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-24864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24864" + }, + "cwes": [ + 362, + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:05:22Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/66b317a2fc45b2ef66527ee3f8fa08fb5beab88d" + }, + { + "url": "https://git.kernel.org/stable/c/e31546b0f34af21738c4ceac47d662c00ee6382f" + }, + { + "url": "https://git.kernel.org/stable/c/833775656d447c545133a744a0ed1e189ce61430" + }, + { + "url": "https://git.kernel.org/stable/c/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb" + }, + { + "url": "https://git.kernel.org/stable/c/3f5d47eb163bceb1b9e613c9003bae5fefc0046f" + }, + { + "url": "https://git.kernel.org/stable/c/5a172344bfdabb46458e03708735d7b1a918c468" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26727" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e03ee2fe873eb68c1f9ba5112fee70303ebf9dfb(6.8-rc4)" + } + ], + "bom-ref": "vuln-164", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26727" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not ASSERT() if the newly created subvolume already got read\n\n[BUG]\nThere is a syzbot crash, triggered by the ASSERT() during subvolume\ncreation:\n\n assertion failed: !anon_dev, in fs/btrfs/disk-io.c:1319\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/disk-io.c:1319!\n invalid opcode: 0000 [#1] PREEMPT SMP KASAN\n RIP: 0010:btrfs_get_root_ref.part.0+0x9aa/0xa60\n \n btrfs_get_new_fs_root+0xd3/0xf0\n create_subvol+0xd02/0x1650\n btrfs_mksubvol+0xe95/0x12b0\n __btrfs_ioctl_snap_create+0x2f9/0x4f0\n btrfs_ioctl_snap_create+0x16b/0x200\n btrfs_ioctl+0x35f0/0x5cf0\n __x64_sys_ioctl+0x19d/0x210\n do_syscall_64+0x3f/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n ---[ end trace 0000000000000000 ]---\n\n[CAUSE]\nDuring create_subvol(), after inserting root item for the newly created\nsubvolume, we would trigger btrfs_get_new_fs_root() to get the\nbtrfs_root of that subvolume.\n\nThe idea here is, we have preallocated an anonymous device number for\nthe subvolume, thus we can assign it to the new subvolume.\n\nBut there is really nothing preventing things like backref walk to read\nthe new subvolume.\nIf that happens before we call btrfs_get_new_fs_root(), the subvolume\nwould be read out, with a new anonymous device number assigned already.\n\nIn that case, we would trigger ASSERT(), as we really expect no one to\nread out that subvolume (which is not yet accessible from the fs).\nBut things like backref walk is still possible to trigger the read on\nthe subvolume.\n\nThus our assumption on the ASSERT() is not correct in the first place.\n\n[FIX]\nFix it by removing the ASSERT(), and just free the @anon_dev, reset it\nto 0, and continue.\n\nIf the subvolume tree is read out by something else, it should have\nalready get a new anon_dev assigned thus we only need to free the\npreallocated one.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b5909f197f3b26aebedca7d8ac7b688fd993a266" + }, + { + "url": "https://git.kernel.org/stable/c/8731fe001a60581794ed9cf65da8cd304846a6fb" + }, + { + "url": "https://git.kernel.org/stable/c/7535ec350a5f09b5756a7607f5582913f21200f4" + }, + { + "url": "https://git.kernel.org/stable/c/ccb88e9549e7cfd8bcd511c538f437e20026e983" + }, + { + "url": "https://git.kernel.org/stable/c/58054faf3bd29cd0b949b77efcb6157f66f401ed" + }, + { + "url": "https://git.kernel.org/stable/c/88aa493f393d2ee38ac140e1f6ac1881346e85d4" + }, + { + "url": "https://git.kernel.org/linus/ccb88e9549e7cfd8bcd511c538f437e20026e983(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26695" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-165", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26695" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked\n\nThe SEV platform device can be shutdown with a null psp_master,\ne.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN:\n\n[ 137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)\n[ 137.162647] ccp 0000:23:00.1: no command queues available\n[ 137.170598] ccp 0000:23:00.1: sev enabled\n[ 137.174645] ccp 0000:23:00.1: psp enabled\n[ 137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI\n[ 137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]\n[ 137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311\n[ 137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c\n[ 137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216\n[ 137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e\n[ 137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0\n[ 137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66\n[ 137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28\n[ 137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8\n[ 137.182693] FS: 0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000\n[ 137.182693] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0\n[ 137.182693] Call Trace:\n[ 137.182693] \n[ 137.182693] ? show_regs+0x6c/0x80\n[ 137.182693] ? __die_body+0x24/0x70\n[ 137.182693] ? die_addr+0x4b/0x80\n[ 137.182693] ? exc_general_protection+0x126/0x230\n[ 137.182693] ? asm_exc_general_protection+0x2b/0x30\n[ 137.182693] ? __sev_platform_shutdown_locked+0x51/0x180\n[ 137.182693] sev_firmware_shutdown.isra.0+0x1e/0x80\n[ 137.182693] sev_dev_destroy+0x49/0x100\n[ 137.182693] psp_dev_destroy+0x47/0xb0\n[ 137.182693] sp_destroy+0xbb/0x240\n[ 137.182693] sp_pci_remove+0x45/0x60\n[ 137.182693] pci_device_remove+0xaa/0x1d0\n[ 137.182693] device_remove+0xc7/0x170\n[ 137.182693] really_probe+0x374/0xbe0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] __driver_probe_device+0x199/0x460\n[ 137.182693] driver_probe_device+0x4e/0xd0\n[ 137.182693] __driver_attach+0x191/0x3d0\n[ 137.182693] ? __pfx___driver_attach+0x10/0x10\n[ 137.182693] bus_for_each_dev+0x100/0x190\n[ 137.182693] ? __pfx_bus_for_each_dev+0x10/0x10\n[ 137.182693] ? __kasan_check_read+0x15/0x20\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? _raw_spin_unlock+0x27/0x50\n[ 137.182693] driver_attach+0x41/0x60\n[ 137.182693] bus_add_driver+0x2a8/0x580\n[ 137.182693] driver_register+0x141/0x480\n[ 137.182693] __pci_register_driver+0x1d6/0x2a0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? esrt_sysfs_init+0x1cd/0x5d0\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] sp_pci_init+0x22/0x30\n[ 137.182693] sp_mod_init+0x14/0x30\n[ 137.182693] ? __pfx_sp_mod_init+0x10/0x10\n[ 137.182693] do_one_initcall+0xd1/0x470\n[ 137.182693] ? __pfx_do_one_initcall+0x10/0x10\n[ 137.182693] ? parameq+0x80/0xf0\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] ? __kmalloc+0x3b0/0x4e0\n[ 137.182693] ? kernel_init_freeable+0x92d/0x1050\n[ 137.182693] ? kasan_populate_vmalloc_pte+0x171/0x190\n[ 137.182693] ? srso_return_thunk+0x5/0x5f\n[ 137.182693] kernel_init_freeable+0xa64/0x1050\n[ 137.182693] ? __pfx_kernel_init+0x10/0x10\n[ 137.182693] kernel_init+0x24/0x160\n[ 137.182693] ? __switch_to_asm+0x3e/0x70\n[ 137.182693] ret_from_fork+0x40/0x80\n[ 137.182693] ? __pfx_kernel_init+0x1\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26695", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26695" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-166", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-416" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-416", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2000016bab499074e6248ea85aeea7dd762355d9" + }, + { + "url": "https://git.kernel.org/stable/c/67b8bcbaed4777871bb0dcc888fb02a614a98ab1" + }, + { + "url": "https://git.kernel.org/stable/c/120f7fa2008e3bd8b7680b4ab5df942decf60fd5" + }, + { + "url": "https://git.kernel.org/stable/c/a6efe6dbaaf504f5b3f8a5c3f711fe54e7dda0ba" + }, + { + "url": "https://git.kernel.org/stable/c/9c9c68d64fd3284f7097ed6ae057c8441f39fcd3" + }, + { + "url": "https://git.kernel.org/stable/c/2e1480538ef60bfee5473dfe02b1ecbaf1a4aa0d" + }, + { + "url": "https://git.kernel.org/stable/c/364a66be2abdcd4fd426ffa44d9b8f40aafb3caa" + }, + { + "url": "https://git.kernel.org/stable/c/5278c3eb6bf5896417572b52adb6be9d26e92f65" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/67b8bcbaed4777871bb0dcc888fb02a614a98ab1(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26697" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-167", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26697" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix data corruption in dsync block recovery for small block sizes\n\nThe helper function nilfs_recovery_copy_block() of\nnilfs_recovery_dsync_blocks(), which recovers data from logs created by\ndata sync writes during a mount after an unclean shutdown, incorrectly\ncalculates the on-page offset when copying repair data to the file's page\ncache. In environments where the block size is smaller than the page\nsize, this flaw can cause data corruption and leak uninitialized memory\nbytes during the recovery process.\n\nFix these issues by correcting this byte offset calculation on the page.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26697", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26697" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13b33feb2ebddc2b1aa607f553566b18a4af1d76" + }, + { + "url": "https://git.kernel.org/stable/c/fd203d2c671bdee9ab77090ff394d3b71b627927" + }, + { + "url": "https://git.kernel.org/stable/c/a69224223746ab96d43e5db9d22d136827b7e2d3" + }, + { + "url": "https://git.kernel.org/stable/c/f123dc86388cb669c3d6322702dc441abc35c31e" + }, + { + "url": "https://git.kernel.org/stable/c/674c1c4229e743070e09db63a23442950ff000d1" + }, + { + "url": "https://git.kernel.org/stable/c/89e8524135a3902e7563a5a59b7b5ec1bf4904ac" + }, + { + "url": "https://git.kernel.org/stable/c/53cb1e52c9db618c08335984d1ca80db220ccf09" + }, + { + "url": "https://git.kernel.org/stable/c/1b4fe801b5bedec2b622ddb18e5c9bf26c63d79f" + }, + { + "url": "https://git.kernel.org/linus/f123dc86388cb669c3d6322702dc441abc35c31e(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52699" + } + ], + "bom-ref": "vuln-168", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52699" + } + } + ], + "created": "2024-05-19T11:15:47Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsysv: don't call sb_bread() with pointers_lock held\n\nsyzbot is reporting sleep in atomic context in SysV filesystem [1], for\nsb_bread() is called with rw_spinlock held.\n\nA \"write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock\" bug\nand a \"sb_bread() with write_lock(&pointers_lock)\" bug were introduced by\n\"Replace BKL for chain locking with sysvfs-private rwlock\" in Linux 2.5.12.\n\nThen, \"[PATCH] err1-40: sysvfs locking fix\" in Linux 2.6.8 fixed the\nformer bug by moving pointers_lock lock to the callers, but instead\nintroduced a \"sb_bread() with read_lock(&pointers_lock)\" bug (which made\nthis problem easier to hit).\n\nAl Viro suggested that why not to do like get_branch()/get_block()/\nfind_shared() in Minix filesystem does. And doing like that is almost a\nrevert of \"[PATCH] err1-40: sysvfs locking fix\" except that get_branch()\n from with find_shared() is called without write_lock(&pointers_lock).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52699", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52699" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/baa0aaac16432019651e0d60c41cd34a0c3c3477" + }, + { + "url": "https://git.kernel.org/stable/c/58eb5c07f41704464b9acc09ab0707b6769db6c0" + }, + { + "url": "https://git.kernel.org/stable/c/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/832dd634bd1b4e3bbe9f10b9c9ba5db6f6f2b97f(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26670" + } + ], + "bom-ref": "vuln-169", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26670" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n\nCurrently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn't\nquite right, as it is supposed to be applied after the last explicit\nmemory access, but is immediately followed by an LDR.\n\nThe ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround is used to\nhandle Cortex-A520 erratum 2966298 and Cortex-A510 erratum 3117295,\nwhich are described in:\n\n* https://developer.arm.com/documentation/SDEN2444153/0600/?lang=en\n* https://developer.arm.com/documentation/SDEN1873361/1600/?lang=en\n\nIn both cases the workaround is described as:\n\n| If pagetable isolation is disabled, the context switch logic in the\n| kernel can be updated to execute the following sequence on affected\n| cores before exiting to EL0, and after all explicit memory accesses:\n|\n| 1. A non-shareable TLBI to any context and/or address, including\n| unused contexts or addresses, such as a `TLBI VALE1 Xzr`.\n|\n| 2. A DSB NSH to guarantee completion of the TLBI.\n\nThe important part being that the TLBI+DSB must be placed \"after all\nexplicit memory accesses\".\n\nUnfortunately, as-implemented, the TLBI+DSB is immediately followed by\nan LDR, as we have:\n\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| alternative_if_not ARM64_UNMAP_KERNEL_AT_EL0\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n| \teret\n| alternative_else_nop_endif\n|\n| [ ... KPTI exception return path ... ]\n\nThis patch fixes this by reworking the logic to place the TLBI+DSB\nimmediately before the ERET, after all explicit memory accesses.\n\nThe ERET is currently in a separate alternative block, and alternatives\ncannot be nested. To account for this, the alternative block for\nARM64_UNMAP_KERNEL_AT_EL0 is replaced with a single alternative branch\nto skip the KPTI logic, with the new shape of the logic being:\n\n| alternative_insn \"b .L_skip_tramp_exit_\\@\", nop, ARM64_UNMAP_KERNEL_AT_EL0\n| \t[ ... KPTI exception return path ... ]\n| .L_skip_tramp_exit_\\@:\n|\n| \tldr\tlr, [sp, #S_LR]\n| \tadd\tsp, sp, #PT_REGS_SIZE\t\t// restore sp\n|\n| alternative_if ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD\n| \ttlbi\tvale1, xzr\n| \tdsb\tnsh\n| alternative_else_nop_endif\n| \teret\n\nThe new structure means that the workaround is only applied when KPTI is\nnot in use; this is fine as noted in the documented implications of the\nerratum:\n\n| Pagetable isolation between EL0 and higher level ELs prevents the\n| issue from occurring.\n\n... and as per the workaround description quoted above, the workaround\nis only necessary \"If pagetable isolation is disabled\".", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26670", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26670" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24855" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6700-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6699-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6702-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-4" + }, + { + "url": "https://lore.kernel.org/all/20230630024748.1035993-1-islituo@gmail.com/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6700-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6702-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6701-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6705-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6716-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6704-3" + } + ], + "bom-ref": "vuln-170", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24855" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-24855", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" + }, + "cwes": [ + 362, + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:06:40Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dceb683ab87ca3666a9bb5c0158528b646faedc4" + }, + { + "url": "https://git.kernel.org/stable/c/3f59ac29dea0921637053908fe99268d157bbb9d" + }, + { + "url": "https://git.kernel.org/stable/c/b13db0d16bc7b2a52abcf5cb71334f63faa5dbd6" + }, + { + "url": "https://git.kernel.org/stable/c/751de2012eafa4d46d8081056761fa0e9cc8a178" + }, + { + "url": "https://git.kernel.org/stable/c/43193174510ea4f3ce09b796e559a2fd9f148615" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27018" + }, + { + "url": "https://git.kernel.org/linus/751de2012eafa4d46d8081056761fa0e9cc8a178(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-171", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27018" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook for promisc packets\n\nFor historical reasons, when bridge device is in promisc mode, packets\nthat are directed to the taps follow bridge input hook path. This patch\nadds a workaround to reset conntrack for these packets.\n\nJianbo Liu reports warning splats in their test infrastructure where\ncloned packets reach the br_netfilter input hook to confirm the\nconntrack object.\n\nScratch one bit from BR_INPUT_SKB_CB to annotate that this packet has\nreached the input hook because it is passed up to the bridge device to\nreach the taps.\n\n[ 57.571874] WARNING: CPU: 1 PID: 0 at net/bridge/br_netfilter_hooks.c:616 br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.572749] Modules linked in: xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat xt_addrtype xt_conntrack nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_isc si ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5ctl mlx5_core\n[ 57.575158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.8.0+ #19\n[ 57.575700] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n[ 57.576662] RIP: 0010:br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.577195] Code: fe ff ff 41 bd 04 00 00 00 be 04 00 00 00 e9 4a ff ff ff be 04 00 00 00 48 89 ef e8 f3 a9 3c e1 66 83 ad b4 00 00 00 04 eb 91 <0f> 0b e9 f1 fe ff ff 0f 0b e9 df fe ff ff 48 89 df e8 b3 53 47 e1\n[ 57.578722] RSP: 0018:ffff88885f845a08 EFLAGS: 00010202\n[ 57.579207] RAX: 0000000000000002 RBX: ffff88812dfe8000 RCX: 0000000000000000\n[ 57.579830] RDX: ffff88885f845a60 RSI: ffff8881022dc300 RDI: 0000000000000000\n[ 57.580454] RBP: ffff88885f845a60 R08: 0000000000000001 R09: 0000000000000003\n[ 57.581076] R10: 00000000ffff1300 R11: 0000000000000002 R12: 0000000000000000\n[ 57.581695] R13: ffff8881047ffe00 R14: ffff888108dbee00 R15: ffff88814519b800\n[ 57.582313] FS: 0000000000000000(0000) GS:ffff88885f840000(0000) knlGS:0000000000000000\n[ 57.583040] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 57.583564] CR2: 000000c4206aa000 CR3: 0000000103847001 CR4: 0000000000370eb0\n[ 57.584194] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[ 57.584820] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[ 57.585440] Call Trace:\n[ 57.585721] \n[ 57.585976] ? __warn+0x7d/0x130\n[ 57.586323] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.586811] ? report_bug+0xf1/0x1c0\n[ 57.587177] ? handle_bug+0x3f/0x70\n[ 57.587539] ? exc_invalid_op+0x13/0x60\n[ 57.587929] ? asm_exc_invalid_op+0x16/0x20\n[ 57.588336] ? br_nf_local_in+0x157/0x180 [br_netfilter]\n[ 57.588825] nf_hook_slow+0x3d/0xd0\n[ 57.589188] ? br_handle_vlan+0x4b/0x110\n[ 57.589579] br_pass_frame_up+0xfc/0x150\n[ 57.589970] ? br_port_flags_change+0x40/0x40\n[ 57.590396] br_handle_frame_finish+0x346/0x5e0\n[ 57.590837] ? ipt_do_table+0x32e/0x430\n[ 57.591221] ? br_handle_local_finish+0x20/0x20\n[ 57.591656] br_nf_hook_thresh+0x4b/0xf0 [br_netfilter]\n[ 57.592286] ? br_handle_local_finish+0x20/0x20\n[ 57.592802] br_nf_pre_routing_finish+0x178/0x480 [br_netfilter]\n[ 57.593348] ? br_handle_local_finish+0x20/0x20\n[ 57.593782] ? nf_nat_ipv4_pre_routing+0x25/0x60 [nf_nat]\n[ 57.594279] br_nf_pre_routing+0x24c/0x550 [br_netfilter]\n[ 57.594780] ? br_nf_hook_thresh+0xf0/0xf0 [br_netfilter]\n[ 57.595280] br_handle_frame+0x1f3/0x3d0\n[ 57.595676] ? br_handle_local_finish+0x20/0x20\n[ 57.596118] ? br_handle_frame_finish+0x5e0/0x5e0\n[ 57.596566] __netif_receive_skb_core+0x25b/0xfc0\n[ 57.597017] ? __napi_build_skb+0x37/0x40\n[ 57.597418] __netif_receive_skb_list_core+0xfb/0x220", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27018", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27018" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/539d51ac48bcfcfa1b3d4a85f8df92fa22c1d41c" + }, + { + "url": "https://git.kernel.org/stable/c/79f988d3ffc1aa778fc5181bdfab312e57956c6b" + }, + { + "url": "https://git.kernel.org/stable/c/38762a0763c10c24a4915feee722d7aa6e73eb98" + }, + { + "url": "https://git.kernel.org/stable/c/1fe60ee709436550f8cfbab01295936b868d5baa" + }, + { + "url": "https://git.kernel.org/stable/c/cca330c59c54207567a648357835f59df9a286bb" + }, + { + "url": "https://git.kernel.org/stable/c/67f34f093c0f7bf33f5b4ae64d3d695a3b978285" + }, + { + "url": "https://git.kernel.org/stable/c/7b8c7bd2296e95b38a6ff346242356a2e7190239" + }, + { + "url": "https://git.kernel.org/stable/c/4ee0941da10e8fdcdb34756b877efd3282594c1f" + }, + { + "url": "https://git.kernel.org/linus/38762a0763c10c24a4915feee722d7aa6e73eb98(6.9-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27401" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-172", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27401" + } + } + ], + "created": "2024-05-14T15:12:29Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirewire: nosy: ensure user_length is taken into account when fetching packet contents\n\nEnsure that packet_buffer_get respects the user_length provided. If\nthe length of the head packet exceeds the user_length, packet_buffer_get\nwill now return 0 to signify to the user that no data were read\nand a larger buffer size is required. Helps prevent user space overflows.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27401", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27401" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2db9a8c0a01fa1c762c1e61a13c212c492752994" + }, + { + "url": "https://git.kernel.org/stable/c/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2" + }, + { + "url": "https://git.kernel.org/stable/c/eaa5e164a2110d2fb9e16c8a29e4501882235137" + }, + { + "url": "https://git.kernel.org/stable/c/35880c3fa6f8fe281a19975d2992644588ca33d3" + }, + { + "url": "https://git.kernel.org/stable/c/589523cf0b384164e445dd5db8d5b1bf97982424" + }, + { + "url": "https://git.kernel.org/stable/c/9048616553c65e750d43846f225843ed745ec0d4" + }, + { + "url": "https://git.kernel.org/stable/c/edee0758747d7c219e29db9ed1d4eb33e8d32865" + }, + { + "url": "https://git.kernel.org/stable/c/bca6fa2d9a9f560e6b89fd5190b05cc2f5d422c1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27395" + }, + { + "url": "https://git.kernel.org/linus/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-173", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27395" + } + } + ], + "created": "2024-05-14T15:12:27Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: openvswitch: Fix Use-After-Free in ovs_ct_exit\n\nSince kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof ovs_ct_limit_exit, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27395", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27395" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/42442f74314d41ddc68227047036fa3e78940054" + }, + { + "url": "https://git.kernel.org/stable/c/a938eab9586eea31cfd129a507f552efae14d738" + }, + { + "url": "https://git.kernel.org/stable/c/efdd665ce1a1634b8c1dad5e7f6baaef3e131d0a" + }, + { + "url": "https://git.kernel.org/stable/c/58fca355ad37dcb5f785d9095db5f748b79c5dc2" + }, + { + "url": "https://git.kernel.org/stable/c/cd9bd10c59e3c1446680514fd3097c5b00d3712d" + }, + { + "url": "https://git.kernel.org/linus/58fca355ad37dcb5f785d9095db5f748b79c5dc2(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26660" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-174", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26660" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Implement bounds check for stream encoder creation in DCN301\n\n'stream_enc_regs' array is an array of dcn10_stream_enc_registers\nstructures. The array is initialized with four elements, corresponding\nto the four calls to stream_enc_regs() in the array initializer. This\nmeans that valid indices for this array are 0, 1, 2, and 3.\n\nThe error message 'stream_enc_regs' 4 <= 5 below, is indicating that\nthere is an attempt to access this array with an index of 5, which is\nout of bounds. This could lead to undefined behavior\n\nHere, eng_id is used as an index to access the stream_enc_regs array. If\neng_id is 5, this would result in an out-of-bounds access on the\nstream_enc_regs array.\n\nThus fixing Buffer overflow error in dcn301_stream_encoder_create\nreported by Smatch:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26660", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26660" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/62b5ae00c2b835639002ce898ccb5d82c51073ae" + }, + { + "url": "https://git.kernel.org/stable/c/6379b44cdcd67f5f5d986b73953e99700591edfa" + }, + { + "url": "https://git.kernel.org/linus/6379b44cdcd67f5f5d986b73953e99700591edfa(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26972" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-175", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26972" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: ubifs_symlink: Fix memleak of inode->i_link in error path\n\nFor error handling path in ubifs_symlink(), inode will be marked as\nbad first, then iput() is invoked. If inode->i_link is initialized by\nfscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't\nbe freed by callchain ubifs_free_inode -> fscrypt_free_inode in error\nhandling path, because make_bad_inode() has changed 'inode->i_mode' as\n'S_IFREG'.\nFollowing kmemleak is easy to be reproduced by injecting error in\nubifs_jnl_update() when doing symlink in encryption scenario:\n unreferenced object 0xffff888103da3d98 (size 8):\n comm \"ln\", pid 1692, jiffies 4294914701 (age 12.045s)\n backtrace:\n kmemdup+0x32/0x70\n __fscrypt_encrypt_symlink+0xed/0x1c0\n ubifs_symlink+0x210/0x300 [ubifs]\n vfs_symlink+0x216/0x360\n do_symlinkat+0x11a/0x190\n do_syscall_64+0x3b/0xe0\nThere are two ways fixing it:\n 1. Remove make_bad_inode() in error handling path. We can do that\n because ubifs_evict_inode() will do same processes for good\n symlink inode and bad symlink inode, for inode->i_nlink checking\n is before is_bad_inode().\n 2. Free inode->i_link before marking inode bad.\nMethod 2 is picked, it has less influence, personally, I think.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26972", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26972" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f83b9abee9faa4868a6fac4669b86f4c215dae25" + }, + { + "url": "https://git.kernel.org/stable/c/475426ad1ae0bfdfd8f160ed9750903799392438" + }, + { + "url": "https://git.kernel.org/stable/c/339ddc983bc1622341d95f244c361cda3da3a4ff" + }, + { + "url": "https://git.kernel.org/stable/c/c41336f4d69057cbf88fed47951379b384540df5" + }, + { + "url": "https://git.kernel.org/stable/c/3cd1d92ee1dbf3e8f988767eb75f26207397792b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52645" + }, + { + "url": "https://git.kernel.org/linus/c41336f4d69057cbf88fed47951379b384540df5(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-176", + "ratings": [ + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52645" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52645" + } + } + ], + "created": "2024-04-17T16:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: mediatek: fix race conditions with genpd\n\nIf the power domains are registered first with genpd and *after that*\nthe driver attempts to power them on in the probe sequence, then it is\npossible that a race condition occurs if genpd tries to power them on\nin the same time.\nThe same is valid for powering them off before unregistering them\nfrom genpd.\nAttempt to fix race conditions by first removing the domains from genpd\nand *after that* powering down domains.\nAlso first power up the domains and *after that* register them\nto genpd.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52645", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52645" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:13:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301" + }, + { + "url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308" + }, + { + "url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512" + }, + { + "url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26828" + }, + { + "url": "https://git.kernel.org/linus/cffe487026be13eaf37ea28b783d9638ab147204(6.8-rc5)" + } + ], + "bom-ref": "vuln-177", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26828" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26828", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26828" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/620b6cf2f1a270f48d38e6b8ce199c1acb3e90f4" + }, + { + "url": "https://git.kernel.org/stable/c/962300a360d24c5be5a188cda48da58a37e4304d" + }, + { + "url": "https://git.kernel.org/stable/c/b2c898469dfc388f619c6c972a28466cbb1442ea" + }, + { + "url": "https://git.kernel.org/stable/c/4a49d24fdec0a802aa686a567a3989a9fdf4e5dd" + }, + { + "url": "https://git.kernel.org/stable/c/7b6cc33593d7ccfc3011b290849cfa899db46757" + }, + { + "url": "https://git.kernel.org/stable/c/be95cc6d71dfd0cba66e3621c65413321b398052" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26964" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/be95cc6d71dfd0cba66e3621c65413321b398052(6.9-rc1)" + } + ], + "bom-ref": "vuln-178", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26964" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Add error handling in xhci_map_urb_for_dma\n\nCurrently xhci_map_urb_for_dma() creates a temporary buffer and copies\nthe SG list to the new linear buffer. But if the kzalloc_node() fails,\nthen the following sg_pcopy_to_buffer() can lead to crash since it\ntries to memcpy to NULL pointer.\n\nSo return -ENOMEM if kzalloc returns null pointer.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26964", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26964" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ac68d9fa09e410fa3ed20fb721d56aa558695e16" + }, + { + "url": "https://git.kernel.org/stable/c/755e53bbc61bc1aff90eafa64c8c2464fd3dfa3c" + }, + { + "url": "https://git.kernel.org/stable/c/03fe259649a551d336a7f20919b641ea100e3fff" + }, + { + "url": "https://git.kernel.org/stable/c/11387b2effbb55f58dc2111ef4b4b896f2756240" + }, + { + "url": "https://git.kernel.org/stable/c/a946ebee45b09294c8b0b0e77410b763c4d2817a" + }, + { + "url": "https://git.kernel.org/stable/c/8948e30de81faee87eeee01ef42a1f6008f5a83a" + }, + { + "url": "https://git.kernel.org/stable/c/d24b03535e5eb82e025219c2f632b485409c898f" + }, + { + "url": "https://git.kernel.org/stable/c/b51ec7fc9f877ef869c01d3ea6f18f6a64e831a7" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35915" + }, + { + "url": "https://git.kernel.org/linus/d24b03535e5eb82e025219c2f632b485409c898f(6.9-rc2)" + } + ], + "bom-ref": "vuln-179", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35915" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet\n\nsyzbot reported the following uninit-value access issue [1][2]:\n\nnci_rx_work() parses and processes received packet. When the payload\nlength is zero, each message type handler reads uninitialized payload\nand KMSAN detects this issue. The receipt of a packet with a zero-size\npayload is considered unexpected, and therefore, such packets should be\nsilently discarded.\n\nThis patch resolved this issue by checking payload size before calling\neach message type handler codes.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35915", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35915" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-180", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-332" + } + ], + "id": "CVE-2023-50387", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fc126c1d51e9552eacd2d717b9ffe9262a8a4cd6" + }, + { + "url": "https://git.kernel.org/stable/c/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486" + }, + { + "url": "https://git.kernel.org/stable/c/5b3b67f731296027cceb3efad881ae281213f86f" + }, + { + "url": "https://git.kernel.org/stable/c/2eeab8c47c3c0276e0746bc382f405c9a236a5ad" + }, + { + "url": "https://git.kernel.org/stable/c/d225b0ac96dc40d7e8ae2bc227eb2c56e130975f" + }, + { + "url": "https://git.kernel.org/linus/ed4cccef64c1d0d5b91e69f7a8a6697c3a865486(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35890" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-181", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35890" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngro: fix ownership transfer\n\nIf packets are GROed with fraglist they might be segmented later on and\ncontinue their journey in the stack. In skb_segment_list those skbs can\nbe reused as-is. This is an issue as their destructor was removed in\nskb_gro_receive_list but not the reference to their socket, and then\nthey can't be orphaned. Fix this by also removing the reference to the\nsocket.\n\nFor example this could be observed,\n\n kernel BUG at include/linux/skbuff.h:3131! (skb_orphan)\n RIP: 0010:ip6_rcv_core+0x11bc/0x19a0\n Call Trace:\n ipv6_list_rcv+0x250/0x3f0\n __netif_receive_skb_list_core+0x49d/0x8f0\n netif_receive_skb_list_internal+0x634/0xd40\n napi_complete_done+0x1d2/0x7d0\n gro_cell_poll+0x118/0x1f0\n\nA similar construction is found in skb_gro_receive, apply the same\nchange there.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35890", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35890" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/47ac11db93e74ac49cd6c3fc69bcbc5964c4a8b4" + }, + { + "url": "https://git.kernel.org/stable/c/e67b652d8e8591d3b1e569dbcdfcee15993e91fa" + }, + { + "url": "https://git.kernel.org/stable/c/d111e30d9cd846bb368faf3637dc0f71fcbcf822" + }, + { + "url": "https://git.kernel.org/stable/c/99044c01ed5329e73651c054d8a4baacdbb1a27c" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e67b652d8e8591d3b1e569dbcdfcee15993e91fa(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52653" + } + ], + "bom-ref": "vuln-182", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52653" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix a memleak in gss_import_v2_context\n\nThe ctx->mech_used.data allocated by kmemdup is not freed in neither\ngss_import_v2_context nor it only caller gss_krb5_import_sec_context,\nwhich frees ctx on error.\n\nThus, this patch reform the last call of gss_import_v2_context to the\ngss_krb5_import_ctx_v2, preventing the memleak while keepping the return\nformation.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52653", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52653" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0e6521b0f93ff350434ed4ae61a250907e65d397" + }, + { + "url": "https://git.kernel.org/stable/c/276af8efb05c8e47acf2738a5609dd72acfc703f" + }, + { + "url": "https://git.kernel.org/stable/c/b56a793f267679945d1fdb9a280013bd2d0ed7f9" + }, + { + "url": "https://git.kernel.org/stable/c/62c3ecd2833cff0eff4a82af4082c44ca8d2518a" + }, + { + "url": "https://git.kernel.org/stable/c/e6378314bb920acb39013051fa65d8f9f8030430" + }, + { + "url": "https://git.kernel.org/stable/c/584c2a9184a33a40fceee838f856de3cffa19be3" + }, + { + "url": "https://git.kernel.org/stable/c/a62168653774c36398d65846a98034436ee66d03" + }, + { + "url": "https://git.kernel.org/stable/c/dd199e5b759ffe349622a4b8fbcafc51fc51b1ec" + }, + { + "url": "https://git.kernel.org/stable/c/af25c5180b2b1796342798f6c56fcfd12f5035bd" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/584c2a9184a33a40fceee838f856de3cffa19be3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35806" + } + ], + "bom-ref": "vuln-183", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35806" + } + } + ], + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Always disable interrupts when taking cgr_lock\n\nsmp_call_function_single disables IRQs when executing the callback. To\nprevent deadlocks, we must disable IRQs when taking cgr_lock elsewhere.\nThis is already done by qman_update_cgr and qman_delete_cgr; fix the\nother lockers.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35806", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35806" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1936.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6597" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070135" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-616.html" + }, + { + "url": "https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-617.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2541.html" + }, + { + "url": "https://seclists.org/oss-sec/2024/q1/240" + } + ], + "bom-ref": "vuln-184", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6597" + } + } + ], + "created": "2024-03-19T16:15:08Z", + "description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.\n", + "affects": [ + { + "ref": "comp-321" + } + ], + "id": "CVE-2023-6597", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6597" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2023-5341" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LICYTADFJAFPZW3Y2MKNCJIUYODPAG4L/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241774" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAULDP3GG5KI3XITQ5XSMRSILCBZS2VK/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6621-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2289.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5341" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-379.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1856.html" + } + ], + "bom-ref": "vuln-185", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5341" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341" + } + } + ], + "created": "2023-11-19T10:15:49Z", + "description": "A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2023-5341", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-22T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bea82355df9e1c299625405b1947fc9b26b4c6d4" + }, + { + "url": "https://git.kernel.org/stable/c/55f8ea6731aa64871ee6aef7dba53ee9f9f3b2f6" + }, + { + "url": "https://git.kernel.org/stable/c/766ec94cc57492eab97cbbf1595bd516ab0cb0e4" + }, + { + "url": "https://git.kernel.org/stable/c/62b1f837b15cf3ec2835724bdf8577e47d14c753" + }, + { + "url": "https://git.kernel.org/stable/c/1784053cf10a14c4ebd8a890bad5cfe1bee51713" + }, + { + "url": "https://git.kernel.org/stable/c/c10fed329c1c104f375a75ed97ea3abef0786d62" + }, + { + "url": "https://git.kernel.org/stable/c/bcfcdf19698024565eff427706ebbd8df65abd11" + }, + { + "url": "https://git.kernel.org/stable/c/a20ad45008a7c82f1184dc6dee280096009ece55" + }, + { + "url": "https://git.kernel.org/stable/c/2342b05ec5342a519e00524a507f7a6ea6791a38" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27028" + }, + { + "url": "https://git.kernel.org/linus/a20ad45008a7c82f1184dc6dee280096009ece55(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-186", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27028" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: spi-mt65xx: Fix NULL pointer access in interrupt handler\n\nThe TX buffer in spi_transfer can be a NULL pointer, so the interrupt\nhandler may end up writing to the invalid memory and cause crashes.\n\nAdd a check to trans->tx_buf before using it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27028", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27028" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/20fdb21eabaeb8f78f8f701f56d14ea0836ec861" + }, + { + "url": "https://git.kernel.org/stable/c/6417684315087904fffe8966d27ca74398c57dd6" + }, + { + "url": "https://git.kernel.org/stable/c/4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b" + }, + { + "url": "https://git.kernel.org/stable/c/f13edd1871d4fb4ab829aff629d47914e251bae3" + }, + { + "url": "https://git.kernel.org/stable/c/b69f577308f1070004cafac106dd1a44099e5483" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26946" + }, + { + "url": "https://git.kernel.org/linus/4e51653d5d871f40f1bd5cf95cc7f2d8b33d063b(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-187", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26946" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address\n\nRead from an unsafe address with copy_from_kernel_nofault() in\narch_adjust_kprobe_addr() because this function is used before checking\nthe address is in text or not. Syzcaller bot found a bug and reported\nthe case if user specifies inaccessible data area,\narch_adjust_kprobe_addr() will cause a kernel panic.\n\n[ mingo: Clarified the comment. ]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26946", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26946" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/105f72cc48c4c93f4578fcc61e06276471858e92" + }, + { + "url": "https://git.kernel.org/stable/c/27571c64f1855881753e6f33c3186573afbab7ba" + }, + { + "url": "https://git.kernel.org/stable/c/0a23f95af7f28dae7c0f7c82578ca5e1a239d461" + }, + { + "url": "https://git.kernel.org/stable/c/75baad63c033b3b900d822bffbc96c9d3649bc75" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52648" + }, + { + "url": "https://git.kernel.org/linus/27571c64f1855881753e6f33c3186573afbab7ba(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-188", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52648" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\n\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\n\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\n\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? exc_page_fault+0x7f/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\n drm_atomic_helper_cleanup_planes+0x9b/0xc0\n commit_tail+0xd1/0x130\n drm_atomic_helper_commit+0x11a/0x140\n drm_atomic_commit+0x97/0xd0\n ? __pfx___drm_printfn_info+0x10/0x10\n drm_atomic_helper_update_plane+0xf5/0x160\n drm_mode_cursor_universal+0x10e/0x270\n drm_mode_cursor_common+0x102/0x230\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n drm_ioctl_kernel+0xb2/0x110\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n ? __pfx_drm_ioctl+0x10/0x10\n vmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x61/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? __x64_sys_ioctl+0xaf/0xd0\n ? syscall_exit_to_user_mode+0x2b/0x40\n ? do_syscall_64+0x70/0xe0\n ? exc_page_fault+0x7f/0x180\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n \nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52648", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52648" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6547-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-317.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7024" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:6494" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-41105" + } + ], + "bom-ref": "vuln-189", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105" + } + }, + { + "severity": "none", + "score": 0.00055, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-41105" + } + } + ], + "created": "2023-08-23T07:15:08Z", + "description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.", + "affects": [ + { + "ref": "comp-321" + } + ], + "id": "CVE-2023-41105", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41105" + }, + "cwes": [ + 426 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:20:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T13:59:51Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6f7d0f5fd8e440c3446560100ac4ff9a55eec340" + }, + { + "url": "https://git.kernel.org/stable/c/2bfbe1e0aed00ba51d58573c79452fada3f62ed4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26836" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/6f7d0f5fd8e440c3446560100ac4ff9a55eec340(6.8-rc6)" + } + ], + "bom-ref": "vuln-190", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26836" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: think-lmi: Fix password opcode ordering for workstations\n\nThe Lenovo workstations require the password opcode to be run before\nthe attribute value is changed (if Admin password is enabled).\n\nTested on some Thinkpads to confirm they are OK with this order too.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26836", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26836" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/334a8348b2df26526f3298848ad6864285592caf" + }, + { + "url": "https://git.kernel.org/stable/c/729bc77af438a6e67914c97f6f3d3af8f72c0131" + }, + { + "url": "https://git.kernel.org/stable/c/f8c4a6b850882bc47aaa864b720c7a2ee3102f39" + }, + { + "url": "https://git.kernel.org/stable/c/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26741" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/66b60b0c8c4a163b022a9f0ad6769b0fd3dc662f(6.8-rc6)" + } + ], + "bom-ref": "vuln-191", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26741" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndccp/tcp: Unhash sk from ehash for tb2 alloc failure after check_estalblished().\n\nsyzkaller reported a warning [0] in inet_csk_destroy_sock() with no\nrepro.\n\n WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);\n\nHowever, the syzkaller's log hinted that connect() failed just before\nthe warning due to FAULT_INJECTION. [1]\n\nWhen connect() is called for an unbound socket, we search for an\navailable ephemeral port. If a bhash bucket exists for the port, we\ncall __inet_check_established() or __inet6_check_established() to check\nif the bucket is reusable.\n\nIf reusable, we add the socket into ehash and set inet_sk(sk)->inet_num.\n\nLater, we look up the corresponding bhash2 bucket and try to allocate\nit if it does not exist.\n\nAlthough it rarely occurs in real use, if the allocation fails, we must\nrevert the changes by check_established(). Otherwise, an unconnected\nsocket could illegally occupy an ehash entry.\n\nNote that we do not put tw back into ehash because sk might have\nalready responded to a packet for tw and it would be better to free\ntw earlier under such memory presure.\n\n[0]:\nWARNING: CPU: 0 PID: 350830 at net/ipv4/inet_connection_sock.c:1193 inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nModules linked in:\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nRIP: 0010:inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\nCode: 41 5c 41 5d 41 5e e9 2d 4a 3d fd e8 28 4a 3d fd 48 89 ef e8 f0 cd 7d ff 5b 5d 41 5c 41 5d 41 5e e9 13 4a 3d fd e8 0e 4a 3d fd <0f> 0b e9 61 fe ff ff e8 02 4a 3d fd 4c 89 e7 be 03 00 00 00 e8 05\nRSP: 0018:ffffc9000b21fd38 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000009e78 RCX: ffffffff840bae40\nRDX: ffff88806e46c600 RSI: ffffffff840bb012 RDI: ffff88811755cca8\nRBP: ffff88811755c880 R08: 0000000000000003 R09: 0000000000000000\nR10: 0000000000009e78 R11: 0000000000000000 R12: ffff88811755c8e0\nR13: ffff88811755c892 R14: ffff88811755c918 R15: 0000000000000000\nFS: 00007f03e5243800(0000) GS:ffff88811ae00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000001b32f21000 CR3: 0000000112ffe001 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n \n ? inet_csk_destroy_sock (net/ipv4/inet_connection_sock.c:1193)\n dccp_close (net/dccp/proto.c:1078)\n inet_release (net/ipv4/af_inet.c:434)\n __sock_release (net/socket.c:660)\n sock_close (net/socket.c:1423)\n __fput (fs/file_table.c:377)\n __fput_sync (fs/file_table.c:462)\n __x64_sys_close (fs/open.c:1557 fs/open.c:1539 fs/open.c:1539)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\nRIP: 0033:0x7f03e53852bb\nCode: 03 00 00 00 0f 05 48 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 43 c9 f5 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 c9 f5 ff 8b 44\nRSP: 002b:00000000005dfba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003\nRAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f03e53852bb\nRDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000167c\nR10: 0000000008a79680 R11: 0000000000000293 R12: 00007f03e4e43000\nR13: 00007f03e4e43170 R14: 00007f03e4e43178 R15: 00007f03e4e43170\n \n\n[1]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 0 PID: 350833 Comm: syz-executor.1 Not tainted 6.7.0-12272-g2121c43f88f5 #9\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3748)\n kmem_cache_alloc (mm/slub.c:3763 mm/slub.c:3842 mm/slub.c:3867)\n inet_bind2_bucket_create \n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26741", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26741" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/34925d01baf3ee62ab21c21efd9e2c44c24c004a" + }, + { + "url": "https://git.kernel.org/stable/c/b5085b5ac1d96ea2a8a6240f869655176ce44197" + }, + { + "url": "https://git.kernel.org/stable/c/26ebeffff238488466fa578be3b35b8a46e69906" + }, + { + "url": "https://git.kernel.org/stable/c/bcf4a115a5068f3331fafb8c176c1af0da3d8b19" + }, + { + "url": "https://git.kernel.org/stable/c/56cfbe60710772916a5ba092c99542332b48e870" + }, + { + "url": "https://git.kernel.org/stable/c/0958b33ef5a04ed91f61cef4760ac412080c4e08" + }, + { + "url": "https://git.kernel.org/stable/c/4b001ef14baab16b553a002cb9979e31b8fc0c6b" + }, + { + "url": "https://git.kernel.org/stable/c/2450a69d2ee75d1f0112d509ac82ef98f5ad6b5f" + }, + { + "url": "https://git.kernel.org/stable/c/6022c065c9ec465d84cebff8f480db083e4ee06b" + }, + { + "url": "https://git.kernel.org/stable/c/8ffd5590f4d6ef5460acbeac7fbdff7025f9b419" + }, + { + "url": "https://git.kernel.org/stable/c/2a3073d58382157ab396734ed4e421ba9e969db1" + }, + { + "url": "https://git.kernel.org/stable/c/36be97e9eb535fe3008a5cb040b1e56f29f2e398" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26920" + }, + { + "url": "https://git.kernel.org/linus/0958b33ef5a04ed91f61cef4760ac412080c4e08(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-192", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26920" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/trigger: Fix to return error if failed to alloc snapshot\n\nFix register_snapshot_trigger() to return error code if it failed to\nallocate a snapshot instead of 0 (success). Unless that, it will register\nsnapshot trigger without an error.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26920", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26920" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/51b7841f3fe84606ec0bd8da859d22e05e5419ec" + }, + { + "url": "https://git.kernel.org/stable/c/7cfee26d1950250b14c5cb0a37b142f3fcc6396a" + }, + { + "url": "https://git.kernel.org/stable/c/09e6bb53217bf388a0d2fd7fb21e74ab9dffc173" + }, + { + "url": "https://git.kernel.org/stable/c/97e93367e82752e475a33839a80b33bdbef1209f" + }, + { + "url": "https://git.kernel.org/stable/c/1341e4b32e1fb1b0acd002ccd56f07bd32f2abc6" + }, + { + "url": "https://git.kernel.org/stable/c/04c35ab3bdae7fefbd7c7a7355f29fa03a035221" + }, + { + "url": "https://git.kernel.org/stable/c/c2b2430b48f3c9eaccd2c3d2ad75bb540d4952f4" + }, + { + "url": "https://git.kernel.org/stable/c/f18681daaec9665a15c5e7e0f591aad5d0ac622b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35877" + }, + { + "url": "https://git.kernel.org/linus/04c35ab3bdae7fefbd7c7a7355f29fa03a035221(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-193", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35877" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm/pat: fix VM_PAT handling in COW mappings\n\nPAT handling won't do the right thing in COW mappings: the first PTE (or,\nin fact, all PTEs) can be replaced during write faults to point at anon\nfolios. Reliably recovering the correct PFN and cachemode using\nfollow_phys() from PTEs will not work in COW mappings.\n\nUsing follow_phys(), we might just get the address+protection of the anon\nfolio (which is very wrong), or fail on swap/nonswap entries, failing\nfollow_phys() and triggering a WARN_ON_ONCE() in untrack_pfn() and\ntrack_pfn_copy(), not properly calling free_pfn_range().\n\nIn free_pfn_range(), we either wouldn't call memtype_free() or would call\nit with the wrong range, possibly leaking memory.\n\nTo fix that, let's update follow_phys() to refuse returning anon folios,\nand fallback to using the stored PFN inside vma->vm_pgoff for COW mappings\nif we run into that.\n\nWe will now properly handle untrack_pfn() with COW mappings, where we\ndon't need the cachemode. We'll have to fail fork()->track_pfn_copy() if\nthe first page was replaced by an anon folio, though: we'd have to store\nthe cachemode in the VMA to make this work, likely growing the VMA size.\n\nFor now, lets keep it simple and let track_pfn_copy() just fail in that\ncase: it would have failed in the past with swap/nonswap entries already,\nand it would have done the wrong thing with anon folios.\n\nSimple reproducer to trigger the WARN_ON_ONCE() in untrack_pfn():\n\n<--- C reproducer --->\n #include \n #include \n #include \n #include \n\n int main(void)\n {\n struct io_uring_params p = {};\n int ring_fd;\n size_t size;\n char *map;\n\n ring_fd = io_uring_setup(1, &p);\n if (ring_fd < 0) {\n perror(\"io_uring_setup\");\n return 1;\n }\n size = p.sq_off.array + p.sq_entries * sizeof(unsigned);\n\n /* Map the submission queue ring MAP_PRIVATE */\n map = mmap(0, size, PROT_READ | PROT_WRITE, MAP_PRIVATE,\n ring_fd, IORING_OFF_SQ_RING);\n if (map == MAP_FAILED) {\n perror(\"mmap\");\n return 1;\n }\n\n /* We have at least one page. Let's COW it. */\n *map = 0;\n pause();\n return 0;\n }\n<--- C reproducer --->\n\nOn a system with 16 GiB RAM and swap configured:\n # ./iouring &\n # memhog 16G\n # killall iouring\n[ 301.552930] ------------[ cut here ]------------\n[ 301.553285] WARNING: CPU: 7 PID: 1402 at arch/x86/mm/pat/memtype.c:1060 untrack_pfn+0xf4/0x100\n[ 301.553989] Modules linked in: binfmt_misc nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_g\n[ 301.558232] CPU: 7 PID: 1402 Comm: iouring Not tainted 6.7.5-100.fc38.x86_64 #1\n[ 301.558772] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebu4\n[ 301.559569] RIP: 0010:untrack_pfn+0xf4/0x100\n[ 301.559893] Code: 75 c4 eb cf 48 8b 43 10 8b a8 e8 00 00 00 3b 6b 28 74 b8 48 8b 7b 30 e8 ea 1a f7 000\n[ 301.561189] RSP: 0018:ffffba2c0377fab8 EFLAGS: 00010282\n[ 301.561590] RAX: 00000000ffffffea RBX: ffff9208c8ce9cc0 RCX: 000000010455e047\n[ 301.562105] RDX: 07fffffff0eb1e0a RSI: 0000000000000000 RDI: ffff9208c391d200\n[ 301.562628] RBP: 0000000000000000 R08: ffffba2c0377fab8 R09: 0000000000000000\n[ 301.563145] R10: ffff9208d2292d50 R11: 0000000000000002 R12: 00007fea890e0000\n[ 301.563669] R13: 0000000000000000 R14: ffffba2c0377fc08 R15: 0000000000000000\n[ 301.564186] FS: 0000000000000000(0000) GS:ffff920c2fbc0000(0000) knlGS:0000000000000000\n[ 301.564773] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 301.565197] CR2: 00007fea88ee8a20 CR3: 00000001033a8000 CR4: 0000000000750ef0\n[ 301.565725] PKRU: 55555554\n[ 301.565944] Call Trace:\n[ 301.566148] \n[ 301.566325] ? untrack_pfn+0xf4/0x100\n[ 301.566618] ? __warn+0x81/0x130\n[ 301.566876] ? untrack_pfn+0xf4/0x100\n[ 3\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35877", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35877" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/17c2650de14842c25c569cbb2126c421489a3a24" + }, + { + "url": "https://git.kernel.org/stable/c/c915c46a25c3efb084c4f5e69a053d7f7a635496" + }, + { + "url": "https://git.kernel.org/stable/c/b8505a1aee8f1edc9d16d72ae09c93de086e2a1a" + }, + { + "url": "https://git.kernel.org/stable/c/4f1490a5d7a0472ee5d9f36547bc4ba46be755c7" + }, + { + "url": "https://git.kernel.org/stable/c/610f20e5cf35ca9c0992693cae0dd8643ce932e7" + }, + { + "url": "https://git.kernel.org/stable/c/87399f1ff92203d65f1febf5919429f4bb613a02" + }, + { + "url": "https://git.kernel.org/stable/c/edbb3226c985469a2f8eb69885055c9f5550f468" + }, + { + "url": "https://git.kernel.org/stable/c/daf21394f9898fb9f0698c3e50de08132d2164e6" + }, + { + "url": "https://git.kernel.org/stable/c/8ba8db9786b55047df5ad3db3e01dd886687a77d" + }, + { + "url": "https://git.kernel.org/linus/87399f1ff92203d65f1febf5919429f4bb613a02(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35830" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-194", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35830" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: tc358743: register v4l2 async device only after successful setup\n\nEnsure the device has been setup correctly before registering the v4l2\nasync device, thus allowing userspace to access.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35830", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35830" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e8dc5cffc844dacfa79f056dea88002312f253f" + }, + { + "url": "https://git.kernel.org/stable/c/de0139719cdda82806a47580ca0df06fc85e0bd2" + }, + { + "url": "https://git.kernel.org/stable/c/7aaee12b804c5e0374e7b132b6ec2158ff33dd64" + }, + { + "url": "https://git.kernel.org/stable/c/7c6782ad4911cbee874e85630226ed389ff2e453" + }, + { + "url": "https://git.kernel.org/stable/c/5cf5337ef701830f173b4eec00a4f984adeb57a0" + }, + { + "url": "https://git.kernel.org/stable/c/adf67a03af39095f05d82050f15813d6f700159d" + }, + { + "url": "https://git.kernel.org/stable/c/1263b0b26077b1183c3c45a0a2479573a351d423" + }, + { + "url": "https://git.kernel.org/stable/c/3d90ca9145f6b97b38d0c2b6b30f6ca6af9c1801" + }, + { + "url": "https://git.kernel.org/linus/7c6782ad4911cbee874e85630226ed389ff2e453(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35960" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-195", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35960" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Properly link new fs rules into the tree\n\nPreviously, add_rule_fg would only add newly created rules from the\nhandle into the tree when they had a refcount of 1. On the other hand,\ncreate_flow_handle tries hard to find and reference already existing\nidentical rules instead of creating new ones.\n\nThese two behaviors can result in a situation where create_flow_handle\n1) creates a new rule and references it, then\n2) in a subsequent step during the same handle creation references it\n again,\nresulting in a rule with a refcount of 2 that is not linked into the\ntree, will have a NULL parent and root and will result in a crash when\nthe flow group is deleted because del_sw_hw_rule, invoked on rule\ndeletion, assumes node->parent is != NULL.\n\nThis happened in the wild, due to another bug related to incorrect\nhandling of duplicate pkt_reformat ids, which lead to the code in\ncreate_flow_handle incorrectly referencing a just-added rule in the same\nflow handle, resulting in the problem described above. Full details are\nat [1].\n\nThis patch changes add_rule_fg to add new rules without parents into\nthe tree, properly initializing them and avoiding the crash. This makes\nit more consistent with how rules are added to an FTE in\ncreate_flow_handle.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35960", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35960" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/14f109bf74dd67e1d0469fed859c8e506b0df53f" + }, + { + "url": "https://git.kernel.org/stable/c/45284ff733e4caf6c118aae5131eb7e7cf3eea5a" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/45284ff733e4caf6c118aae5131eb7e7cf3eea5a(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52586" + } + ], + "bom-ref": "vuln-196", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52586" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Add mutex lock in control vblank irq\n\nAdd a mutex lock to control vblank irq to synchronize vblank\nenable/disable operations happening from different threads to prevent\nrace conditions while registering/unregistering the vblank irq callback.\n\nv4: -Removed vblank_ctl_lock from dpu_encoder_virt, so it is only a\n parameter of dpu_encoder_phys.\n -Switch from atomic refcnt to a simple int counter as mutex has\n now been added\nv3: Mistakenly did not change wording in last version. It is done now.\nv2: Slightly changed wording of commit message\n\nPatchwork: https://patchwork.freedesktop.org/patch/571854/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52586", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52586" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5735a2671ffb70ea29ca83969fe01316ee2ed6fc" + }, + { + "url": "https://git.kernel.org/stable/c/0a9bab391e336489169b95cb0d4553d921302189" + }, + { + "url": "https://git.kernel.org/stable/c/0c45a20cbe68bc4d681734f5c03891124a274257" + }, + { + "url": "https://git.kernel.org/stable/c/30884a44e0cedc3dfda8c22432f3ba4078ec2d94" + }, + { + "url": "https://git.kernel.org/linus/0a9bab391e336489169b95cb0d4553d921302189(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26718" + } + ], + "bom-ref": "vuln-197", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26718" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt, dm-verity: disable tasklets\n\nTasklets have an inherent problem with memory corruption. The function\ntasklet_action_common calls tasklet_trylock, then it calls the tasklet\ncallback and then it calls tasklet_unlock. If the tasklet callback frees\nthe structure that contains the tasklet or if it calls some code that may\nfree it, tasklet_unlock will write into free memory.\n\nThe commits 8e14f610159d and d9a02e016aaf try to fix it for dm-crypt, but\nit is not a sufficient fix and the data corruption can still happen [1].\nThere is no fix for dm-verity and dm-verity will write into free memory\nwith every tasklet-processed bio.\n\nThere will be atomic workqueues implemented in the kernel 6.9 [2]. They\nwill have better interface and they will not suffer from the memory\ncorruption problem.\n\nBut we need something that stops the memory corruption now and that can be\nbackported to the stable kernels. So, I'm proposing this commit that\ndisables tasklets in both dm-crypt and dm-verity. This commit doesn't\nremove the tasklet support, because the tasklet code will be reused when\natomic workqueues will be implemented.\n\n[1] https://lore.kernel.org/all/d390d7ee-f142-44d3-822a-87949e14608b@suse.de/T/\n[2] https://lore.kernel.org/lkml/20240130091300.2968534-1-tj@kernel.org/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26718", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26718" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b9ea86e662035a886ccb5c76d56793cba618827" + }, + { + "url": "https://git.kernel.org/stable/c/af7bbdac89739e2e7380387fda598848d3b7010f" + }, + { + "url": "https://git.kernel.org/stable/c/f6abd5e17da33eba15df2bddc93413e76c2b55f7" + }, + { + "url": "https://git.kernel.org/stable/c/a2c6206f18104fba7f887bf4dbbfe4c41adc4339" + }, + { + "url": "https://git.kernel.org/stable/c/9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41" + }, + { + "url": "https://git.kernel.org/stable/c/95bc866c11974d3e4a9d922275ea8127ff809cf7" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52618" + }, + { + "url": "https://git.kernel.org/linus/9e4bf6a08d1e127bcc4bd72557f2dfafc6bc7f41(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-198", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52618" + } + } + ], + "created": "2024-03-18T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock/rnbd-srv: Check for unlikely string overflow\n\nSince \"dev_search_path\" can technically be as large as PATH_MAX,\nthere was a risk of truncation when copying it and a second string\ninto \"full_path\" since it was also PATH_MAX sized. The W=1 builds were\nreporting this warning:\n\ndrivers/block/rnbd/rnbd-srv.c: In function 'process_msg_open.isra':\ndrivers/block/rnbd/rnbd-srv.c:616:51: warning: '%s' directive output may be truncated writing up to 254 bytes into a region of size between 0 and 4095 [-Wformat-truncation=]\n 616 | snprintf(full_path, PATH_MAX, \"%s/%s\",\n | ^~\nIn function 'rnbd_srv_get_full_path',\n inlined from 'process_msg_open.isra' at drivers/block/rnbd/rnbd-srv.c:721:14: drivers/block/rnbd/rnbd-srv.c:616:17: note: 'snprintf' output between 2 and 4351 bytes into a destination of size 4096\n 616 | snprintf(full_path, PATH_MAX, \"%s/%s\",\n | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n 617 | dev_search_path, dev_name);\n | ~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo fix this, unconditionally check for truncation (as was already done\nfor the case where \"%SESSNAME%\" was present).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52618", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52618" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1581dafaf0d34bc9c428a794a22110d7046d186d" + }, + { + "url": "https://git.kernel.org/stable/c/994a1e583c0c206c8ca7d03334a65b79f4d8bc51" + }, + { + "url": "https://git.kernel.org/stable/c/2933b1e4757a0a5c689cf48d80b1a2a85f237ff1" + }, + { + "url": "https://git.kernel.org/stable/c/1ce408f75ccf1e25b3fddef75cca878b55f2ac90" + }, + { + "url": "https://git.kernel.org/stable/c/ff7342090c1e8c5a37015c89822a68b275b46f8a" + }, + { + "url": "https://git.kernel.org/stable/c/7529cbd8b5f6697b369803fe1533612c039cabda" + }, + { + "url": "https://git.kernel.org/stable/c/0190d19d7651c08abc187dac3819c61b726e7e3f" + }, + { + "url": "https://git.kernel.org/stable/c/fc7dfe3d123f00e720be80b920da287810a1f37d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35823" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1581dafaf0d34bc9c428a794a22110d7046d186d(6.8)" + } + ], + "bom-ref": "vuln-199", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35823" + } + } + ], + "created": "2024-05-17T14:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvt: fix unicode buffer corruption when deleting characters\n\nThis is the same issue that was fixed for the VGA text buffer in commit\n39cdb68c64d8 (\"vt: fix memory overlapping when deleting chars in the\nbuffer\"). The cure is also the same i.e. replace memcpy() with memmove()\ndue to the overlaping buffers.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35823", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35823" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/79ce2e54cc0ae366f45516c00bf1b19aa43e9abe" + }, + { + "url": "https://git.kernel.org/stable/c/cae3303257950d03ffec2df4a45e836f10d26c24" + }, + { + "url": "https://git.kernel.org/stable/c/61b34f73cdbdb8eaf9ea12e9e2eb3b29716c4dda" + }, + { + "url": "https://git.kernel.org/stable/c/394334fe2ae3b9f1e2332b873857e84cb28aac18" + }, + { + "url": "https://git.kernel.org/stable/c/ed883060c38721ed828061f6c0c30e5147326c9a" + }, + { + "url": "https://git.kernel.org/stable/c/685f7d531264599b3f167f1e94bbd22f120e5fab" + }, + { + "url": "https://git.kernel.org/stable/c/664f9c647260cc9d68b4e31d9899530d89dd045e" + }, + { + "url": "https://git.kernel.org/stable/c/31ea5bcc7d4cd1423de6be327a2c034725704136" + }, + { + "url": "https://git.kernel.org/linus/685f7d531264599b3f167f1e94bbd22f120e5fab(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26852" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-200", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26852" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/ipv6: avoid possible UAF in ip6_route_mpath_notify()\n\nsyzbot found another use-after-free in ip6_route_mpath_notify() [1]\n\nCommit f7225172f25a (\"net/ipv6: prevent use after free in\nip6_route_mpath_notify\") was not able to fix the root cause.\n\nWe need to defer the fib6_info_release() calls after\nip6_route_mpath_notify(), in the cleanup phase.\n\n[1]\nBUG: KASAN: slab-use-after-free in rt6_fill_node+0x1460/0x1ac0\nRead of size 4 at addr ffff88809a07fc64 by task syz-executor.2/23037\n\nCPU: 0 PID: 23037 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-01035-gea7f3cfaa588 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x167/0x540 mm/kasan/report.c:488\n kasan_report+0x142/0x180 mm/kasan/report.c:601\n rt6_fill_node+0x1460/0x1ac0\n inet6_rt_notify+0x13b/0x290 net/ipv6/route.c:6184\n ip6_route_mpath_notify net/ipv6/route.c:5198 [inline]\n ip6_route_multipath_add net/ipv6/route.c:5404 [inline]\n inet6_rtm_newroute+0x1d0f/0x2300 net/ipv6/route.c:5517\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f73dd87dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f73de6550c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f73dd9ac050 RCX: 00007f73dd87dda9\nRDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005\nRBP: 00007f73dd8ca47a R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f73dd9ac050 R15: 00007ffdbdeb7858\n \n\nAllocated by task 23037:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:372 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:389\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3981 [inline]\n __kmalloc+0x22e/0x490 mm/slub.c:3994\n kmalloc include/linux/slab.h:594 [inline]\n kzalloc include/linux/slab.h:711 [inline]\n fib6_info_alloc+0x2e/0xf0 net/ipv6/ip6_fib.c:155\n ip6_route_info_create+0x445/0x12b0 net/ipv6/route.c:3758\n ip6_route_multipath_add net/ipv6/route.c:5298 [inline]\n inet6_rtm_newroute+0x744/0x2300 net/ipv6/route.c:5517\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6597\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nFreed by task 16:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n kasan_save_free_info+0x4e/0x60 mm/kasan/generic.c:640\n poison_slab_object+0xa6/0xe0 m\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26852", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26852" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8310080799b40fd9f2a8b808c657269678c149af" + }, + { + "url": "https://git.kernel.org/stable/c/a11dd49dcb9376776193e15641f84fcc1e5980c9" + }, + { + "url": "https://git.kernel.org/stable/c/a278d5c60f21aa15d540abb2f2da6e6d795c3e6e" + }, + { + "url": "https://git.kernel.org/stable/c/8af1c121b0102041809bc137ec600d1865eaeedd" + }, + { + "url": "https://git.kernel.org/stable/c/2a1728c15ec4f45ed9248ae22f626541c179bfbe" + }, + { + "url": "https://git.kernel.org/stable/c/5941a90c55d3bfba732b32208d58d997600b44ef" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26795" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-201", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26795" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Sparse-Memory/vmemmap out-of-bounds fix\n\nOffset vmemmap so that the first page of vmemmap will be mapped\nto the first page of physical memory in order to ensure that\nvmemmap’s bounds will be respected during\npfn_to_page()/page_to_pfn() operations.\nThe conversion macros will produce correct SV39/48/57 addresses\nfor every possible/valid DRAM_BASE inside the physical memory limits.\n\nv2:Address Alex's comments", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26795", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26795" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-09T16:51:17Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04bf2e5f95c1a52e28a7567a507f926efe31c3b6" + }, + { + "url": "https://git.kernel.org/stable/c/4201b8c8f2c32af321fb50867e68ac6c1cbed4be" + }, + { + "url": "https://git.kernel.org/stable/c/efdcfa554b6eb228943ef1dd4d023c606be647d2" + }, + { + "url": "https://git.kernel.org/stable/c/52e8a42b11078d2aad4b9ba96503d77c7299168b" + }, + { + "url": "https://git.kernel.org/stable/c/6065e736f82c817c9a597a31ee67f0ce4628e948" + }, + { + "url": "https://git.kernel.org/stable/c/a0f0dbbb1bc49fa0de18e92c36492ff6d804cdaa" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35988" + }, + { + "url": "https://git.kernel.org/linus/6065e736f82c817c9a597a31ee67f0ce4628e948(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-202", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35988" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix TASK_SIZE on 64-bit NOMMU\n\nOn NOMMU, userspace memory can come from anywhere in physical RAM. The\ncurrent definition of TASK_SIZE is wrong if any RAM exists above 4G,\ncausing spurious failures in the userspace access routines.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35988", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35988" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e03418abde871314e1a3a550f4c8afb7b89cb273" + }, + { + "url": "https://git.kernel.org/stable/c/ef3ba8ce8cf7075b716aa4afcefc3034215878ee" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e03418abde871314e1a3a550f4c8afb7b89cb273(6.9)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35949" + } + ], + "bom-ref": "vuln-203", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35949" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make sure that WRITTEN is set on all metadata blocks\n\nWe previously would call btrfs_check_leaf() if we had the check\nintegrity code enabled, which meant that we could only run the extended\nleaf checks if we had WRITTEN set on the header flags.\n\nThis leaves a gap in our checking, because we could end up with\ncorruption on disk where WRITTEN isn't set on the leaf, and then the\nextended leaf checks don't get run which we rely on to validate all of\nthe item pointers to make sure we don't access memory outside of the\nextent buffer.\n\nHowever, since 732fab95abe2 (\"btrfs: check-integrity: remove\nCONFIG_BTRFS_FS_CHECK_INTEGRITY option\") we no longer call\nbtrfs_check_leaf() from btrfs_mark_buffer_dirty(), which means we only\never call it on blocks that are being written out, and thus have WRITTEN\nset, or that are being read in, which should have WRITTEN set.\n\nAdd checks to make sure we have WRITTEN set appropriately, and then make\nsure __btrfs_check_leaf() always does the item checking. This will\nprotect us from file systems that have been corrupted and no longer have\nWRITTEN set on some of the blocks.\n\nThis was hit on a crafted image tweaking the WRITTEN bit and reported by\nKASAN as out-of-bound access in the eb accessors. The example is a dir\nitem at the end of an eb.\n\n [2.042] BTRFS warning (device loop1): bad eb member start: ptr 0x3fff start 30572544 member offset 16410 size 2\n [2.040] general protection fault, probably for non-canonical address 0xe0009d1000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n [2.537] KASAN: maybe wild-memory-access in range [0x0005088000000018-0x000508800000001f]\n [2.729] CPU: 0 PID: 2587 Comm: mount Not tainted 6.8.2 #1\n [2.729] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n [2.621] RIP: 0010:btrfs_get_16+0x34b/0x6d0\n [2.621] RSP: 0018:ffff88810871fab8 EFLAGS: 00000206\n [2.621] RAX: 0000a11000000003 RBX: ffff888104ff8720 RCX: ffff88811b2288c0\n [2.621] RDX: dffffc0000000000 RSI: ffffffff81dd8aca RDI: ffff88810871f748\n [2.621] RBP: 000000000000401a R08: 0000000000000001 R09: ffffed10210e3ee9\n [2.621] R10: ffff88810871f74f R11: 205d323430333737 R12: 000000000000001a\n [2.621] R13: 000508800000001a R14: 1ffff110210e3f5d R15: ffffffff850011e8\n [2.621] FS: 00007f56ea275840(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000\n [2.621] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [2.621] CR2: 00007febd13b75c0 CR3: 000000010bb50000 CR4: 00000000000006f0\n [2.621] Call Trace:\n [2.621] \n [2.621] ? show_regs+0x74/0x80\n [2.621] ? die_addr+0x46/0xc0\n [2.621] ? exc_general_protection+0x161/0x2a0\n [2.621] ? asm_exc_general_protection+0x26/0x30\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? btrfs_get_16+0x34b/0x6d0\n [2.621] ? btrfs_get_16+0x33a/0x6d0\n [2.621] ? __pfx_btrfs_get_16+0x10/0x10\n [2.621] ? __pfx_mutex_unlock+0x10/0x10\n [2.621] btrfs_match_dir_item_name+0x101/0x1a0\n [2.621] btrfs_lookup_dir_item+0x1f3/0x280\n [2.621] ? __pfx_btrfs_lookup_dir_item+0x10/0x10\n [2.621] btrfs_get_tree+0xd25/0x1910\n\n[ copy more details from report ]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35949", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35949" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/051e0840ffa8ab25554d6b14b62c9ab9e4901457" + }, + { + "url": "https://git.kernel.org/stable/c/aa39e6878f61f50892ee2dd9d2176f72020be845" + }, + { + "url": "https://git.kernel.org/stable/c/3c907bf56905de7d27b329afaf59c2fb35d17b04" + }, + { + "url": "https://git.kernel.org/stable/c/eeb2a2ca0b8de7e1c66afaf719529154e7dc60b2" + }, + { + "url": "https://git.kernel.org/stable/c/e955e8a7f38a856fc6534ba4e6bffd4d5cc80ac3" + }, + { + "url": "https://git.kernel.org/stable/c/9d66ae0e7bb78b54e1e0525456c6b54e1d132046" + }, + { + "url": "https://git.kernel.org/stable/c/4206ad65a0ee76920041a755bd3c17c6ba59bba2" + }, + { + "url": "https://git.kernel.org/stable/c/8c990221681688da34295d6d76cc2f5b963e83f5" + }, + { + "url": "https://git.kernel.org/stable/c/61d4787692c1fccdc268ffa7a891f9c149f50901" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26654" + }, + { + "url": "https://git.kernel.org/linus/051e0840ffa8ab25554d6b14b62c9ab9e4901457(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-204", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26654" + } + } + ], + "created": "2024-04-01T09:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: sh: aica: reorder cleanup operations to avoid UAF bugs\n\nThe dreamcastcard->timer could schedule the spu_dma_work and the\nspu_dma_work could also arm the dreamcastcard->timer.\n\nWhen the snd_pcm_substream is closing, the aica_channel will be\ndeallocated. But it could still be dereferenced in the worker\nthread. The reason is that del_timer() will return directly\nregardless of whether the timer handler is running or not and\nthe worker could be rescheduled in the timer handler. As a result,\nthe UAF bug will happen. The racy situation is shown below:\n\n (Thread 1) | (Thread 2)\nsnd_aicapcm_pcm_close() |\n ... | run_spu_dma() //worker\n | mod_timer()\n flush_work() |\n del_timer() | aica_period_elapsed() //timer\n kfree(dreamcastcard->channel) | schedule_work()\n | run_spu_dma() //worker\n ... | dreamcastcard->channel-> //USE\n\nIn order to mitigate this bug and other possible corner cases,\ncall mod_timer() conditionally in run_spu_dma(), then implement\nPCM sync_stop op to cancel both the timer and worker. The sync_stop\nop will be called from PCM core appropriately when needed.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26654", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26654" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7" + }, + { + "url": "https://git.kernel.org/stable/c/43235db21fc23559f50a62f8f273002eeb506f5a" + }, + { + "url": "https://git.kernel.org/linus/efb91fea652a42fcc037d2a9ef4ecd1ffc5ff4b7(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52673" + } + ], + "bom-ref": "vuln-205", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52673" + } + } + ], + "created": "2024-05-17T14:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix a debugfs null pointer error\n\n[WHY & HOW]\nCheck whether get_subvp_en() callback exists before calling it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52673", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52673" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/37801a36b4d68892ce807264f784d818f8d0d39b" + }, + { + "url": "https://git.kernel.org/stable/c/68784a5d01b8868ff85a7926676b6729715fff3c" + }, + { + "url": "https://git.kernel.org/stable/c/477ed6789eb9f3f4d3568bb977f90c863c12724e" + }, + { + "url": "https://git.kernel.org/linus/37801a36b4d68892ce807264f784d818f8d0d39b(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35904" + } + ], + "bom-ref": "vuln-206", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35904" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: avoid dereference of garbage after mount failure\n\nIn case kern_mount() fails and returns an error pointer return in the\nerror branch instead of continuing and dereferencing the error pointer.\n\nWhile on it drop the never read static variable selinuxfs_mount.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35904", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35904" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bc004f5038220b1891ef4107134ccae44be55109" + }, + { + "url": "https://git.kernel.org/stable/c/35768baf0fdfc47ede42d899506bad78450e9294" + }, + { + "url": "https://git.kernel.org/stable/c/a81b2acd43e24e419f65df97348c76a5a1496066" + }, + { + "url": "https://git.kernel.org/stable/c/8a6fea3fcb577a543ef67683ca7105bde49a38fb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35952" + }, + { + "url": "https://git.kernel.org/linus/bc004f5038220b1891ef4107134ccae44be55109(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-207", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35952" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ast: Fix soft lockup\n\nThere is a while-loop in ast_dp_set_on_off() that could lead to\ninfinite-loop. This is because the register, VGACRI-Dx, checked in\nthis API is a scratch register actually controlled by a MCU, named\nDPMCU, in BMC.\n\nThese scratch registers are protected by scu-lock. If suc-lock is not\noff, DPMCU can not update these registers and then host will have soft\nlockup due to never updated status.\n\nDPMCU is used to control DP and relative registers to handshake with\nhost's VGA driver. Even the most time-consuming task, DP's link\ntraining, is less than 100ms. 200ms should be enough.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35952", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35952" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73" + }, + { + "url": "https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed" + }, + { + "url": "https://git.kernel.org/linus/29b359cf6d95fd60730533f7f10464e95bd17c73(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27017" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-208", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27017" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: walk over current view on netlink dump\n\nThe generation mask can be updated while netlink dump is in progress.\nThe pipapo set backend walk iterator cannot rely on it to infer what\nview of the datastructure is to be used. Add notation to specify if user\nwants to read/update the set.\n\nBased on patch from Florian Westphal.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27017", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27017" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9cb3755b1e3680b720b74dbedfac889e904605c7" + }, + { + "url": "https://git.kernel.org/stable/c/ff41e0d4f3fa10d7cdd7d40f8026bea9fcc8b000" + }, + { + "url": "https://git.kernel.org/stable/c/517621b7060096e48e42f545fa6646fc00252eac" + }, + { + "url": "https://git.kernel.org/stable/c/c560327d900bab968c2e1b4cd7fa2d46cd429e3d" + }, + { + "url": "https://git.kernel.org/stable/c/07c3fe923ff7eccf684fb4f8c953d0a7cc8ded73" + }, + { + "url": "https://git.kernel.org/stable/c/585fec7361e7850bead21fada49a7fcde2f2e791" + }, + { + "url": "https://git.kernel.org/stable/c/899e154f9546fcae18065d74064889d08fff62c2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26979" + }, + { + "url": "https://git.kernel.org/linus/517621b7060096e48e42f545fa6646fc00252eac(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-209", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26979" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Fix possible null pointer derefence with invalid contexts\n\nvmw_context_cotable can return either an error or a null pointer and its\nusage sometimes went unchecked. Subsequent code would then try to access\neither a null pointer or an error value.\n\nThe invalid dereferences were only possible with malformed userspace\napps which never properly initialized the rendering contexts.\n\nCheck the results of vmw_context_cotable to fix the invalid derefs.\n\nThanks:\nziming zhang(@ezrak1e) from Ant Group Light-Year Security Lab\nwho was the first person to discover it.\nNiels De Graef who reported it and helped to track down the poc.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26979", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26979" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/be97d0db5f44c0674480cb79ac6f5b0529b84c76" + }, + { + "url": "https://git.kernel.org/stable/c/1493baaf09e3c1899959c8a107cd1207e16d1788" + }, + { + "url": "https://git.kernel.org/stable/c/eff53aea3855f71992c043cebb1c00988c17ee20" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-210", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\ncommit 31da94c25aea (\"riscv: add VMAP_STACK overflow detection\") added\nsupport for CONFIG_VMAP_STACK. If overflow is detected, CPU switches to\n`shadow_stack` temporarily before switching finally to per-cpu\n`overflow_stack`.\n\nIf two CPUs/harts are racing and end up in over flowing kernel stack, one\nor both will end up corrupting each other state because `shadow_stack` is\nnot per-cpu. This patch optimizes per-cpu overflow stack switch by\ndirectly picking per-cpu `overflow_stack` and gets rid of `shadow_stack`.\n\nFollowing are the changes in this patch\n\n - Defines an asm macro to obtain per-cpu symbols in destination\n register.\n - In entry.S, when overflow is detected, per-cpu overflow stack is\n located using per-cpu asm macro. Computing per-cpu symbol requires\n a temporary register. x31 is saved away into CSR_SCRATCH\n (CSR_SCRATCH is anyways zero since we're in kernel).\n\nPlease see Links for additional relevant disccussion and alternative\nsolution.\n\nTested by `echo EXHAUST_STACK > /sys/kernel/debug/provoke-crash/DIRECT`\nKernel crash log below\n\n Insufficient stack space to handle exception!/debug/provoke-crash/DIRECT\n Task stack: [0xff20000010a98000..0xff20000010a9c000]\n Overflow stack: [0xff600001f7d98370..0xff600001f7d99370]\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n epc : __memset+0x60/0xfc\n ra : recursive_loop+0x48/0xc6 [lkdtm]\n epc : ffffffff808de0e4 ra : ffffffff0163a752 sp : ff20000010a97e80\n gp : ffffffff815c0330 tp : ff600000820ea280 t0 : ff20000010a97e88\n t1 : 000000000000002e t2 : 3233206874706564 s0 : ff20000010a982b0\n s1 : 0000000000000012 a0 : ff20000010a97e88 a1 : 0000000000000000\n a2 : 0000000000000400 a3 : ff20000010a98288 a4 : 0000000000000000\n a5 : 0000000000000000 a6 : fffffffffffe43f0 a7 : 00007fffffffffff\n s2 : ff20000010a97e88 s3 : ffffffff01644680 s4 : ff20000010a9be90\n s5 : ff600000842ba6c0 s6 : 00aaaaaac29e42b0 s7 : 00fffffff0aa3684\n s8 : 00aaaaaac2978040 s9 : 0000000000000065 s10: 00ffffff8a7cad10\n s11: 00ffffff8a76a4e0 t3 : ffffffff815dbaf4 t4 : ffffffff815dbaf4\n t5 : ffffffff815dbab8 t6 : ff20000010a9bb48\n status: 0000000200000120 badaddr: ff20000010a97e88 cause: 000000000000000f\n Kernel panic - not syncing: Kernel stack overflow\n CPU: 1 PID: 205 Comm: bash Not tainted 6.1.0-rc2-00001-g328a1f96f7b9 #34\n Hardware name: riscv-virtio,qemu (DT)\n Call Trace:\n [] dump_backtrace+0x30/0x38\n [] show_stack+0x40/0x4c\n [] dump_stack_lvl+0x44/0x5c\n [] dump_stack+0x18/0x20\n [] panic+0x126/0x2fe\n [] walk_stackframe+0x0/0xf0\n [] recursive_loop+0x48/0xc6 [lkdtm]\n SMP: stopping secondary CPUs\n ---[ end Kernel panic - not syncing: Kernel stack overflow ]---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52761", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52761" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/caa9af2e27c275e089d702cfbaaece3b42bca31b" + }, + { + "url": "https://git.kernel.org/stable/c/f8730d6335e5f43d09151fca1f0f41922209a264" + }, + { + "url": "https://git.kernel.org/stable/c/83d3c5e309611ef593e2fcb78444fc8ceedf9bac" + }, + { + "url": "https://git.kernel.org/stable/c/4f3a3bce428fb439c66a578adc447afce7b4a750" + }, + { + "url": "https://git.kernel.org/stable/c/b54478d20375874aeee257744dedfd3e413432ff" + }, + { + "url": "https://git.kernel.org/stable/c/82e25cc1c2e93c3023da98be282322fc08b61ffb" + }, + { + "url": "https://git.kernel.org/stable/c/a75afe480d4349c524d9c659b1a5a544dbc39a98" + }, + { + "url": "https://git.kernel.org/stable/c/3d75b8aa5c29058a512db29da7cbee8052724157" + }, + { + "url": "https://git.kernel.org/stable/c/ab2c2f5d9576112ad22cfd3798071cb74693b1f5" + }, + { + "url": "https://git.kernel.org/linus/3d75b8aa5c29058a512db29da7cbee8052724157(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26976" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-211", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26976" + } + } + ], + "created": "2024-05-01T06:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Always flush async #PF workqueue when vCPU is being destroyed\n\nAlways flush the per-vCPU async #PF workqueue when a vCPU is clearing its\ncompletion queue, e.g. when a VM and all its vCPUs is being destroyed.\nKVM must ensure that none of its workqueue callbacks is running when the\nlast reference to the KVM _module_ is put. Gifting a reference to the\nassociated VM prevents the workqueue callback from dereferencing freed\nvCPU/VM memory, but does not prevent the KVM module from being unloaded\nbefore the callback completes.\n\nDrop the misguided VM refcount gifting, as calling kvm_put_kvm() from\nasync_pf_execute() if kvm_put_kvm() flushes the async #PF workqueue will\nresult in deadlock. async_pf_execute() can't return until kvm_put_kvm()\nfinishes, and kvm_put_kvm() can't return until async_pf_execute() finishes:\n\n WARNING: CPU: 8 PID: 251 at virt/kvm/kvm_main.c:1435 kvm_put_kvm+0x2d/0x320 [kvm]\n Modules linked in: vhost_net vhost vhost_iotlb tap kvm_intel kvm irqbypass\n CPU: 8 PID: 251 Comm: kworker/8:1 Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events async_pf_execute [kvm]\n RIP: 0010:kvm_put_kvm+0x2d/0x320 [kvm]\n Call Trace:\n \n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n ---[ end trace 0000000000000000 ]---\n INFO: task kworker/8:1:251 blocked for more than 120 seconds.\n Tainted: G W 6.6.0-rc1-e7af8d17224a-x86/gmem-vm #119\n \"echo 0 > /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:kworker/8:1 state:D stack:0 pid:251 ppid:2 flags:0x00004000\n Workqueue: events async_pf_execute [kvm]\n Call Trace:\n \n __schedule+0x33f/0xa40\n schedule+0x53/0xc0\n schedule_timeout+0x12a/0x140\n __wait_for_common+0x8d/0x1d0\n __flush_work.isra.0+0x19f/0x2c0\n kvm_clear_async_pf_completion_queue+0x129/0x190 [kvm]\n kvm_arch_destroy_vm+0x78/0x1b0 [kvm]\n kvm_put_kvm+0x1c1/0x320 [kvm]\n async_pf_execute+0x198/0x260 [kvm]\n process_one_work+0x145/0x2d0\n worker_thread+0x27e/0x3a0\n kthread+0xba/0xe0\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n \n\nIf kvm_clear_async_pf_completion_queue() actually flushes the workqueue,\nthen there's no need to gift async_pf_execute() a reference because all\ninvocations of async_pf_execute() will be forced to complete before the\nvCPU and its VM are destroyed/freed. And that in turn fixes the module\nunloading bug as __fput() won't do module_put() on the last vCPU reference\nuntil the vCPU has been freed, e.g. if closing the vCPU file also puts the\nlast reference to the KVM module.\n\nNote that kvm_check_async_pf_completion() may also take the work item off\nthe completion queue and so also needs to flush the work queue, as the\nwork will not be seen by kvm_clear_async_pf_completion_queue(). Waiting\non the workqueue could theoretically delay a vCPU due to waiting for the\nwork to complete, but that's a very, very small chance, and likely a very\nsmall delay. kvm_arch_async_page_present_queued() unconditionally makes a\nnew request, i.e. will effectively delay entering the guest, so the\nremaining work is really just:\n\n trace_kvm_async_pf_completed(addr, cr2_or_gpa);\n\n __kvm_vcpu_wake_up(vcpu);\n\n mmput(mm);\n\nand mmput() can't drop the last reference to the page tables if the vCPU is\nstill alive, i.e. the vCPU won't get stuck tearing down page tables.\n\nAdd a helper to do the flushing, specifically to deal with \"wakeup all\"\nwork items, as they aren't actually work items, i.e. are never placed in a\nworkqueue. Trying to flush a bogus workqueue entry rightly makes\n__flush_work() complain (kudos to whoever added that sanity check).\n\nNote, commit 5f6de5cbebee (\"KVM: Prevent module exit until al\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26976", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26976" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24444af5ddf729376b90db0f135fa19973cb5dab" + }, + { + "url": "https://git.kernel.org/stable/c/867a2f598af6a645c865d1101b58c5e070c6dd9e" + }, + { + "url": "https://git.kernel.org/stable/c/a583117668ddb86e98f2e11c7caa3db0e6df52a3" + }, + { + "url": "https://git.kernel.org/stable/c/8feb1652afe9c5d019059a55c90f70690dce0f52" + }, + { + "url": "https://git.kernel.org/stable/c/f7442a634ac06b953fc1f7418f307b25acd4cfbc" + }, + { + "url": "https://git.kernel.org/linus/f7442a634ac06b953fc1f7418f307b25acd4cfbc(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35907" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-212", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35907" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: call request_irq() after NAPI initialized\n\nThe mlxbf_gige driver encounters a NULL pointer exception in\nmlxbf_gige_open() when kdump is enabled. The sequence to reproduce\nthe exception is as follows:\na) enable kdump\nb) trigger kdump via \"echo c > /proc/sysrq-trigger\"\nc) kdump kernel executes\nd) kdump kernel loads mlxbf_gige module\ne) the mlxbf_gige module runs its open() as the\n the \"oob_net0\" interface is brought up\nf) mlxbf_gige module will experience an exception\n during its open(), something like:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000086000004\n EC = 0x21: IABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\n user pgtable: 4k pages, 48-bit VAs, pgdp=00000000e29a4000\n [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n Internal error: Oops: 0000000086000004 [#1] SMP\n CPU: 0 PID: 812 Comm: NetworkManager Tainted: G OE 5.15.0-1035-bluefield #37-Ubuntu\n Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.6.0.13024 Jan 19 2024\n pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : 0x0\n lr : __napi_poll+0x40/0x230\n sp : ffff800008003e00\n x29: ffff800008003e00 x28: 0000000000000000 x27: 00000000ffffffff\n x26: ffff000066027238 x25: ffff00007cedec00 x24: ffff800008003ec8\n x23: 000000000000012c x22: ffff800008003eb7 x21: 0000000000000000\n x20: 0000000000000001 x19: ffff000066027238 x18: 0000000000000000\n x17: ffff578fcb450000 x16: ffffa870b083c7c0 x15: 0000aaab010441d0\n x14: 0000000000000001 x13: 00726f7272655f65 x12: 6769675f6662786c\n x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa870b0842398\n x8 : 0000000000000004 x7 : fe5a48b9069706ea x6 : 17fdb11fc84ae0d2\n x5 : d94a82549d594f35 x4 : 0000000000000000 x3 : 0000000000400100\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000066027238\n Call trace:\n 0x0\n net_rx_action+0x178/0x360\n __do_softirq+0x15c/0x428\n __irq_exit_rcu+0xac/0xec\n irq_exit+0x18/0x2c\n handle_domain_irq+0x6c/0xa0\n gic_handle_irq+0xec/0x1b0\n call_on_irq_stack+0x20/0x2c\n do_interrupt_handler+0x5c/0x70\n el1_interrupt+0x30/0x50\n el1h_64_irq_handler+0x18/0x2c\n el1h_64_irq+0x7c/0x80\n __setup_irq+0x4c0/0x950\n request_threaded_irq+0xf4/0x1bc\n mlxbf_gige_request_irqs+0x68/0x110 [mlxbf_gige]\n mlxbf_gige_open+0x5c/0x170 [mlxbf_gige]\n __dev_open+0x100/0x220\n __dev_change_flags+0x16c/0x1f0\n dev_change_flags+0x2c/0x70\n do_setlink+0x220/0xa40\n __rtnl_newlink+0x56c/0x8a0\n rtnl_newlink+0x58/0x84\n rtnetlink_rcv_msg+0x138/0x3c4\n netlink_rcv_skb+0x64/0x130\n rtnetlink_rcv+0x20/0x30\n netlink_unicast+0x2ec/0x360\n netlink_sendmsg+0x278/0x490\n __sock_sendmsg+0x5c/0x6c\n ____sys_sendmsg+0x290/0x2d4\n ___sys_sendmsg+0x84/0xd0\n __sys_sendmsg+0x70/0xd0\n __arm64_sys_sendmsg+0x2c/0x40\n invoke_syscall+0x78/0x100\n el0_svc_common.constprop.0+0x54/0x184\n do_el0_svc+0x30/0xac\n el0_svc+0x48/0x160\n el0t_64_sync_handler+0xa4/0x12c\n el0t_64_sync+0x1a4/0x1a8\n Code: bad PC value\n ---[ end trace 7d1c3f3bf9d81885 ]---\n Kernel panic - not syncing: Oops: Fatal exception in interrupt\n Kernel Offset: 0x2870a7a00000 from 0xffff800008000000\n PHYS_OFFSET: 0x80000000\n CPU features: 0x0,000005c1,a3332a5a\n Memory Limit: none\n ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nThe exception happens because there is a pending RX interrupt before the\ncall to request_irq(RX IRQ) executes. Then, the RX IRQ handler fires\nimmediately after this request_irq() completes. The\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35907", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35907" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54PLF5J33IRSLSR4UU6LQSMXX6FI5AOQ/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255497" + }, + { + "url": "https://patchwork.kernel.org/project/linux-wireless/patch/20231208043433.271449-1-hdthky0@gmail.com/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C25BK2YH5MZ6VNQXKF2NAJBTGXVEPKGC/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-7042" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=ad25ee36f00172f7d53242dc77c69fff7ced0755" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-7042" + }, + { + "url": "https://lore.kernel.org/all/20231208043433.271449-1-hdthky0@gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/?h=ath-next" + } + ], + "bom-ref": "vuln-213", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-7042" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + } + } + ], + "created": "2023-12-21T20:15:09Z", + "description": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-7042", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-22T05:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4" + }, + { + "url": "https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326" + }, + { + "url": "https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d5812d4e" + }, + { + "url": "https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581" + }, + { + "url": "https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a" + }, + { + "url": "https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26601" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-052.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-040.html" + }, + { + "url": "https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e(6.8-rc3)" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-214", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26601" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601" + } + } + ], + "created": "2024-02-26T16:27:59Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-17T18:03:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-16T09:06:04Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2dcda336b6e80b72d58d30d40f2fad9724e5fe63" + }, + { + "url": "https://git.kernel.org/stable/c/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da" + }, + { + "url": "https://git.kernel.org/stable/c/0c5541b4c980626fa3cab16ba1a451757778bbb5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26952" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da(6.9-rc1)" + } + ], + "bom-ref": "vuln-215", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26952" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix potencial out-of-bounds when buffer offset is invalid\n\nI found potencial out-of-bounds when buffer offset fields of a few requests\nis invalid. This patch set the minimum value of buffer offset field to\n->Buffer offset to validate buffer length.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26952", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26952" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4961acdd65c956e97c1a000c82d91a8c1cdbe44b" + }, + { + "url": "https://git.kernel.org/stable/c/417b8a91f4e8831cadaf85c3f15c6991c1f54dde" + }, + { + "url": "https://git.kernel.org/stable/c/7ea0f29d9fd84905051be020c0df7d557e286136" + }, + { + "url": "https://git.kernel.org/stable/c/7c972c89457511007dfc933814c06786905e515c" + }, + { + "url": "https://git.kernel.org/stable/c/b8094c0f1aae329b1c60a275a780d6c2c9ff7aa3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4961acdd65c956e97c1a000c82d91a8c1cdbe44b(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52588" + } + ], + "bom-ref": "vuln-216", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52588" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to tag gcing flag on page during block migration\n\nIt needs to add missing gcing flag on page during block migration,\nin order to garantee migrated data be persisted during checkpoint,\notherwise out-of-order persistency between data and node may cause\ndata corruption after SPOR.\n\nSimilar issue was fixed by commit 2d1fe8a86bf5 (\"f2fs: fix to tag\ngcing flag on page during file defragment\").", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52588", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52588" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8de1584ec4fe0ebea33c273036e7e0a05e65c81d" + }, + { + "url": "https://git.kernel.org/stable/c/67b2d35853c2da25a8ca1c4190a5e96d3083c2ac" + }, + { + "url": "https://git.kernel.org/stable/c/d7a68eee87b05d4e29419e6f151aef99314970a9" + }, + { + "url": "https://git.kernel.org/stable/c/ec7587eef003cab15a13446d67c3adb88146a150" + }, + { + "url": "https://git.kernel.org/stable/c/8f0d32004e3a572bb77e6c11c2797c87f8c9703d" + }, + { + "url": "https://git.kernel.org/stable/c/a859f6a8f4234b8ef62862bf7a92f1af5f8cd47a" + }, + { + "url": "https://git.kernel.org/stable/c/09c0ac18cac206ed1218b1fe6c1a0918e5ea9211" + }, + { + "url": "https://git.kernel.org/stable/c/b73377124f56d2fec154737c2f8d2e839c237d5a" + }, + { + "url": "https://git.kernel.org/stable/c/a27d4d0e7de305def8a5098a614053be208d1aa1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26931" + }, + { + "url": "https://git.kernel.org/linus/a27d4d0e7de305def8a5098a614053be208d1aa1(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-217", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26931" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix command flush on cable pull\n\nSystem crash due to command failed to flush back to SCSI layer.\n\n BUG: unable to handle kernel NULL pointer dereference at 0000000000000000\n PGD 0 P4D 0\n Oops: 0000 [#1] SMP NOPTI\n CPU: 27 PID: 793455 Comm: kworker/u130:6 Kdump: loaded Tainted: G OE --------- - - 4.18.0-372.9.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n Workqueue: nvme-wq nvme_fc_connect_ctrl_work [nvme_fc]\n RIP: 0010:__wake_up_common+0x4c/0x190\n Code: 24 10 4d 85 c9 74 0a 41 f6 01 04 0f 85 9d 00 00 00 48 8b 43 08 48 83 c3 08 4c 8d 48 e8 49 8d 41 18 48 39 c3 0f 84 f0 00 00 00 <49> 8b 41 18 89 54 24 08 31 ed 4c 8d 70 e8 45 8b 29 41 f6 c5 04 75\n RSP: 0018:ffff95f3e0cb7cd0 EFLAGS: 00010086\n RAX: 0000000000000000 RBX: ffff8b08d3b26328 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffff8b08d3b26320\n RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffffffffffe8\n R10: 0000000000000000 R11: ffff95f3e0cb7a60 R12: ffff95f3e0cb7d20\n R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000\n FS: 0000000000000000(0000) GS:ffff8b2fdf6c0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000002f1e410002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n __wake_up_common_lock+0x7c/0xc0\n qla_nvme_ls_req+0x355/0x4c0 [qla2xxx]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae1407ca000 from port 21:32:00:02:ac:07:ee:b8 loop_id 0x02 s_id 01:02:00 logout 1 keep 0 els_logo 0\n ? __nvme_fc_send_ls_req+0x260/0x380 [nvme_fc]\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:00:02:ac:07:ee:b8 state transitioned from ONLINE to LOST - portid=010200.\n ? nvme_fc_send_ls_req.constprop.42+0x1a/0x45 [nvme_fc]\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320002ac07eeb8. rport ffff8ae598122000 roles 1\n ? nvme_fc_connect_ctrl_work.cold.63+0x1e3/0xa7d [nvme_fc]\n qla2xxx [0000:12:00.1]-f084:3: qlt_free_session_done: se_sess 0000000000000000 / sess ffff8ae14801e000 from port 21:32:01:02:ad:f7:ee:b8 loop_id 0x04 s_id 01:02:01 logout 1 keep 0 els_logo 0\n ? __switch_to+0x10c/0x450\n ? process_one_work+0x1a7/0x360\n qla2xxx [0000:12:00.1]-207d:3: FCPort 21:32:01:02:ad:f7:ee:b8 state transitioned from ONLINE to LOST - portid=010201.\n ? worker_thread+0x1ce/0x390\n ? create_worker+0x1a0/0x1a0\n qla2xxx [0000:12:00.1]-2109:3: qla2x00_schedule_rport_del 21320102adf7eeb8. rport ffff8ae3b2312800 roles 70\n ? kthread+0x10a/0x120\n qla2xxx [0000:12:00.1]-2112:3: qla_nvme_unregister_remote_port: unregister remoteport on ffff8ae14801e000 21320102adf7eeb8\n ? set_kthread_struct+0x40/0x40\n qla2xxx [0000:12:00.1]-2110:3: remoteport_delete of ffff8ae14801e000 21320102adf7eeb8 completed.\n ? ret_from_fork+0x1f/0x40\n qla2xxx [0000:12:00.1]-f086:3: qlt_free_session_done: waiting for sess ffff8ae14801e000 logout\n\nThe system was under memory stress where driver was not able to allocate an\nSRB to carry out error recovery of cable pull. The failure to flush causes\nupper layer to start modifying scsi_cmnd. When the system frees up some\nmemory, the subsequent cable pull trigger another command flush. At this\npoint the driver access a null pointer when attempting to DMA unmap the\nSGL.\n\nAdd a check to make sure commands are flush back on session tear down to\nprevent the null pointer access.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26931", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26931" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4e75e222d397c6752b229ed72fc4644c8c36ecde" + }, + { + "url": "https://git.kernel.org/stable/c/5fd72404587d7db4acb2d241fd8c387afb0a7aec" + }, + { + "url": "https://git.kernel.org/stable/c/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f" + }, + { + "url": "https://git.kernel.org/stable/c/ad3c3ac7a03be3697114f781193dd3e9d97e6e23" + }, + { + "url": "https://git.kernel.org/stable/c/40f1d79f07b49c8a64a861706e5163f2db4bd95d" + }, + { + "url": "https://git.kernel.org/stable/c/5a09eae9a7db597fe0c1fc91636205b4a25d2620" + }, + { + "url": "https://git.kernel.org/stable/c/357c64ef1ef39b1e7cd91ab6bdd304d043702c83" + }, + { + "url": "https://git.kernel.org/stable/c/e3425674ff68dc521c57c6eabad0cbd20a027d85" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35984" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f(6.9-rc6)" + } + ], + "bom-ref": "vuln-218", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35984" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: smbus: fix NULL function pointer dereference\n\nBaruch reported an OOPS when using the designware controller as target\nonly. Target-only modes break the assumption of one transfer function\nalways being available. Fix this by always checking the pointer in\n__i2c_transfer.\n\n[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35984", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35984" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7874ab3105ca4657102fee1cc14b0af70883c484" + }, + { + "url": "https://git.kernel.org/stable/c/e019d87e02f1e539ae48b99187f253847744ca7a" + }, + { + "url": "https://git.kernel.org/stable/c/330caa061af53ea6d287d7c43d0703714e510e08" + }, + { + "url": "https://git.kernel.org/stable/c/2d9fe7787af01188dc470a649bdbb842d6511fd7" + }, + { + "url": "https://git.kernel.org/stable/c/9ccfe80d022df7c595f1925afb31de2232900656" + }, + { + "url": "https://git.kernel.org/stable/c/14613d52bc7fc180df6d2c65ba65fc921fc1dda7" + }, + { + "url": "https://git.kernel.org/stable/c/6ac7c7a3a9ab57aba0fe78ecb922d2b20e16efeb" + }, + { + "url": "https://git.kernel.org/stable/c/29fde8895b2fcc33f44aea28c644ce2d9b62f9e0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27044" + }, + { + "url": "https://git.kernel.org/linus/9ccfe80d022df7c595f1925afb31de2232900656(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-219", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27044" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix potential NULL pointer dereferences in 'dcn10_set_output_transfer_func()'\n\nThe 'stream' pointer is used in dcn10_set_output_transfer_func() before\nthe check if 'stream' is NULL.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27044", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27044" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fc74b9cb789cae061bbca7b203a3842e059f6b5d" + }, + { + "url": "https://git.kernel.org/stable/c/41ccb5bcbf03f02d820bc6ea8390811859f558f8" + }, + { + "url": "https://git.kernel.org/stable/c/4dd684d4bb3cd5454e0bf6e2a1bdfbd5c9c872ed" + }, + { + "url": "https://git.kernel.org/stable/c/efe7cf828039aedb297c1f9920b638fffee6aabc" + }, + { + "url": "https://git.kernel.org/stable/c/f84e7534457dcd7835be743517c35378bb4e7c50" + }, + { + "url": "https://git.kernel.org/stable/c/978e50ef8c38dc71bd14d1b0143d554ff5d188ba" + }, + { + "url": "https://git.kernel.org/stable/c/08de58abedf6e69396e1207e4f99ef8904b2b532" + }, + { + "url": "https://git.kernel.org/linus/efe7cf828039aedb297c1f9920b638fffee6aabc(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52637" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-220", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52637" + } + } + ], + "created": "2024-04-03T15:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)\n\nLock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)\nmodifies jsk->filters while receiving packets.\n\nFollowing trace was seen on affected system:\n ==================================================================\n BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n Read of size 4 at addr ffff888012144014 by task j1939/350\n\n CPU: 0 PID: 350 Comm: j1939 Tainted: G W OE 6.5.0-rc5 #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\n Call Trace:\n print_report+0xd3/0x620\n ? kasan_complete_mode_report_info+0x7d/0x200\n ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n kasan_report+0xc2/0x100\n ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n __asan_load4+0x84/0xb0\n j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]\n j1939_sk_recv+0x20b/0x320 [can_j1939]\n ? __kasan_check_write+0x18/0x20\n ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]\n ? j1939_simple_recv+0x69/0x280 [can_j1939]\n ? j1939_ac_recv+0x5e/0x310 [can_j1939]\n j1939_can_recv+0x43f/0x580 [can_j1939]\n ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n ? raw_rcv+0x42/0x3c0 [can_raw]\n ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]\n can_rcv_filter+0x11f/0x350 [can]\n can_receive+0x12f/0x190 [can]\n ? __pfx_can_rcv+0x10/0x10 [can]\n can_rcv+0xdd/0x130 [can]\n ? __pfx_can_rcv+0x10/0x10 [can]\n __netif_receive_skb_one_core+0x13d/0x150\n ? __pfx___netif_receive_skb_one_core+0x10/0x10\n ? __kasan_check_write+0x18/0x20\n ? _raw_spin_lock_irq+0x8c/0xe0\n __netif_receive_skb+0x23/0xb0\n process_backlog+0x107/0x260\n __napi_poll+0x69/0x310\n net_rx_action+0x2a1/0x580\n ? __pfx_net_rx_action+0x10/0x10\n ? __pfx__raw_spin_lock+0x10/0x10\n ? handle_irq_event+0x7d/0xa0\n __do_softirq+0xf3/0x3f8\n do_softirq+0x53/0x80\n \n \n __local_bh_enable_ip+0x6e/0x70\n netif_rx+0x16b/0x180\n can_send+0x32b/0x520 [can]\n ? __pfx_can_send+0x10/0x10 [can]\n ? __check_object_size+0x299/0x410\n raw_sendmsg+0x572/0x6d0 [can_raw]\n ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n ? apparmor_socket_sendmsg+0x2f/0x40\n ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]\n sock_sendmsg+0xef/0x100\n sock_write_iter+0x162/0x220\n ? __pfx_sock_write_iter+0x10/0x10\n ? __rtnl_unlock+0x47/0x80\n ? security_file_permission+0x54/0x320\n vfs_write+0x6ba/0x750\n ? __pfx_vfs_write+0x10/0x10\n ? __fget_light+0x1ca/0x1f0\n ? __rcu_read_unlock+0x5b/0x280\n ksys_write+0x143/0x170\n ? __pfx_ksys_write+0x10/0x10\n ? __kasan_check_read+0x15/0x20\n ? fpregs_assert_state_consistent+0x62/0x70\n __x64_sys_write+0x47/0x60\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6d/0x90\n ? irqentry_exit+0x3f/0x50\n ? exc_page_fault+0x79/0xf0\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 348:\n kasan_save_stack+0x2a/0x50\n kasan_set_track+0x29/0x40\n kasan_save_alloc_info+0x1f/0x30\n __kasan_kmalloc+0xb5/0xc0\n __kmalloc_node_track_caller+0x67/0x160\n j1939_sk_setsockopt+0x284/0x450 [can_j1939]\n __sys_setsockopt+0x15c/0x2f0\n __x64_sys_setsockopt+0x6b/0x80\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 349:\n kasan_save_stack+0x2a/0x50\n kasan_set_track+0x29/0x40\n kasan_save_free_info+0x2f/0x50\n __kasan_slab_free+0x12e/0x1c0\n __kmem_cache_free+0x1b9/0x380\n kfree+0x7a/0x120\n j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]\n __sys_setsockopt+0x15c/0x2f0\n __x64_sys_setsockopt+0x6b/0x80\n do_syscall_64+0x60/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52637", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52637" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/242006996d15f5ca62e22f8c7de077d9c4a8f367" + }, + { + "url": "https://git.kernel.org/stable/c/ecbd9ced84dd655a8f4cd49d2aad0e80dbf6bf35" + }, + { + "url": "https://git.kernel.org/stable/c/7d3765550374f71248c55e6206ea1d6fd4537e65" + }, + { + "url": "https://git.kernel.org/stable/c/38b43539d64b2fa020b3b9a752a986769f87f7a6" + }, + { + "url": "https://git.kernel.org/stable/c/c9d3d2fbde9b8197bce88abcbe8ee8e713ffe7c2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35826" + }, + { + "url": "https://git.kernel.org/linus/38b43539d64b2fa020b3b9a752a986769f87f7a6(6.9-rc1)" + } + ], + "bom-ref": "vuln-221", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35826" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix page refcounts for unaligned buffers in __bio_release_pages()\n\nFix an incorrect number of pages being released for buffers that do not\nstart at the beginning of a page.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35826", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35826" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b7586e902128e4fb7bfbb661cb52e4215a65637b" + }, + { + "url": "https://git.kernel.org/stable/c/437a111f79a2f5b2a5f21e27fdec6f40c8768712" + }, + { + "url": "https://git.kernel.org/stable/c/f20c3270f3ed5aa6919a87e4de9bf6c05fb57086" + }, + { + "url": "https://git.kernel.org/stable/c/d0f5c28333822f9baa5280d813124920720fd856" + }, + { + "url": "https://git.kernel.org/stable/c/35674111a043b0482a9bc69da8850a83f465b07d" + }, + { + "url": "https://git.kernel.org/stable/c/0d3fe80b6d175c220b3e252efc6c6777e700e98e" + }, + { + "url": "https://git.kernel.org/stable/c/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5" + }, + { + "url": "https://git.kernel.org/stable/c/779e8db7efb22316c8581d6c229636d2f5694a62" + }, + { + "url": "https://git.kernel.org/stable/c/096237039d00c839f3e3a5fe6d001bf0db45b644" + }, + { + "url": "https://git.kernel.org/linus/8c64f4cdf4e6cc5682c52523713af8c39c94e6d5(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27043" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-222", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27043" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: edia: dvbdev: fix a use-after-free\n\nIn dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed\nin several error-handling paths. However, *pdvbdev is not set to NULL\nafter dvbdev's deallocation, causing use-after-frees in many places,\nfor example, in the following call chain:\n\nbudget_register\n |-> dvb_dmxdev_init\n |-> dvb_register_device\n |-> dvb_dmxdev_release\n |-> dvb_unregister_device\n |-> dvb_remove_device\n |-> dvb_device_put\n |-> kref_put\n\nWhen calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in\ndvb_register_device) could point to memory that had been freed in\ndvb_register_device. Thereafter, this pointer is transferred to\nkref_put and triggering a use-after-free.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27043", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27043" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3eadd887dbac1df8f25f701e5d404d1b90fd0fea" + }, + { + "url": "https://git.kernel.org/stable/c/5a2f957e3c4553bbb100504a1acfeaeb33f4ca4e" + }, + { + "url": "https://git.kernel.org/stable/c/d2dc6600d4e3e1453e3b1fb233e9f97e2a1ae949" + }, + { + "url": "https://git.kernel.org/stable/c/41586487769eede64ab1aa6c65c74cbf76c12ef0" + }, + { + "url": "https://git.kernel.org/stable/c/8ceb873d816786a7c8058f50d903574aff8d3764" + }, + { + "url": "https://git.kernel.org/stable/c/18c8cc6680ce938d0458859b6a08b4d34f7d8055" + }, + { + "url": "https://git.kernel.org/stable/c/04e018bd913d3d3336ab7d21c2ad31a9175fe984" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35950" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/3eadd887dbac1df8f25f701e5d404d1b90fd0fea(6.9-rc4)" + } + ], + "bom-ref": "vuln-223", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35950" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Fully protect modes[] with dev->mode_config.mutex\n\nThe modes[] array contains pointers to modes on the connectors'\nmode lists, which are protected by dev->mode_config.mutex.\nThus we need to extend modes[] the same protection or by the\ntime we use it the elements may already be pointing to\nfreed/reused memory.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35950", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35950" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2248755" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6039" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6534-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6534-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6628-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6628-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6626-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6626-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6039" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6626-1" + }, + { + "url": "https://git.kernel.org/linus/1e7417c188d0a83fb385ba2dbe35fd2563f2b6f3(6.5-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6534-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6706-1" + } + ], + "bom-ref": "vuln-224", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6039" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" + } + } + ], + "created": "2023-11-09T15:15:09Z", + "description": "A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-6039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6039" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-16T17:59:48Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f6723d8dbfdc10c784a56748f86a9a3cd410dbd5" + }, + { + "url": "https://git.kernel.org/stable/c/5c03387021cfa3336b97e0dcba38029917a8af2a" + }, + { + "url": "https://git.kernel.org/stable/c/ca914f1cdee8a85799942c9b0ce5015bbd6844e1" + }, + { + "url": "https://git.kernel.org/stable/c/77fd5294ea09b21f6772ac954a121b87323cec80" + }, + { + "url": "https://git.kernel.org/stable/c/ec6bb01e02cbd47781dd90775b631a1dc4bd9d2b" + }, + { + "url": "https://git.kernel.org/stable/c/b0ec2abf98267f14d032102551581c833b0659d3" + }, + { + "url": "https://git.kernel.org/stable/c/c4c857723b37c20651300b3de4ff25059848b4b0" + }, + { + "url": "https://git.kernel.org/stable/c/60044ab84836359534bd7153b92e9c1584140e4a" + }, + { + "url": "https://git.kernel.org/linus/b0ec2abf98267f14d032102551581c833b0659d3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26882" + } + ], + "bom-ref": "vuln-225", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26882" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26882" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()\n\nApply the same fix than ones found in :\n\n8d975c15c0cd (\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n1ca1ba465e55 (\"geneve: make sure to pull inner header in geneve_rx()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\nsyzbot reported:\nBUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409\n __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389\n ipgre_rcv net/ipv4/ip_gre.c:411 [inline]\n gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447\n gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163\n ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:461 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n netif_receive_skb_internal net/core/dev.c:5734 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5793\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556\n tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n call_write_iter include/linux/fs.h:2087 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb6b/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590\n alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133\n alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204\n skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909\n tun_build_skb drivers/net/tun.c:1686 [inline]\n tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055\n call_write_iter include/linux/fs.h:2087 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0xb6b/0x1520 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26882", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26882" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:38:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1f8d0691c50581ba6043f009ec9e8b9f78f09d5a" + }, + { + "url": "https://git.kernel.org/stable/c/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21" + }, + { + "url": "https://git.kernel.org/stable/c/6be99c51829b24c914cef5bff6164877178e84d9" + }, + { + "url": "https://git.kernel.org/stable/c/609c7c1cc976e740d0fed4dbeec688b3ecb5dce2" + }, + { + "url": "https://git.kernel.org/stable/c/491528935c9c48bf341d8b40eabc6c4fc5df6f2c" + }, + { + "url": "https://git.kernel.org/stable/c/7a14b8a477b88607d157c24aeb23e7389ec3319f" + }, + { + "url": "https://git.kernel.org/stable/c/d074d5ff5ae77b18300e5079c6bda6342a4d44b7" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26593" + }, + { + "url": "https://git.kernel.org/linus/c1c9d0f6f7f1dbf29db996bd8e166242843a5f21(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-226", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26593" + } + }, + { + "severity": "high", + "score": 7.1, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593" + } + } + ], + "created": "2024-02-23T10:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Fix block process call transactions\n\nAccording to the Intel datasheets, software must reset the block\nbuffer index twice for block process call transactions: once before\nwriting the outgoing data to the buffer, and once again before\nreading the incoming data from the buffer.\n\nThe driver is currently missing the second reset, causing the wrong\nportion of the block buffer to be read.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26593", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26593" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-19T17:58:44Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a2e706841488f474c06e9b33f71afc947fb3bf56" + }, + { + "url": "https://git.kernel.org/stable/c/89aa78a34340e9dbc3248095f44d81d0e1c23193" + }, + { + "url": "https://git.kernel.org/stable/c/db006d7edbf0b4800390ece3727a82f4ae764043" + }, + { + "url": "https://git.kernel.org/stable/c/0d43a58900e5a2bfcc9de47e16c6c501c0bef853" + }, + { + "url": "https://git.kernel.org/stable/c/489e05c614dbeb1a1148959f02bdb788891819e6" + }, + { + "url": "https://git.kernel.org/stable/c/46803b776d869b0c36041828a83c4f7da2dfa03b" + }, + { + "url": "https://git.kernel.org/stable/c/4f2efa17c3ec5e4be0567b47439b9713c0dc6550" + }, + { + "url": "https://git.kernel.org/stable/c/652b0b35819610a42b8a90d21acb12f69943b397" + }, + { + "url": "https://git.kernel.org/linus/a2e706841488f474c06e9b33f71afc947fb3bf56(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27423" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-227", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27423" + } + } + ], + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_requested_window_size\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27423", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27423" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f69e81396aea66304d214f175aa371f1b5578862" + }, + { + "url": "https://git.kernel.org/stable/c/82827ca21e7c8a91384c5baa656f78a5adfa4ab4" + }, + { + "url": "https://git.kernel.org/stable/c/c3b5c5c31e723b568f83d8cafab8629d9d830ffb" + }, + { + "url": "https://git.kernel.org/stable/c/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba" + }, + { + "url": "https://git.kernel.org/stable/c/2e2619ff5d0def4bb6c2037a32a6eaa28dd95c84" + }, + { + "url": "https://git.kernel.org/stable/c/b67189690eb4b7ecc84ae16fa1e880e0123eaa35" + }, + { + "url": "https://git.kernel.org/stable/c/a8e4d098de1c0f4c5c1f2ed4633a860f0da6d713" + }, + { + "url": "https://git.kernel.org/stable/c/9cbe1ad5f4354f4df1445e5f4883983328cd6d8e" + }, + { + "url": "https://git.kernel.org/stable/c/46b832e09d43b394ac0f6d9485d2b1a06593f0b7" + }, + { + "url": "https://git.kernel.org/linus/f2f26b4a84a0ef41791bd2d70861c8eac748f4ba(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26956" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-228", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26956" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix failure to detect DAT corruption in btree and direct mappings\n\nPatch series \"nilfs2: fix kernel bug at submit_bh_wbc()\".\n\nThis resolves a kernel BUG reported by syzbot. Since there are two\nflaws involved, I've made each one a separate patch.\n\nThe first patch alone resolves the syzbot-reported bug, but I think\nboth fixes should be sent to stable, so I've tagged them as such.\n\n\nThis patch (of 2):\n\nSyzbot has reported a kernel bug in submit_bh_wbc() when writing file data\nto a nilfs2 file system whose metadata is corrupted.\n\nThere are two flaws involved in this issue.\n\nThe first flaw is that when nilfs_get_block() locates a data block using\nbtree or direct mapping, if the disk address translation routine\nnilfs_dat_translate() fails with internal code -ENOENT due to DAT metadata\ncorruption, it can be passed back to nilfs_get_block(). This causes\nnilfs_get_block() to misidentify an existing block as non-existent,\ncausing both data block lookup and insertion to fail inconsistently.\n\nThe second flaw is that nilfs_get_block() returns a successful status in\nthis inconsistent state. This causes the caller __block_write_begin_int()\nor others to request a read even though the buffer is not mapped,\nresulting in a BUG_ON check for the BH_Mapped flag in submit_bh_wbc()\nfailing.\n\nThis fixes the first issue by changing the return value to code -EINVAL\nwhen a conversion using DAT fails with code -ENOENT, avoiding the\nconflicting condition that leads to the kernel bug described above. Here,\ncode -EINVAL indicates that metadata corruption was detected during the\nblock lookup, which will be properly handled as a file system error and\nconverted to -EIO when passing through the nilfs2 bmap layer.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26956", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26956" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6b47cdeb786c38e4174319218db3fa6d7b4bba88" + }, + { + "url": "https://git.kernel.org/stable/c/52f9041deaca3fc5c40ef3b9cb943993ec7d2489" + }, + { + "url": "https://git.kernel.org/stable/c/b64092d2f108f0cd1d7fd7e176f5fb2a67a2f189" + }, + { + "url": "https://git.kernel.org/stable/c/e60502b907be350c518819297b565007a94c706d" + }, + { + "url": "https://git.kernel.org/stable/c/73e87c0a49fda31d7b589edccf4c72e924411371" + }, + { + "url": "https://git.kernel.org/linus/73e87c0a49fda31d7b589edccf4c72e924411371(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35851" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-229", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35851" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: qca: fix NULL-deref on non-serdev suspend\n\nQualcomm ROME controllers can be registered from the Bluetooth line\ndiscipline and in this case the HCI UART serdev pointer is NULL.\n\nAdd the missing sanity check to prevent a NULL-pointer dereference when\nwakeup() is called for a non-serdev controller during suspend.\n\nJust return true for now to restore the original behaviour and address\nthe crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657\n(\"Bluetooth: hci_qca: only assign wakeup with serial port support\") that\ncauses the crash to happen already at setup() time.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35851", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35851" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf" + }, + { + "url": "https://git.kernel.org/stable/c/a2471d271042ea18e8a6babc132a8716bb2f08b9" + }, + { + "url": "https://git.kernel.org/stable/c/8bf7c76a2a207ca2b4cfda0a279192adf27678d7" + }, + { + "url": "https://git.kernel.org/stable/c/d06977b9a4109f8738bb276125eb6a0b772bc433" + }, + { + "url": "https://git.kernel.org/stable/c/cf366ee3bc1b7d1c76a882640ba3b3f8f1039163" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27016" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/87b3593bed1868b2d9fe096c01bcdf0ea86cbebf(6.9-rc5)" + } + ], + "bom-ref": "vuln-230", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27016" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: validate pppoe header\n\nEnsure there is sufficient room to access the protocol field of the\nPPPoe header. Validate it once before the flowtable lookup, then use a\nhelper function to access protocol field.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27016", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27016" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f87884e0dffd61b47e58bc6e1e2f6843c212b0cc" + }, + { + "url": "https://git.kernel.org/stable/c/d691be84ab898cf136a35176eaf2f8fc116563f0" + }, + { + "url": "https://git.kernel.org/stable/c/78739d72f16b2d7d549f713f1dfebd678d32484b" + }, + { + "url": "https://git.kernel.org/stable/c/45a83b220c83e3c326513269afbf69ae6fc65cce" + }, + { + "url": "https://git.kernel.org/stable/c/bba045dc4d996d03dce6fe45726e78a1a1f6d4c3" + }, + { + "url": "https://git.kernel.org/stable/c/fdf16de078a97bf14bb8ee2b8d47cc3d3ead09ed" + }, + { + "url": "https://git.kernel.org/stable/c/3f94da807fe1668b9830f0eefbbf7e887b0a7bc6" + }, + { + "url": "https://git.kernel.org/linus/bba045dc4d996d03dce6fe45726e78a1a1f6d4c3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26861" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-231", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26861" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: receive: annotate data-race around receiving_counter.counter\n\nSyzkaller with KCSAN identified a data-race issue when accessing\nkeypair->receiving_counter.counter. Use READ_ONCE() and WRITE_ONCE()\nannotations to mark the data race as intentional.\n\n BUG: KCSAN: data-race in wg_packet_decrypt_worker / wg_packet_rx_poll\n\n write to 0xffff888107765888 of 8 bytes by interrupt on cpu 0:\n counter_validate drivers/net/wireguard/receive.c:321 [inline]\n wg_packet_rx_poll+0x3ac/0xf00 drivers/net/wireguard/receive.c:461\n __napi_poll+0x60/0x3b0 net/core/dev.c:6536\n napi_poll net/core/dev.c:6605 [inline]\n net_rx_action+0x32b/0x750 net/core/dev.c:6738\n __do_softirq+0xc4/0x279 kernel/softirq.c:553\n do_softirq+0x5e/0x90 kernel/softirq.c:454\n __local_bh_enable_ip+0x64/0x70 kernel/softirq.c:381\n __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]\n _raw_spin_unlock_bh+0x36/0x40 kernel/locking/spinlock.c:210\n spin_unlock_bh include/linux/spinlock.h:396 [inline]\n ptr_ring_consume_bh include/linux/ptr_ring.h:367 [inline]\n wg_packet_decrypt_worker+0x6c5/0x700 drivers/net/wireguard/receive.c:499\n process_one_work kernel/workqueue.c:2633 [inline]\n ...\n\n read to 0xffff888107765888 of 8 bytes by task 3196 on cpu 1:\n decrypt_packet drivers/net/wireguard/receive.c:252 [inline]\n wg_packet_decrypt_worker+0x220/0x700 drivers/net/wireguard/receive.c:501\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706\n worker_thread+0x525/0x730 kernel/workqueue.c:2787\n ...", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26861", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26861" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9c41f4935625218a2053a2dce1423c3054169809" + }, + { + "url": "https://git.kernel.org/stable/c/76426abf9b980b46983f97de8e5b25047b4c9863" + }, + { + "url": "https://git.kernel.org/stable/c/96370ba395c572ef496fd2c7afc4a1ab3dedd3f0" + }, + { + "url": "https://git.kernel.org/stable/c/2afdd0cb02329464d77f3ec59468395c791a51a4" + }, + { + "url": "https://git.kernel.org/stable/c/058ed71e0f7aa3b6694ca357e23d084e5d3f2470" + }, + { + "url": "https://git.kernel.org/stable/c/106e14ca55a0acb3236ee98813a1d243f8aa2d05" + }, + { + "url": "https://git.kernel.org/stable/c/fe02316e4933befc621fa125efb8f8b4d04cceec" + }, + { + "url": "https://git.kernel.org/stable/c/5f7a07646655fb4108da527565dcdc80124b14c4" + }, + { + "url": "https://git.kernel.org/stable/c/a6ffae61ad9ebf2fdcb943135b2f30c85f49cd27" + }, + { + "url": "https://git.kernel.org/stable/c/f67898867b6b0f4542cddc7fe57997978b948a7a" + }, + { + "url": "https://git.kernel.org/stable/c/b94f434fe977689da4291dc21717790b9bd1c064" + }, + { + "url": "https://git.kernel.org/stable/c/854ebf45a4ddd4cadeffb6644e88d19020634e1a" + }, + { + "url": "https://git.kernel.org/stable/c/80b15346492bdba677bbb0adefc611910e505f7b" + }, + { + "url": "https://git.kernel.org/stable/c/5c78be006ed9cb735ac2abf4fd64f3f4ea26da31" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26848" + }, + { + "url": "https://git.kernel.org/linus/5f7a07646655fb4108da527565dcdc80124b14c4(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-232", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26848" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix endless loop in directory parsing\n\nIf a directory has a block with only \".__afsXXXX\" files in it (from\nuncompleted silly-rename), these .__afsXXXX files are skipped but without\nadvancing the file position in the dir_context. This leads to\nafs_dir_iterate() repeating the block again and again.\n\nFix this by making the code that skips the .__afsXXXX file also manually\nadvance the file position.\n\nThe symptoms are a soft lookup:\n\n watchdog: BUG: soft lockup - CPU#3 stuck for 52s! [check:5737]\n ...\n RIP: 0010:afs_dir_iterate_block+0x39/0x1fd\n ...\n ? watchdog_timer_fn+0x1a6/0x213\n ...\n ? asm_sysvec_apic_timer_interrupt+0x16/0x20\n ? afs_dir_iterate_block+0x39/0x1fd\n afs_dir_iterate+0x10a/0x148\n afs_readdir+0x30/0x4a\n iterate_dir+0x93/0xd3\n __do_sys_getdents64+0x6b/0xd4\n\nThis is almost certainly the actual fix for:\n\n https://bugzilla.kernel.org/show_bug.cgi?id=218496", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26848", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26848" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ae4acad41b0f93f1c26cc0fc9135bb79d8282d0b" + }, + { + "url": "https://git.kernel.org/stable/c/b2dd7b953c25ffd5912dda17e980e7168bebcf6c" + }, + { + "url": "https://git.kernel.org/stable/c/fb7bcd1722bc9bc55160378f5f99c01198fd14a7" + }, + { + "url": "https://git.kernel.org/stable/c/ec1bedd797588fe38fc11cba26d77bb1d9b194c6" + }, + { + "url": "https://git.kernel.org/stable/c/686820fe141ea0220fc6fdfc7e5694f915cf64b2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/b2dd7b953c25ffd5912dda17e980e7168bebcf6c(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52631" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-233", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52631" + } + } + ], + "created": "2024-04-02T07:15:40Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix an NULL dereference bug\n\nThe issue here is when this is called from ntfs_load_attr_list(). The\n\"size\" comes from le32_to_cpu(attr->res.data_size) so it can't overflow\non a 64bit systems but on 32bit systems the \"+ 1023\" can overflow and\nthe result is zero. This means that the kmalloc will succeed by\nreturning the ZERO_SIZE_PTR and then the memcpy() will crash with an\nOops on the next line.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52631", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52631" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7c787888d164689da8b1b115f3ef562c1e843af4" + }, + { + "url": "https://git.kernel.org/stable/c/60ddea1600bc476e0f5e02bce0e29a460ccbf0be" + }, + { + "url": "https://git.kernel.org/stable/c/52f671db18823089a02f07efc04efdb2272ddc17" + }, + { + "url": "https://git.kernel.org/linus/52f671db18823089a02f07efc04efdb2272ddc17(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26740" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-234", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26740" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: use the backlog for mirred ingress\n\nThe test Davide added in commit ca22da2fbd69 (\"act_mirred: use the backlog\nfor nested calls to mirred ingress\") hangs our testing VMs every 10 or so\nruns, with the familiar tcp_v4_rcv -> tcp_v4_rcv deadlock reported by\nlockdep.\n\nThe problem as previously described by Davide (see Link) is that\nif we reverse flow of traffic with the redirect (egress -> ingress)\nwe may reach the same socket which generated the packet. And we may\nstill be holding its socket lock. The common solution to such deadlocks\nis to put the packet in the Rx backlog, rather than run the Rx path\ninline. Do that for all egress -> ingress reversals, not just once\nwe started to nest mirred calls.\n\nIn the past there was a concern that the backlog indirection will\nlead to loss of error reporting / less accurate stats. But the current\nworkaround does not seem to address the issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26740", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26740" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6fc6233f6db1579b69b54b44571f1a7fde8186e6" + }, + { + "url": "https://git.kernel.org/stable/c/83e0f220d1e992fa074157fcf14945bf170ffbc5" + }, + { + "url": "https://git.kernel.org/stable/c/d1e546ab91c670e536a274a75481034ab7534876" + }, + { + "url": "https://git.kernel.org/stable/c/89709105a6091948ffb6ec2427954cbfe45358ce" + }, + { + "url": "https://git.kernel.org/stable/c/40624af6674745e174c754a20d7c53c250e65e7a" + }, + { + "url": "https://git.kernel.org/stable/c/03b1072616a8f7d6e8594f643b416a9467c83fbf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52662" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/89709105a6091948ffb6ec2427954cbfe45358ce(6.9-rc1)" + } + ], + "bom-ref": "vuln-235", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52662" + } + } + ], + "created": "2024-05-17T14:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node\n\nWhen ida_alloc_max fails, resources allocated before should be freed,\nincluding *res allocated by kmalloc and ttm_resource_init.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52662", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52662" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8c91c60858473731bcdaf04fda99fcbcf84420d4" + }, + { + "url": "https://git.kernel.org/stable/c/c6e77aa9dd82bc18a89bf49418f8f7e961cfccc8" + }, + { + "url": "https://git.kernel.org/stable/c/967caa3d37c078e5b95a32094657e6a4cad145f0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35961" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c6e77aa9dd82bc18a89bf49418f8f7e961cfccc8(6.9-rc4)" + } + ], + "bom-ref": "vuln-236", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35961" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Register devlink first under devlink lock\n\nIn case device is having a non fatal FW error during probe, the\ndriver will report the error to user via devlink. This will trigger\na WARN_ON, since mlx5 is calling devlink_register() last.\nIn order to avoid the WARN_ON[1], change mlx5 to invoke devl_register()\nfirst under devlink lock.\n\n[1]\nWARNING: CPU: 5 PID: 227 at net/devlink/health.c:483 devlink_recover_notify.constprop.0+0xb8/0xc0\nCPU: 5 PID: 227 Comm: kworker/u16:3 Not tainted 6.4.0-rc5_for_upstream_min_debug_2023_06_12_12_38 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nWorkqueue: mlx5_health0000:08:00.0 mlx5_fw_reporter_err_work [mlx5_core]\nRIP: 0010:devlink_recover_notify.constprop.0+0xb8/0xc0\nCall Trace:\n \n ? __warn+0x79/0x120\n ? devlink_recover_notify.constprop.0+0xb8/0xc0\n ? report_bug+0x17c/0x190\n ? handle_bug+0x3c/0x60\n ? exc_invalid_op+0x14/0x70\n ? asm_exc_invalid_op+0x16/0x20\n ? devlink_recover_notify.constprop.0+0xb8/0xc0\n devlink_health_report+0x4a/0x1c0\n mlx5_fw_reporter_err_work+0xa4/0xd0 [mlx5_core]\n process_one_work+0x1bb/0x3c0\n ? process_one_work+0x3c0/0x3c0\n worker_thread+0x4d/0x3c0\n ? process_one_work+0x3c0/0x3c0\n kthread+0xc6/0xf0\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x1f/0x30\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35961" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f4e294bbdca8ac8757db436fc82214f3882fc7e7" + }, + { + "url": "https://git.kernel.org/stable/c/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210" + }, + { + "url": "https://git.kernel.org/stable/c/28cdbbd38a4413b8eff53399b3f872fd4e80db9d" + }, + { + "url": "https://git.kernel.org/linus/166c2c8a6a4dc2e4ceba9e10cfe81c3e469e3210(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26739" + } + ], + "bom-ref": "vuln-237", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26739" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_mirred: don't override retval if we already lost the skb\n\nIf we're redirecting the skb, and haven't called tcf_mirred_forward(),\nyet, we need to tell the core to drop the skb by setting the retcode\nto SHOT. If we have called tcf_mirred_forward(), however, the skb\nis out of our hands and returning SHOT will lead to UaF.\n\nMove the retval override to the error path which actually need it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26739", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26739" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c2386ba80e779a92ec3bb64ccadbedd88f779b1" + }, + { + "url": "https://git.kernel.org/stable/c/f23a4d6e07570826fe95023ca1aa96a011fa9f84" + }, + { + "url": "https://git.kernel.org/stable/c/cea234bb214b17d004dfdccce4491e6ff57c96ee" + }, + { + "url": "https://git.kernel.org/stable/c/d4c34782b6d7b1e68d18d9549451b19433bd4c6c" + }, + { + "url": "https://git.kernel.org/stable/c/f4ff08fab66eb5c0b97e1a24edac052fb40bf5d7" + }, + { + "url": "https://git.kernel.org/stable/c/e293c773c13b830cdc251f155df2254981abc320" + }, + { + "url": "https://git.kernel.org/stable/c/3678cf67ff7136db1dd3bf63c361650db5d92889" + }, + { + "url": "https://git.kernel.org/stable/c/0053f15d50d50c9312d8ab9c11e2e405812dfcac" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26935" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f23a4d6e07570826fe95023ca1aa96a011fa9f84(6.9-rc2)" + } + ], + "bom-ref": "vuln-238", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26935" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Fix unremoved procfs host directory regression\n\nCommit fc663711b944 (\"scsi: core: Remove the /proc/scsi/${proc_name}\ndirectory earlier\") fixed a bug related to modules loading/unloading, by\nadding a call to scsi_proc_hostdir_rm() on scsi_remove_host(). But that led\nto a potential duplicate call to the hostdir_rm() routine, since it's also\ncalled from scsi_host_dev_release(). That triggered a regression report,\nwhich was then fixed by commit be03df3d4bfe (\"scsi: core: Fix a procfs host\ndirectory removal regression\"). The fix just dropped the hostdir_rm() call\nfrom dev_release().\n\nBut it happens that this proc directory is created on scsi_host_alloc(),\nand that function \"pairs\" with scsi_host_dev_release(), while\nscsi_remove_host() pairs with scsi_add_host(). In other words, it seems the\nreason for removing the proc directory on dev_release() was meant to cover\ncases in which a SCSI host structure was allocated, but the call to\nscsi_add_host() didn't happen. And that pattern happens to exist in some\nerror paths, for example.\n\nSyzkaller causes that by using USB raw gadget device, error'ing on\nusb-storage driver, at usb_stor_probe2(). By checking that path, we can see\nthat the BadDevice label leads to a scsi_host_put() after a SCSI host\nallocation, but there's no call to scsi_add_host() in such path. That leads\nto messages like this in dmesg (and a leak of the SCSI host proc\nstructure):\n\nusb-storage 4-1:87.51: USB Mass Storage device detected\nproc_dir_entry 'scsi/usb-storage' already registered\nWARNING: CPU: 1 PID: 3519 at fs/proc/generic.c:377 proc_register+0x347/0x4e0 fs/proc/generic.c:376\n\nThe proper fix seems to still call scsi_proc_hostdir_rm() on dev_release(),\nbut guard that with the state check for SHOST_CREATED; there is even a\ncomment in scsi_host_dev_release() detailing that: such conditional is\nmeant for cases where the SCSI host was allocated but there was no calls to\n{add,remove}_host(), like the usb-storage case.\n\nThis is what we propose here and with that, the error path of usb-storage\ndoes not trigger the warning anymore.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26935", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26935" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4297217bcf1f0948a19c2bacc6b68d92e7778ad9" + }, + { + "url": "https://git.kernel.org/stable/c/f1acb109505d983779bbb7e20a1ee6244d2b5736" + }, + { + "url": "https://git.kernel.org/stable/c/4cc31fa07445879a13750cb061bb8c2654975fcb" + }, + { + "url": "https://git.kernel.org/stable/c/b29b16bd836a838b7690f80e37f8376414c74cbe" + }, + { + "url": "https://git.kernel.org/linus/f1acb109505d983779bbb7e20a1ee6244d2b5736(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26710" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-239", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26710" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Limit KASAN thread size increase to 32KB\n\nKASAN is seen to increase stack usage, to the point that it was reported\nto lead to stack overflow on some 32-bit machines (see link).\n\nTo avoid overflows the stack size was doubled for KASAN builds in\ncommit 3e8635fb2e07 (\"powerpc/kasan: Force thread size increase with\nKASAN\").\n\nHowever with a 32KB stack size to begin with, the doubling leads to a\n64KB stack, which causes build errors:\n arch/powerpc/kernel/switch.S:249: Error: operand out of range (0x000000000000fe50 is not between 0xffffffffffff8000 and 0x0000000000007fff)\n\nAlthough the asm could be reworked, in practice a 32KB stack seems\nsufficient even for KASAN builds - the additional usage seems to be in\nthe 2-3KB range for a 64-bit KASAN build.\n\nSo only increase the stack for KASAN if the stack size is < 32KB.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26710", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001" + }, + { + "url": "https://git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c" + }, + { + "url": "https://git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397" + }, + { + "url": "https://git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49" + }, + { + "url": "https://git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb" + }, + { + "url": "https://git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05" + }, + { + "url": "https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26910" + }, + { + "url": "https://git.kernel.org/linus/97f7cf1cd80eeed3b7c808b7c12463295c751001(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-240", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26910" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26910" + } + } + ], + "created": "2024-04-17T16:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: ipset: fix performance regression in swap operation\n\nThe patch \"netfilter: ipset: fix race condition between swap/destroy\nand kernel side add/del/test\", commit 28628fa9 fixes a race condition.\nBut the synchronize_rcu() added to the swap function unnecessarily slows\nit down: it can safely be moved to destroy and use call_rcu() instead.\n\nEric Dumazet pointed out that simply calling the destroy functions as\nrcu callback does not work: sets with timeout use garbage collectors\nwhich need cancelling at destroy which can wait. Therefore the destroy\nfunctions are split into two: cancelling garbage collectors safely at\nexecuting the command received by netlink and moving the remaining\npart only into the rcu callback.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26910", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26910" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:14:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97a4d8b9f67cc7efe9a0c137e12f6d9e40795bf1" + }, + { + "url": "https://git.kernel.org/stable/c/bc76645ebdd01be9b9994dac39685a3d0f6f7985" + }, + { + "url": "https://git.kernel.org/stable/c/db364859ce68fb3a52d42cd87a54da3dc42dc1c8" + }, + { + "url": "https://git.kernel.org/stable/c/0b8eb369c182814d817b9449bc9e86bfae4310f9" + }, + { + "url": "https://git.kernel.org/stable/c/07bbccd1adb56b39eef982b8960d59e3c005c6a1" + }, + { + "url": "https://git.kernel.org/stable/c/cfe0f73fb38a01bce86fe15ef5f750f850f7d3fe" + }, + { + "url": "https://git.kernel.org/stable/c/cfedde3058bf976f2f292c0a236edd43afcdab57" + }, + { + "url": "https://git.kernel.org/stable/c/c558e54f7712b086fbcb611723272a0a4b0d451c" + }, + { + "url": "https://git.kernel.org/linus/bc76645ebdd01be9b9994dac39685a3d0f6f7985(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27420" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-241", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27420" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_link_fails_count\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27420", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27420" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/all/00000000000056e02f05dfb6e11a@google.com/T/" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6f861765464f43a71462d52026fbddfc858239a5" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-37454" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-242", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-37454" + } + } + ], + "created": "2023-07-06T17:15:14Z", + "description": "An issue was discovered in the Linux kernel through 6.4.2. A crafted UDF filesystem image causes a use-after-free write operation in the udf_put_super and udf_close_lvid functions in fs/udf/super.c. NOTE: the suse.com reference has a different perspective about this.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-37454", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37454" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-25T01:15:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:01:50Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-243", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "affects": [ + { + "ref": "comp-416" + } + ], + "id": "CVE-2024-33599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-416", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8983397951b4b0bd51bb4b4ba9749424e1ccbb70" + }, + { + "url": "https://git.kernel.org/stable/c/7330256268664ea0a7dd5b07a3fed363093477dd" + }, + { + "url": "https://git.kernel.org/stable/c/9a9d00c23d170d4ef5a1b28e6b69f5c85dd12bc1" + }, + { + "url": "https://git.kernel.org/stable/c/a28f4d1e0bed85943d309ac243fd1c200f8af9a2" + }, + { + "url": "https://git.kernel.org/stable/c/2827633c9dab6304ec4cdbf369363219832e605d" + }, + { + "url": "https://git.kernel.org/linus/7330256268664ea0a7dd5b07a3fed363093477dd(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26915" + } + ], + "bom-ref": "vuln-244", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26915" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Reset IH OVERFLOW_CLEAR bit\n\nAllows us to detect subsequent IH ring buffer overflows as well.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26915", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26915" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fd244524c2cf07b5f4c3fe8abd6a99225c76544b" + }, + { + "url": "https://git.kernel.org/stable/c/7d420eaaa18ec8e2bb4eeab8c65c00492ef6f416" + }, + { + "url": "https://git.kernel.org/stable/c/2b1b14d9fc94b8feae20808684c8af28ec80f45b" + }, + { + "url": "https://git.kernel.org/stable/c/75abfd61392b1db391bde6d738a30d685b843286" + }, + { + "url": "https://git.kernel.org/stable/c/52982edfcefd475cc34af663d5c47c0cddaa5739" + }, + { + "url": "https://git.kernel.org/stable/c/542c8b3c774a480bfd0804291a12f6f2391b0cd1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27034" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fd244524c2cf07b5f4c3fe8abd6a99225c76544b(6.9-rc1)" + } + ], + "bom-ref": "vuln-245", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27034" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to cover normal cluster write with cp_rwsem\n\nWhen we overwrite compressed cluster w/ normal cluster, we should\nnot unlock cp_rwsem during f2fs_write_raw_pages(), otherwise data\nwill be corrupted if partial blocks were persisted before CP & SPOR,\ndue to cluster metadata wasn't updated atomically.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27034", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27034" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/22863485a4626ec6ecf297f4cc0aef709bc862e4" + }, + { + "url": "https://git.kernel.org/stable/c/21fed37d2bdcde33453faf61d3d4d96c355f04bd" + }, + { + "url": "https://git.kernel.org/stable/c/84488466b7a69570bdbf76dd9576847ab97d54e7" + }, + { + "url": "https://git.kernel.org/stable/c/3dba0e5276f131e36d6d8043191d856f49238628" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35865" + }, + { + "url": "https://git.kernel.org/linus/22863485a4626ec6ecf297f4cc0aef709bc862e4(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-246", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35865" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in smb2_is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35865", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35865" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/62b71cd73d41ddac6b1760402bbe8c4932e23531" + }, + { + "url": "https://git.kernel.org/stable/c/7784135f134c13af17d9ffb39a57db8500bc60ff" + }, + { + "url": "https://git.kernel.org/stable/c/9114ba9987506bcfbb454f6e68558d68cb1abbde" + }, + { + "url": "https://git.kernel.org/stable/c/090d2b4515ade379cd592fbc8931344945978210" + }, + { + "url": "https://git.kernel.org/stable/c/b9d103aca85f082a343b222493f3cab1219aaaf4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35800" + }, + { + "url": "https://git.kernel.org/linus/62b71cd73d41ddac6b1760402bbe8c4932e23531(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-247", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35800" + } + } + ], + "created": "2024-05-17T14:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: fix panic in kdump kernel\n\nCheck if get_next_variable() is actually valid pointer before\ncalling it. In kdump kernel this method is set to NULL that causes\npanic during the kexec-ed kernel boot.\n\nTested with QEMU and OVMF firmware.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35800", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35800" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256786" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-6270" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1923.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2475.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6270" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-248", + "ratings": [ + { + "severity": "high", + "score": 7.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6270" + } + } + ], + "created": "2024-01-04T17:15:08Z", + "description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-6270", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-10T15:59:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/aa82ac51d63328714645c827775d64dbfd9941f3" + }, + { + "url": "https://git.kernel.org/stable/c/43ba9e331559a30000c862eea313248707afa787" + }, + { + "url": "https://git.kernel.org/stable/c/e9eac260369d0cf57ea53df95427125725507a0d" + }, + { + "url": "https://git.kernel.org/stable/c/c4c795b21dd23d9514ae1c6646c3fb2c78b5be60" + }, + { + "url": "https://git.kernel.org/stable/c/6c480d0f131862645d172ca9e25dc152b1a5c3a6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26750" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-249", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26750" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in GC.\n\nsyzbot reported another task hung in __unix_gc(). [0]\n\nThe current while loop assumes that all of the left candidates\nhave oob_skb and calling kfree_skb(oob_skb) releases the remaining\ncandidates.\n\nHowever, I missed a case that oob_skb has self-referencing fd and\nanother fd and the latter sk is placed before the former in the\ncandidate list. Then, the while loop never proceeds, resulting\nthe task hung.\n\n__unix_gc() has the same loop just before purging the collected skb,\nso we can call kfree_skb(oob_skb) there and let __skb_queue_purge()\nrelease all inflight sockets.\n\n[0]:\nSending NMI from CPU 0 to CPUs 1:\nNMI backtrace for cpu 1\nCPU: 1 PID: 2784 Comm: kworker/u4:8 Not tainted 6.8.0-rc4-syzkaller-01028-g71b605d32017 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:200\nCode: 89 fb e8 23 00 00 00 48 8b 3d 84 f5 1a 0c 48 89 de 5b e9 43 26 57 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1e fa 48 8b 04 24 65 48 8b 0d 90 52 70 7e 65 8b 15 91 52 70\nRSP: 0018:ffffc9000a17fa78 EFLAGS: 00000287\nRAX: ffffffff8a0a6108 RBX: ffff88802b6c2640 RCX: ffff88802c0b3b80\nRDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000\nRBP: ffffc9000a17fbf0 R08: ffffffff89383f1d R09: 1ffff1100ee5ff84\nR10: dffffc0000000000 R11: ffffed100ee5ff85 R12: 1ffff110056d84ee\nR13: ffffc9000a17fae0 R14: 0000000000000000 R15: ffffffff8f47b840\nFS: 0000000000000000(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007ffef5687ff8 CR3: 0000000029b34000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n \n \n __unix_gc+0xe69/0xf40 net/unix/garbage.c:343\n process_one_work kernel/workqueue.c:2633 [inline]\n process_scheduled_works+0x913/0x1420 kernel/workqueue.c:2706\n worker_thread+0xa5f/0x1000 kernel/workqueue.c:2787\n kthread+0x2ef/0x390 kernel/kthread.c:388\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26750", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26750" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09c3fa70f65175861ca948cb2f0f791e666c90e5" + }, + { + "url": "https://git.kernel.org/stable/c/d44bd323d8bb8031eef4bdc44547925998a11e47" + }, + { + "url": "https://git.kernel.org/stable/c/93bcc1752c69bb309f4d8cfaf960ef1faeb34996" + }, + { + "url": "https://git.kernel.org/stable/c/493aa6bdcffd90a4f82aa614fe4f4db0641b4068" + }, + { + "url": "https://git.kernel.org/stable/c/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f" + }, + { + "url": "https://git.kernel.org/stable/c/c991567e6c638079304cc15dff28748e4a3c4a37" + }, + { + "url": "https://git.kernel.org/stable/c/4be453271a882c8ebc28df3dbf9e4d95e6ac42f5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26950" + }, + { + "url": "https://git.kernel.org/linus/71cbd32e3db82ea4a74e3ef9aeeaa6971969c86f(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-250", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26950" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: access device through ctx instead of peer\n\nThe previous commit fixed a bug that led to a NULL peer->device being\ndereferenced. It's actually easier and faster performance-wise to\ninstead get the device from ctx->wg. This semantically makes more sense\ntoo, since ctx->wg->peer_allowedips.seq is compared with\nctx->allowedips_seq, basing them both in ctx. This also acts as a\ndefence in depth provision against freed peers.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26950", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26950" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b62ed25feb342eab052822eff0c554873799a4f5" + }, + { + "url": "https://git.kernel.org/stable/c/c0dcd5c072e2a3fff886f673e6a5d9bf8090c4cc" + }, + { + "url": "https://git.kernel.org/stable/c/165d226472575b213dd90dfda19d1605dd7c19a8" + }, + { + "url": "https://git.kernel.org/stable/c/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3" + }, + { + "url": "https://git.kernel.org/linus/2f7b1d8b5505efb0057cd1ab85fca206063ea4c3(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27002" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-251", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27002" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: mediatek: Do a runtime PM get on controllers during probe\n\nmt8183-mfgcfg has a mutual dependency with genpd during the probing\nstage, which leads to a deadlock in the following call stack:\n\nCPU0: genpd_lock --> clk_prepare_lock\ngenpd_power_off_work_fn()\n genpd_lock()\n generic_pm_domain::power_off()\n clk_unprepare()\n clk_prepare_lock()\n\nCPU1: clk_prepare_lock --> genpd_lock\nclk_register()\n __clk_core_init()\n clk_prepare_lock()\n clk_pm_runtime_get()\n genpd_lock()\n\nDo a runtime PM get at the probe function to make sure clk_register()\nwon't acquire the genpd lock. Instead of only modifying mt8183-mfgcfg,\ndo this on all mediatek clock controller probings because we don't\nbelieve this would cause any regression.\n\nVerified on MT8183 and MT8192 Chromebooks.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27002", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27002" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/48fae67d837488c87379f0c9f27df7391718477c" + }, + { + "url": "https://git.kernel.org/stable/c/b9357489c46c7a43999964628db8b47d3a1f8672" + }, + { + "url": "https://git.kernel.org/stable/c/15faa1f67ab405d47789d4702f587ec7df7ef03e" + }, + { + "url": "https://git.kernel.org/stable/c/2a492f01228b7d091dfe38974ef40dccf8f9f2f1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26723" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/15faa1f67ab405d47789d4702f587ec7df7ef03e(6.8-rc5)" + } + ], + "bom-ref": "vuln-252", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26723" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nlan966x: Fix crash when adding interface under a lag\n\nThere is a crash when adding one of the lan966x interfaces under a lag\ninterface. The issue can be reproduced like this:\nip link add name bond0 type bond miimon 100 mode balance-xor\nip link set dev eth0 master bond0\n\nThe reason is because when adding a interface under the lag it would go\nthrough all the ports and try to figure out which other ports are under\nthat lag interface. And the issue is that lan966x can have ports that are\nNULL pointer as they are not probed. So then iterating over these ports\nit would just crash as they are NULL pointers.\nThe fix consists in actually checking for NULL pointers before accessing\nsomething from the ports. Like we do in other places.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26723", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26723" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/50173882bb187e70e37bac01385b9b114019bee2" + }, + { + "url": "https://git.kernel.org/stable/c/b2186061d6043d6345a97100460363e990af0d46" + }, + { + "url": "https://git.kernel.org/linus/b2186061d6043d6345a97100460363e990af0d46(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35963" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-253", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35963" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_sock: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35963", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35963" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/46806e59a87790760870d216f54951a5b4d545bc" + }, + { + "url": "https://git.kernel.org/stable/c/ca400d8e0c1c9d79c08dfb6b7f966e26c8cae7fb" + }, + { + "url": "https://git.kernel.org/linus/46806e59a87790760870d216f54951a5b4d545bc(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26699" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-254", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26699" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr\n\n[Why]\nThere is a potential memory access violation while\niterating through array of dcn35 clks.\n\n[How]\nLimit iteration per array size.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26699", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26699" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dcb13b5c9ae8743f99a96f392186527c3df89198" + }, + { + "url": "https://git.kernel.org/stable/c/b4527ee3de365a742215773d20f07db3e2c06f3b" + }, + { + "url": "https://git.kernel.org/stable/c/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d" + }, + { + "url": "https://git.kernel.org/stable/c/db4066e3ab6b3d918ae2b92734a89c04fe82cc1d" + }, + { + "url": "https://git.kernel.org/stable/c/ae60e3342296f766f88911d39199f77b05f657a6" + }, + { + "url": "https://git.kernel.org/stable/c/852db52b45ea96dac2720f108e7c7331cd3738bb" + }, + { + "url": "https://git.kernel.org/stable/c/421b135aceace99789c982f6a77ce9476564fb52" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26970" + }, + { + "url": "https://git.kernel.org/linus/cdbc6e2d8108bc47895e5a901cfcaf799b00ca8d(6.9-rc1)" + } + ], + "bom-ref": "vuln-255", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26970" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq6018: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26970", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26970" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/303197775a97416b62d4da69280d0c120a20e009" + }, + { + "url": "https://git.kernel.org/stable/c/8892780834ae294bc3697c7d0e056d7743900b39" + }, + { + "url": "https://git.kernel.org/linus/8892780834ae294bc3697c7d0e056d7743900b39(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52485" + } + ], + "bom-ref": "vuln-256", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52485" + } + } + ], + "created": "2024-02-29T15:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before sending a command\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nFor functions that execute within a DC context or DC lock we can\nwrap the direct calls to dm_execute_dmub_cmd/list with code that\nexits idle power optimizations and reallows once we're done with\nthe command submission on success.\n\nFor DM direct submissions the DM will need to manage the enter/exit\nsequencing manually.\n\nWe cannot invoke a DMCUB command directly within the DM execution\nhelper or we can deadlock.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52485", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52485" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-29T18:06:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8514899c1a4edf802f03c408db901063aa3f05a1" + }, + { + "url": "https://git.kernel.org/stable/c/49669f8e7eb053f91d239df7b1bfb4500255a9d0" + }, + { + "url": "https://git.kernel.org/stable/c/1ca72a3de915f87232c9a4cb9bebbd3af8ed3e25" + }, + { + "url": "https://git.kernel.org/stable/c/40a673b4b07efd6f74ff3ab60f38b26aa91ee5d5" + }, + { + "url": "https://git.kernel.org/stable/c/7f9e833fc0f9b47be503af012eb5903086939754" + }, + { + "url": "https://git.kernel.org/stable/c/f2649d98aa9ca8623149b3cb8df00c944f5655c7" + }, + { + "url": "https://git.kernel.org/stable/c/d0aa72604fbd80c8aabb46eda00535ed35570f1f" + }, + { + "url": "https://git.kernel.org/stable/c/6afc9f4434fa8063aa768c2bf5bf98583aee0877" + }, + { + "url": "https://git.kernel.org/stable/c/61380537aa6dd32d8a723d98b8f1bd1b11d8fee0" + }, + { + "url": "https://git.kernel.org/linus/d0aa72604fbd80c8aabb46eda00535ed35570f1f(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26878" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-257", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26878" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: Fix potential NULL pointer dereference\n\nBelow race may cause NULL pointer dereference\n\nP1\t\t\t\t\tP2\ndquot_free_inode\t\t\tquota_off\n\t\t\t\t\t drop_dquot_ref\n\t\t\t\t\t remove_dquot_ref\n\t\t\t\t\t dquots = i_dquot(inode)\n dquots = i_dquot(inode)\n srcu_read_lock\n dquots[cnt]) != NULL (1)\n\t\t\t\t\t dquots[type] = NULL (2)\n spin_lock(&dquots[cnt]->dq_dqb_lock) (3)\n ....\n\nIf dquot_free_inode(or other routines) checks inode's quota pointers (1)\nbefore quota_off sets it to NULL(2) and use it (3) after that, NULL pointer\ndereference will be triggered.\n\nSo let's fix it by using a temporary pointer to avoid this issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26878", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26878" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bccebf64701735533c8db37773eeacc6566cc8ec" + }, + { + "url": "https://git.kernel.org/stable/c/31ea574aeca1aa488e18716459bde057217637af" + }, + { + "url": "https://git.kernel.org/stable/c/f2135bbf14949687e96cabb13d8a91ae3deb9069" + }, + { + "url": "https://git.kernel.org/stable/c/0c9302a6da262e6ab6a6c1d30f04a6130ed97376" + }, + { + "url": "https://git.kernel.org/stable/c/ae4360cbd385f0d7a8a86d5723e50448cc6318f3" + }, + { + "url": "https://git.kernel.org/stable/c/6f2496366426cec18ba53f1c7f6c3ac307ca6a95" + }, + { + "url": "https://git.kernel.org/stable/c/664264a5c55bf97a9c571c557d477b75416199be" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26835" + }, + { + "url": "https://git.kernel.org/linus/bccebf64701735533c8db37773eeacc6566cc8ec(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-258", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26835" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: set dormant flag on hook register failure\n\nWe need to set the dormant flag again if we fail to register\nthe hooks.\n\nDuring memory pressure hook registration can fail and we end up\nwith a table marked as active but no registered hooks.\n\nOn table/base chain deletion, nf_tables will attempt to unregister\nthe hook again which yields a warn splat from the nftables core.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26835", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26835" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/997ca415384612c8df76d99d9a768e0b3f42b325" + }, + { + "url": "https://git.kernel.org/stable/c/4154e767354140db7804207117e7238fb337b0e7" + }, + { + "url": "https://git.kernel.org/stable/c/ac3e0384073b2408d6cb0d972fee9fcc3776053d" + }, + { + "url": "https://git.kernel.org/stable/c/f6df761182fc953907b18aba5049fc2a044ecb45" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35824" + }, + { + "url": "https://git.kernel.org/linus/ac3e0384073b2408d6cb0d972fee9fcc3776053d(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-259", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35824" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume\n\nWhen not configured for wakeup lis3lv02d_i2c_suspend() will call\nlis3lv02d_poweroff() even if the device has already been turned off\nby the runtime-suspend handler and if configured for wakeup and\nthe device is runtime-suspended at this point then it is not turned\nback on to serve as a wakeup source.\n\nBefore commit b1b9f7a49440 (\"misc: lis3lv02d_i2c: Add missing setting\nof the reg_ctrl callback\"), lis3lv02d_poweroff() failed to disable\nthe regulators which as a side effect made calling poweroff() twice ok.\n\nNow that poweroff() correctly disables the regulators, doing this twice\ntriggers a WARN() in the regulator core:\n\nunbalanced disables for regulator-dummy\nWARNING: CPU: 1 PID: 92 at drivers/regulator/core.c:2999 _regulator_disable\n...\n\nFix lis3lv02d_i2c_suspend() to not call poweroff() a second time if\nalready runtime-suspended and add a poweron() call when necessary to\nmake wakeup work.\n\nlis3lv02d_i2c_resume() has similar issues, with an added weirness that\nit always powers on the device if it is runtime suspended, after which\nthe first runtime-resume will call poweron() again, causing the enabled\ncount for the regulator to increase by 1 every suspend/resume. These\nunbalanced regulator_enable() calls cause the regulator to never\nbe turned off and trigger the following WARN() on driver unbind:\n\nWARNING: CPU: 1 PID: 1724 at drivers/regulator/core.c:2396 _regulator_put\n\nFix this by making lis3lv02d_i2c_resume() mirror the new suspend().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35824", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35824" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395" + }, + { + "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e" + }, + { + "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5" + }, + { + "url": "https://git.kernel.org/linus/9253c54e01b6505d348afbc02abaa4d9f8a01395(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26982" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-260", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26982" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n and fill a metadata index. It however suffers a data read error\n and aborts, invalidating the newly returned empty metadata index.\n It does this by setting the inode number of the index to zero,\n which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n read operation, locate_meta_index() returns the previous index\n because it matches the inode number of 0. Because this index\n has been returned it is expected to have been filled, and because\n it hasn't been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]\n Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26982", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26982" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:10Z" + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0841" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256490" + }, + { + "url": "https://lore.kernel.org/all/20240130210418.3771-1-osalvador@suse.de/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0841" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-261", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0841" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + } + } + ], + "created": "2024-01-28T12:15:52Z", + "description": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-0841", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:15:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/967d3c27127e71a10ff5c083583a038606431b61" + }, + { + "url": "https://git.kernel.org/stable/c/e64148635509bf13eea851986f5a0b150e5bd066" + }, + { + "url": "https://git.kernel.org/stable/c/987c3ed7297e5661bc7f448f06fc366e497ac9b2" + }, + { + "url": "https://git.kernel.org/stable/c/2dba5774e8ed326a78ad4339d921a4291281ea6e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27404" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/967d3c27127e71a10ff5c083583a038606431b61(6.8-rc6)" + } + ], + "bom-ref": "vuln-262", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27404" + } + } + ], + "created": "2024-05-17T12:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data races on remote_id\n\nSimilar to the previous patch, address the data race on\nremote_id, adding the suitable ONCE annotations.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27404", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27404" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0a15ba88a32fa7a516aff7ffd27befed5334dff2" + }, + { + "url": "https://git.kernel.org/stable/c/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29" + }, + { + "url": "https://git.kernel.org/stable/c/16d58c6a7db5050b9638669084b63fc05f951825" + }, + { + "url": "https://git.kernel.org/stable/c/494c91e1e9413b407d12166a61b84200d4d54fac" + }, + { + "url": "https://git.kernel.org/linus/69ccf040acddf33a3a85ec0f6b45ef84b0f7ec29(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35863" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-263", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35863" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in is_valid_oplock_break()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35863", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35863" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240115.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" + } + ], + "bom-ref": "vuln-264", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6237" + } + } + ], + "created": "2024-04-25T07:15:45Z", + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-103" + } + ], + "id": "CVE-2023-6237", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/333fe86968482ca701c609af590003bcea450e8f" + }, + { + "url": "https://git.kernel.org/stable/c/81e921fd321614c2ad8ac333b041aae1da7a1c6d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27079" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/81e921fd321614c2ad8ac333b041aae1da7a1c6d(6.9-rc1)" + } + ], + "bom-ref": "vuln-265", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27079" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix NULL domain on device release\n\nIn the kdump kernel, the IOMMU operates in deferred_attach mode. In this\nmode, info->domain may not yet be assigned by the time the release_device\nfunction is called. It leads to the following crash in the crash kernel:\n\n BUG: kernel NULL pointer dereference, address: 000000000000003c\n ...\n RIP: 0010:do_raw_spin_lock+0xa/0xa0\n ...\n _raw_spin_lock_irqsave+0x1b/0x30\n intel_iommu_release_device+0x96/0x170\n iommu_deinit_device+0x39/0xf0\n __iommu_group_remove_device+0xa0/0xd0\n iommu_bus_notifier+0x55/0xb0\n notifier_call_chain+0x5a/0xd0\n blocking_notifier_call_chain+0x41/0x60\n bus_notify+0x34/0x50\n device_del+0x269/0x3d0\n pci_remove_bus_device+0x77/0x100\n p2sb_bar+0xae/0x1d0\n ...\n i801_probe+0x423/0x740\n\nUse the release_domain mechanism to fix it. The scalable mode context\nentry which is not part of release domain should be cleared in\nrelease_device().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27079", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27079" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8fd9b0ce8c26533fe4d5d15ea15bbf7b904b611c" + }, + { + "url": "https://git.kernel.org/stable/c/67944e6db656bf1e986aa2a359f866f851091f8a" + }, + { + "url": "https://git.kernel.org/stable/c/4a3859ea5240365d21f6053ee219bb240d520895" + }, + { + "url": "https://git.kernel.org/stable/c/ac9b6b3e8d1237136c8ebf0fa1ce037dd7e2948f" + }, + { + "url": "https://git.kernel.org/stable/c/7eab7b021835ae422c38b968d5cc60e99408fb62" + }, + { + "url": "https://git.kernel.org/stable/c/aed034866a08bb7e6e34d50a5629a4d23fe83703" + }, + { + "url": "https://git.kernel.org/stable/c/fe34587acc995e7b1d7a5d3444a0736721ec32b3" + }, + { + "url": "https://git.kernel.org/stable/c/3b031e4fcb2740988143c303f81f69f18ce86325" + }, + { + "url": "https://git.kernel.org/linus/4a3859ea5240365d21f6053ee219bb240d520895(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26937" + } + ], + "bom-ref": "vuln-266", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26937" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Reset queue_priority_hint on parking\n\nOriginally, with strict in order execution, we could complete execution\nonly when the queue was empty. Preempt-to-busy allows replacement of an\nactive request that may complete before the preemption is processed by\nHW. If that happens, the request is retired from the queue, but the\nqueue_priority_hint remains set, preventing direct submission until\nafter the next CS interrupt is processed.\n\nThis preempt-to-busy race can be triggered by the heartbeat, which will\nalso act as the power-management barrier and upon completion allow us to\nidle the HW. We may process the completion of the heartbeat, and begin\nparking the engine before the CS event that restores the\nqueue_priority_hint, causing us to fail the assertion that it is MIN.\n\n<3>[ 166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 166.210781] Dumping ftrace buffer:\n<0>[ 166.210795] ---------------------------------\n...\n<0>[ 167.302811] drm_fdin-1097 2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }\n<0>[ 167.302861] drm_fdin-1097 2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646\n<0>[ 167.302928] drm_fdin-1097 2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0\n<0>[ 167.302992] drm_fdin-1097 2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659\n<0>[ 167.303044] drm_fdin-1097 2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40\n<0>[ 167.303095] drm_fdin-1097 2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }\n<0>[ 167.303159] kworker/-89 11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2\n<0>[ 167.303208] kworker/-89 11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin\n<0>[ 167.303272] kworker/-89 11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2\n<0>[ 167.303321] kworker/-89 11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin\n<0>[ 167.303384] kworker/-89 11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660\n<0>[ 167.303434] kworker/-89 11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }\n<0>[ 167.303484] kworker/-89 11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked\n<0>[ 167.303534] -0 5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040\n<0>[ 167.303583] kworker/-89 11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }\n<0>[ 167.303756] kworker/-89 11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }\n<0>[ 167.303806] kworker/-89 11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))\n<0>[ 167.303811] ---------------------------------\n<4>[ 167.304722] ------------[ cut here ]------------\n<2>[ 167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!\n<4>[ 167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n<4>[ 167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G W 6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1\n<4>[ 167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022\n<4>[ 167.304738] Workqueue: i915-unordered retire_work_handler [i915]\n<4>[ 16\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26937", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26937" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6655G3GPS42WQM32DJHUCZALI2URQSCO/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185714" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-1906" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034373" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-170.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6200-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-1906" + } + ], + "bom-ref": "vuln-267", + "ratings": [ + { + "severity": "none", + "score": 0.00056, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-1906" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906" + } + } + ], + "created": "2023-04-12T22:15:11Z", + "description": "A heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2023-1906", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-07T04:05:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-06T15:08:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e3f078103421642fcd5f05c5e70777feb10f000d" + }, + { + "url": "https://git.kernel.org/stable/c/4ed82dd368ad883dc4284292937b882f044e625d" + }, + { + "url": "https://git.kernel.org/stable/c/6db5dc7b351b9569940cd1cf445e237c42cd6d27" + }, + { + "url": "https://git.kernel.org/stable/c/f1c3c61701a0b12f4906152c1626a5de580ea3d2" + }, + { + "url": "https://git.kernel.org/stable/c/e719b52d0c56989b0f3475a03a6d64f182c85b56" + }, + { + "url": "https://git.kernel.org/linus/6db5dc7b351b9569940cd1cf445e237c42cd6d27(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27015" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-268", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27015" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: flowtable: incorrect pppoe tuple\n\npppoe traffic reaching ingress path does not match the flowtable entry\nbecause the pppoe header is expected to be at the network header offset.\nThis bug causes a mismatch in the flow table lookup, so pppoe packets\nenter the classical forwarding path.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27015", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27015" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-005.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2478.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2479.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + } + ], + "bom-ref": "vuln-269", + "ratings": [ + { + "severity": "none", + "score": 0.00228, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0727" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + } + } + ], + "created": "2024-01-26T09:15:07Z", + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "affects": [ + { + "ref": "comp-103" + } + ], + "id": "CVE-2024-0727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:13Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23851" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6740-1" + }, + { + "url": "https://lore.kernel.org/all/PH7PR11MB576877FF72A9B2D43EAA1AEBA093A@PH7PR11MB5768.namprd11.prod.outlook.com/T/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6739-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-2" + } + ], + "bom-ref": "vuln-270", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23851" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" + } + } + ], + "created": "2024-01-23T09:15:36Z", + "description": "copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. This is related to ctl_ioctl.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-23851", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23851" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-28T03:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d1b22e573a3789ed1f32033ee709106993ba551" + }, + { + "url": "https://git.kernel.org/stable/c/a9bd6bb6f02bf7132c1ab192ba62bbfa52df7d66" + }, + { + "url": "https://git.kernel.org/stable/c/910c57dfa4d113aae6571c2a8b9ae8c430975902" + }, + { + "url": "https://git.kernel.org/stable/c/726374dde5d608b15b9756bd52b6fc283fda7a06" + }, + { + "url": "https://git.kernel.org/stable/c/225d587a073584946c05c9b7651d637bd45c0c71" + }, + { + "url": "https://git.kernel.org/linus/910c57dfa4d113aae6571c2a8b9ae8c430975902(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35804" + } + ], + "bom-ref": "vuln-271", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35804" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Mark target gfn of emulated atomic instruction as dirty\n\nWhen emulating an atomic access on behalf of the guest, mark the target\ngfn dirty if the CMPXCHG by KVM is attempted and doesn't fault. This\nfixes a bug where KVM effectively corrupts guest memory during live\nmigration by writing to guest memory without informing userspace that the\npage is dirty.\n\nMarking the page dirty got unintentionally dropped when KVM's emulated\nCMPXCHG was converted to do a user access. Before that, KVM explicitly\nmapped the guest page into kernel memory, and marked the page dirty during\nthe unmap phase.\n\nMark the page dirty even if the CMPXCHG fails, as the old data is written\nback on failure, i.e. the page is still written. The value written is\nguaranteed to be the same because the operation is atomic, but KVM's ABI\nis that all writes are dirty logged regardless of the value written. And\nmore importantly, that's what KVM did before the buggy commit.\n\nHuge kudos to the folks on the Cc list (and many others), who did all the\nactual work of triaging and debugging.\n\nbase-commit: 6769ea8da8a93ed4630f1ce64df6aafcaabfce64", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35804", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35804" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c02d257c654191ecda1dc1af6875d527e85310e7" + }, + { + "url": "https://git.kernel.org/stable/c/22ae604aea14756954e1c00ae653e34d2afd2935" + }, + { + "url": "https://git.kernel.org/stable/c/7073934f5d73f8b53308963cee36f0d389ea857c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26648" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7073934f5d73f8b53308963cee36f0d389ea857c(6.8-rc1)" + } + ], + "bom-ref": "vuln-272", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26648" + } + } + ], + "created": "2024-03-26T18:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay()\n\nIn edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'\nwas dereferenced before the pointer 'link' & 'replay' NULL check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_edp_panel_control.c:947 edp_setup_replay() warn: variable dereferenced before check 'link' (see line 933)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26648", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26648" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/92c0c29f667870f17c0b764544bdf22ce0e886a1" + }, + { + "url": "https://git.kernel.org/stable/c/46efbdbc95a30951c2579caf97b6df2ee2b3bef3" + }, + { + "url": "https://git.kernel.org/stable/c/3a38a829c8bc27d78552c28e582eb1d885d07d11" + }, + { + "url": "https://git.kernel.org/stable/c/6d9395ba7f85bdb7af0b93272e537484ecbeff48" + }, + { + "url": "https://git.kernel.org/stable/c/553d294db94b5f139378022df480a9fb6c3ae39e" + }, + { + "url": "https://git.kernel.org/stable/c/7e9edb569fd9f688d887e36db8170f6e22bafbc8" + }, + { + "url": "https://git.kernel.org/stable/c/476eed5f1c22034774902a980aa48dc4662cb39a" + }, + { + "url": "https://git.kernel.org/linus/3a38a829c8bc27d78552c28e582eb1d885d07d11(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35796" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-273", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35796" + } + } + ], + "created": "2024-05-17T14:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ll_temac: platform_get_resource replaced by wrong function\n\nThe function platform_get_resource was replaced with\ndevm_platform_ioremap_resource_byname and is called using 0 as name.\n\nThis eventually ends up in platform_get_resource_byname in the call\nstack, where it causes a null pointer in strcmp.\n\n\tif (type == resource_type(r) && !strcmp(r->name, name))\n\nIt should have been replaced with devm_platform_ioremap_resource.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35796", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35796" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3a3181a71935774bda2398451256d7441426420b" + }, + { + "url": "https://git.kernel.org/stable/c/2cc1a530ab31c65b52daf3cb5d0883c8b614ea69" + }, + { + "url": "https://git.kernel.org/stable/c/0cab687205986491302cd2e440ef1d253031c221" + }, + { + "url": "https://git.kernel.org/stable/c/031217128990d7f0ab8c46db1afb3cf1e075fd29" + }, + { + "url": "https://git.kernel.org/linus/0cab687205986491302cd2e440ef1d253031c221(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26761" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-274", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26761" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window\n\nThe Linux CXL subsystem is built on the assumption that HPA == SPA.\nThat is, the host physical address (HPA) the HDM decoder registers are\nprogrammed with are system physical addresses (SPA).\n\nDuring HDM decoder setup, the DVSEC CXL range registers (cxl-3.1,\n8.1.3.8) are checked if the memory is enabled and the CXL range is in\na HPA window that is described in a CFMWS structure of the CXL host\nbridge (cxl-3.1, 9.18.1.3).\n\nNow, if the HPA is not an SPA, the CXL range does not match a CFMWS\nwindow and the CXL memory range will be disabled then. The HDM decoder\nstops working which causes system memory being disabled and further a\nsystem hang during HDM decoder initialization, typically when a CXL\nenabled kernel boots.\n\nPrevent a system hang and do not disable the HDM decoder if the\ndecoder's CXL range is not found in a CFMWS window.\n\nNote the change only fixes a hardware hang, but does not implement\nHPA/SPA translation. Support for this can be added in a follow on\npatch series.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26761", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26761" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa" + }, + { + "url": "https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52625" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa(6.8-rc1)" + } + ], + "bom-ref": "vuln-275", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52625" + } + } + ], + "created": "2024-03-26T18:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Refactor DMCUB enter/exit idle interface\n\n[Why]\nWe can hang in place trying to send commands when the DMCUB isn't\npowered on.\n\n[How]\nWe need to exit out of the idle state prior to sending a command,\nbut the process that performs the exit also invokes a command itself.\n\nFixing this issue involves the following:\n\n1. Using a software state to track whether or not we need to start\n the process to exit idle or notify idle.\n\nIt's possible for the hardware to have exited an idle state without\ndriver knowledge, but entering one is always restricted to a driver\nallow - which makes the SW state vs HW state mismatch issue purely one\nof optimization, which should seldomly be hit, if at all.\n\n2. Refactor any instances of exit/notify idle to use a single wrapper\n that maintains this SW state.\n\nThis works simialr to dc_allow_idle_optimizations, but works at the\nDMCUB level and makes sure the state is marked prior to any notify/exit\nidle so we don't enter an infinite loop.\n\n3. Make sure we exit out of idle prior to sending any commands or\n waiting for DMCUB idle.\n\nThis patch takes care of 1/2. A future patch will take care of wrapping\nDMCUB command submission with calls to this new interface.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52625", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52625" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/87632bc9ecff5ded93433bc0fca428019bdd1cfe" + }, + { + "url": "https://git.kernel.org/stable/c/4ef9ad19e17676b9ef071309bc62020e2373705d" + }, + { + "url": "https://git.kernel.org/stable/c/7432376c913381c5f24d373a87ff629bbde94b47" + }, + { + "url": "https://git.kernel.org/linus/4ef9ad19e17676b9ef071309bc62020e2373705d(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26621" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024149" + } + ], + "bom-ref": "vuln-276", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26621" + } + } + ], + "created": "2024-03-02T22:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: huge_memory: don't force huge page alignment on 32 bit\n\ncommit efa7df3e3bb5 (\"mm: align larger anonymous mappings on THP\nboundaries\") caused two issues [1] [2] reported on 32 bit system or compat\nuserspace.\n\nIt doesn't make too much sense to force huge page alignment on 32 bit\nsystem due to the constrained virtual address space.\n\n[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/\n[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26621", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26621" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7bddf18f474f166c19f91b2baf67bf7c5eda03f7" + }, + { + "url": "https://git.kernel.org/stable/c/02f2b95b00bf57d20320ee168b30fb7f3db8e555" + }, + { + "url": "https://git.kernel.org/stable/c/a4b7741c8302e28073bfc6dd1c2e73598e5e535e" + }, + { + "url": "https://git.kernel.org/stable/c/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26726" + }, + { + "url": "https://git.kernel.org/linus/5571e41ec6e56e35f34ae9f5b3a335ef510e0ade(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-277", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26726" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode on write error\n\nWhile running the CI for an unrelated change I hit the following panic\nwith generic/648 on btrfs_holes_spacecache.\n\nassertion failed: block_start != EXTENT_MAP_HOLE, in fs/btrfs/extent_io.c:1385\n------------[ cut here ]------------\nkernel BUG at fs/btrfs/extent_io.c:1385!\ninvalid opcode: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 1 PID: 2695096 Comm: fsstress Kdump: loaded Tainted: G W 6.8.0-rc2+ #1\nRIP: 0010:__extent_writepage_io.constprop.0+0x4c1/0x5c0\nCall Trace:\n \n extent_write_cache_pages+0x2ac/0x8f0\n extent_writepages+0x87/0x110\n do_writepages+0xd5/0x1f0\n filemap_fdatawrite_wbc+0x63/0x90\n __filemap_fdatawrite_range+0x5c/0x80\n btrfs_fdatawrite_range+0x1f/0x50\n btrfs_write_out_cache+0x507/0x560\n btrfs_write_dirty_block_groups+0x32a/0x420\n commit_cowonly_roots+0x21b/0x290\n btrfs_commit_transaction+0x813/0x1360\n btrfs_sync_file+0x51a/0x640\n __x64_sys_fdatasync+0x52/0x90\n do_syscall_64+0x9c/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nThis happens because we fail to write out the free space cache in one\ninstance, come back around and attempt to write it again. However on\nthe second pass through we go to call btrfs_get_extent() on the inode to\nget the extent mapping. Because this is a new block group, and with the\nfree space inode we always search the commit root to avoid deadlocking\nwith the tree, we find nothing and return a EXTENT_MAP_HOLE for the\nrequested range.\n\nThis happens because the first time we try to write the space cache out\nwe hit an error, and on an error we drop the extent mapping. This is\nnormal for normal files, but the free space cache inode is special. We\nalways expect the extent map to be correct. Thus the second time\nthrough we end up with a bogus extent map.\n\nSince we're deprecating this feature, the most straightforward way to\nfix this is to simply skip dropping the extent map range for this failed\nrange.\n\nI shortened the test by using error injection to stress the area to make\nit easier to reproduce. With this patch in place we no longer panic\nwith my error injection test.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26726", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26726" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/56590678791119b9a655202e49898edfb9307271" + }, + { + "url": "https://git.kernel.org/stable/c/369acf97d6fd5da620d053d0f1878ffe32eff555" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35832" + }, + { + "url": "https://git.kernel.org/linus/369acf97d6fd5da620d053d0f1878ffe32eff555(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-278", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35832" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: kvfree bch_fs::snapshots in bch2_fs_snapshots_exit\n\nbch_fs::snapshots is allocated by kvzalloc in __snapshot_t_mut.\nIt should be freed by kvfree not kfree.\nOr umount will triger:\n\n[ 406.829178 ] BUG: unable to handle page fault for address: ffffe7b487148008\n[ 406.830676 ] #PF: supervisor read access in kernel mode\n[ 406.831643 ] #PF: error_code(0x0000) - not-present page\n[ 406.832487 ] PGD 0 P4D 0\n[ 406.832898 ] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 406.833512 ] CPU: 2 PID: 1754 Comm: umount Kdump: loaded Tainted: G OE 6.7.0-rc7-custom+ #90\n[ 406.834746 ] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n[ 406.835796 ] RIP: 0010:kfree+0x62/0x140\n[ 406.836197 ] Code: 80 48 01 d8 0f 82 e9 00 00 00 48 c7 c2 00 00 00 80 48 2b 15 78 9f 1f 01 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 56 9f 1f 01 <48> 8b 50 08 48 89 c7 f6 c2 01 0f 85 b0 00 00 00 66 90 48 8b 07 f6\n[ 406.837810 ] RSP: 0018:ffffb9d641607e48 EFLAGS: 00010286\n[ 406.838213 ] RAX: ffffe7b487148000 RBX: ffffb9d645200000 RCX: ffffb9d641607dc4\n[ 406.838738 ] RDX: 000065bb00000000 RSI: ffffffffc0d88b84 RDI: ffffb9d645200000\n[ 406.839217 ] RBP: ffff9a4625d00068 R08: 0000000000000001 R09: 0000000000000001\n[ 406.839650 ] R10: 0000000000000001 R11: 000000000000001f R12: ffff9a4625d4da80\n[ 406.840055 ] R13: ffff9a4625d00000 R14: ffffffffc0e2eb20 R15: 0000000000000000\n[ 406.840451 ] FS: 00007f0a264ffb80(0000) GS:ffff9a4e2d500000(0000) knlGS:0000000000000000\n[ 406.840851 ] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 406.841125 ] CR2: ffffe7b487148008 CR3: 000000018c4d2000 CR4: 00000000000006f0\n[ 406.841464 ] Call Trace:\n[ 406.841583 ] \n[ 406.841682 ] ? __die+0x1f/0x70\n[ 406.841828 ] ? page_fault_oops+0x159/0x470\n[ 406.842014 ] ? fixup_exception+0x22/0x310\n[ 406.842198 ] ? exc_page_fault+0x1ed/0x200\n[ 406.842382 ] ? asm_exc_page_fault+0x22/0x30\n[ 406.842574 ] ? bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.842842 ] ? kfree+0x62/0x140\n[ 406.842988 ] ? kfree+0x104/0x140\n[ 406.843138 ] bch2_fs_release+0x54/0x280 [bcachefs]\n[ 406.843390 ] kobject_put+0xb7/0x170\n[ 406.843552 ] deactivate_locked_super+0x2f/0xa0\n[ 406.843756 ] cleanup_mnt+0xba/0x150\n[ 406.843917 ] task_work_run+0x59/0xa0\n[ 406.844083 ] exit_to_user_mode_prepare+0x197/0x1a0\n[ 406.844302 ] syscall_exit_to_user_mode+0x16/0x40\n[ 406.844510 ] do_syscall_64+0x4e/0xf0\n[ 406.844675 ] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 406.844907 ] RIP: 0033:0x7f0a2664e4fb", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35832", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35832" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/88c49d9c896143cdc0f77197c4dcf24140375e89" + }, + { + "url": "https://git.kernel.org/stable/c/a6771f343af90a25f3a14911634562bb5621df02" + }, + { + "url": "https://git.kernel.org/stable/c/6e5e6d274956305f1fc0340522b38f5f5be74bdb" + }, + { + "url": "https://git.kernel.org/stable/c/d909d381c3152393421403be4b6435f17a2378b4" + }, + { + "url": "https://git.kernel.org/stable/c/a3812a47a32022ca76bf46ddacdd823dc2aabf8b" + }, + { + "url": "https://git.kernel.org/stable/c/cfb24022bb2c31f1f555dc6bc3cc5e2547446fb3" + }, + { + "url": "https://git.kernel.org/linus/6e5e6d274956305f1fc0340522b38f5f5be74bdb(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52656" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-279", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52656" + } + } + ], + "created": "2024-05-14T14:23:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: drop any code related to SCM_RIGHTS\n\nThis is dead code after we dropped support for passing io_uring fds\nover SCM_RIGHTS, get rid of it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52656", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52656" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/466ceebe48cbba3f4506f165fca7111f9eb8bb12" + }, + { + "url": "https://git.kernel.org/stable/c/e42e334c645575be5432adee224975d4f536fdb1" + }, + { + "url": "https://git.kernel.org/stable/c/2e7d3b67630dfd8f178c41fa2217aa00e79a5887" + }, + { + "url": "https://git.kernel.org/stable/c/004fe5b7f59286a926a45e0cafc7870e9cdddd56" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2e7d3b67630dfd8f178c41fa2217aa00e79a5887(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26680" + } + ], + "bom-ref": "vuln-280", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26680" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: Fix DMA mapping for PTP hwts ring\n\nFunction aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes\nfor PTP HWTS ring but then generic aq_ring_free() does not take this\ninto account.\nCreate and use a specific function to free HWTS ring to fix this\nissue.\n\nTrace:\n[ 215.351607] ------------[ cut here ]------------\n[ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes]\n[ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360\n...\n[ 215.581176] Call Trace:\n[ 215.583632] \n[ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df\n[ 215.594497] ? debug_dma_free_coherent+0x196/0x210\n[ 215.599305] ? check_unmap+0xa6f/0x2360\n[ 215.603147] ? __warn+0xca/0x1d0\n[ 215.606391] ? check_unmap+0xa6f/0x2360\n[ 215.610237] ? report_bug+0x1ef/0x370\n[ 215.613921] ? handle_bug+0x3c/0x70\n[ 215.617423] ? exc_invalid_op+0x14/0x50\n[ 215.621269] ? asm_exc_invalid_op+0x16/0x20\n[ 215.625480] ? check_unmap+0xa6f/0x2360\n[ 215.629331] ? mark_lock.part.0+0xca/0xa40\n[ 215.633445] debug_dma_free_coherent+0x196/0x210\n[ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10\n[ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0\n[ 215.648060] dma_free_attrs+0x6d/0x130\n[ 215.651834] aq_ring_free+0x193/0x290 [atlantic]\n[ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic]\n...\n[ 216.127540] ---[ end trace 6467e5964dd2640b ]---\n[ 216.132160] DMA-API: Mapped at:\n[ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0\n[ 216.132165] dma_alloc_attrs+0xf5/0x1b0\n[ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic]\n[ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic]\n[ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26680", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26680" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/07acf979da33c721357ff27129edf74c23c036c6" + }, + { + "url": "https://git.kernel.org/stable/c/8cbdd324b41528994027128207fae8100dff094f" + }, + { + "url": "https://git.kernel.org/stable/c/12d6a5681a0a5cecc2af7860f0a1613fa7c6e947" + }, + { + "url": "https://git.kernel.org/stable/c/1b175bc579f46520b11ecda443bcd2ee4904f66a" + }, + { + "url": "https://git.kernel.org/stable/c/e451709573f8be904a8a72d0775bf114d7c291d9" + }, + { + "url": "https://git.kernel.org/stable/c/80ba43e9f799cbdd83842fc27db667289b3150f5" + }, + { + "url": "https://git.kernel.org/stable/c/122a06f1068bf5e39089863f4f60b1f5d4273384" + }, + { + "url": "https://git.kernel.org/stable/c/ab062fa3dc69aea88fe62162c5881ba14b50ecc5" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf66250d2d33e8b27352fcb901de79f3521057" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26934" + }, + { + "url": "https://git.kernel.org/linus/80ba43e9f799cbdd83842fc27db667289b3150f5(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-281", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26934" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in usb_deauthorize_interface()\n\nAmong the attribute file callback routines in\ndrivers/usb/core/sysfs.c, the interface_authorized_store() function is\nthe only one which acquires a device lock on an ancestor device: It\ncalls usb_deauthorize_interface(), which locks the interface's parent\nUSB device.\n\nThe will lead to deadlock if another process already owns that lock\nand tries to remove the interface, whether through a configuration\nchange or because the device has been disconnected. As part of the\nremoval procedure, device_del() waits for all ongoing sysfs attribute\ncallbacks to complete. But usb_deauthorize_interface() can't complete\nuntil the device lock has been released, and the lock won't be\nreleased until the removal has finished.\n\nThe mechanism provided by sysfs to prevent this kind of deadlock is\nto use the sysfs_break_active_protection() function, which tells sysfs\nnot to wait for the attribute callback.\n\nReported-and-tested by: Yue Sun \nReported by: xingwei lee ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26934", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26934" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6db94d08359c43f2c8fe372811cdee04564a41b9" + }, + { + "url": "https://git.kernel.org/stable/c/5c86919455c1edec99ebd3338ad213b59271a71b" + }, + { + "url": "https://git.kernel.org/stable/c/93877b9afc2994c89362007aac480a7b150f386f" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-282", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix use-after-free in smb2_query_info_compound()\n\nThe following UAF was triggered when running fstests generic/072 with\nKASAN enabled against Windows Server 2022 and mount options\n'multichannel,max_channels=2,vers=3.1.1,mfsymlinks,noperm'\n\n BUG: KASAN: slab-use-after-free in smb2_query_info_compound+0x423/0x6d0 [cifs]\n Read of size 8 at addr ffff888014941048 by task xfs_io/27534\n\n CPU: 0 PID: 27534 Comm: xfs_io Not tainted 6.6.0-rc7 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n Call Trace:\n dump_stack_lvl+0x4a/0x80\n print_report+0xcf/0x650\n ? srso_alias_return_thunk+0x5/0x7f\n ? srso_alias_return_thunk+0x5/0x7f\n ? __phys_addr+0x46/0x90\n kasan_report+0xda/0x110\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? smb2_query_info_compound+0x423/0x6d0 [cifs]\n smb2_query_info_compound+0x423/0x6d0 [cifs]\n ? __pfx_smb2_query_info_compound+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __stack_depot_save+0x39/0x480\n ? kasan_save_stack+0x33/0x60\n ? kasan_set_track+0x25/0x30\n ? ____kasan_slab_free+0x126/0x170\n smb2_queryfs+0xc2/0x2c0 [cifs]\n ? __pfx_smb2_queryfs+0x10/0x10 [cifs]\n ? __pfx___lock_acquire+0x10/0x10\n smb311_queryfs+0x210/0x220 [cifs]\n ? __pfx_smb311_queryfs+0x10/0x10 [cifs]\n ? srso_alias_return_thunk+0x5/0x7f\n ? __lock_acquire+0x480/0x26c0\n ? lock_release+0x1ed/0x640\n ? srso_alias_return_thunk+0x5/0x7f\n ? do_raw_spin_unlock+0x9b/0x100\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n ? __pfx___do_sys_fstatfs+0x10/0x10\n ? srso_alias_return_thunk+0x5/0x7f\n ? lockdep_hardirqs_on_prepare+0x136/0x200\n ? srso_alias_return_thunk+0x5/0x7f\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Allocated by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n __kasan_kmalloc+0x8f/0xa0\n open_cached_dir+0x71b/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n smb311_queryfs+0x210/0x220 [cifs]\n cifs_statfs+0x18c/0x4b0 [cifs]\n statfs_by_dentry+0x9b/0xf0\n fd_statfs+0x4e/0xb0\n __do_sys_fstatfs+0x7f/0xe0\n do_syscall_64+0x3f/0x90\n entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\n Freed by task 27534:\n kasan_save_stack+0x33/0x60\n kasan_set_track+0x25/0x30\n kasan_save_free_info+0x2b/0x50\n ____kasan_slab_free+0x126/0x170\n slab_free_freelist_hook+0xd0/0x1e0\n __kmem_cache_free+0x9d/0x1b0\n open_cached_dir+0xff5/0x1240 [cifs]\n smb2_query_info_compound+0x5c3/0x6d0 [cifs]\n smb2_queryfs+0xc2/0x2c0 [cifs]\n\nThis is a race between open_cached_dir() and cached_dir_lease_break()\nwhere the cache entry for the open directory handle receives a lease\nbreak while creating it. And before returning from open_cached_dir(),\nwe put the last reference of the new @cfid because of\n!@cfid->has_lease.\n\nBesides the UAF, while running xfstests a lot of missed lease breaks\nhave been noticed in tests that run several concurrent statfs(2) calls\non those cached fids\n\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 00000000715bfe83 len 108\n CIFS: VFS: Dump pending requests:\n CIFS: VFS: \\\\w22-root1.gandalf.test No task to wake, unknown frame...\n CIFS: VFS: \\\\w22-root1.gandalf.test Cmd: 18 Err: 0x0 Flags: 0x1...\n CIFS: VFS: \\\\w22-root1.gandalf.test smb buf 000000005aa7316e len 108\n ...\n\nTo fix both, in open_cached_dir() ensure that @cfid->has_lease is set\nright before sending out compounded request so that any potential\nlease break will be get processed by demultiplex thread while we're\nstill caching @cfid. And, if open failed for some reason, re-check\n@cfid->has_lease to decide whether or not put lease reference.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52751", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52751" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0484e05d048b66d01d1f3c1d2306010bb57d8738" + }, + { + "url": "https://git.kernel.org/stable/c/beea9ab9080cd2ef46296070bb327af066ee09d7" + }, + { + "url": "https://git.kernel.org/stable/c/71783d1ff65204d69207fd156d4b2eb1d3882375" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26767" + }, + { + "url": "https://git.kernel.org/linus/0484e05d048b66d01d1f3c1d2306010bb57d8738(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-283", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26767" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fixed integer types and null check locations\n\n[why]:\nissues fixed:\n- comparison with wider integer type in loop condition which can cause\ninfinite loops\n- pointer dereference before null check", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26767", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26767" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4d5e86a56615cc387d21c629f9af8fb0e958d350" + }, + { + "url": "https://git.kernel.org/stable/c/d27c48dc309da72c3b46351a1205d89687272baa" + }, + { + "url": "https://git.kernel.org/stable/c/185fa07000e0a81d54cf8c05414cebff14469a5c" + }, + { + "url": "https://git.kernel.org/stable/c/60ba938a8bc8c90e724c75f98e932f9fb7ae1b9d" + }, + { + "url": "https://git.kernel.org/stable/c/9a624a5f95733bac4648ecadb320ca83aa9c08fd" + }, + { + "url": "https://git.kernel.org/stable/c/cad82f1671e41094acd3b9a60cd27d67a3c64a21" + }, + { + "url": "https://git.kernel.org/linus/4d5e86a56615cc387d21c629f9af8fb0e958d350(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26907" + } + ], + "bom-ref": "vuln-284", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26907" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26907" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix fortify source warning while accessing Eth segment\n\n ------------[ cut here ]------------\n memcpy: detected field-spanning write (size 56) of single field \"eseg->inline_hdr.start\" at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 (size 2)\n WARNING: CPU: 0 PID: 293779 at /var/lib/dkms/mlnx-ofed-kernel/5.8/build/drivers/infiniband/hw/mlx5/wr.c:131 mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Modules linked in: 8021q garp mrp stp llc rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) ib_core(OE) mlx5_core(OE) pci_hyperv_intf mlxdevm(OE) mlx_compat(OE) tls mlxfw(OE) psample nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink mst_pciconf(OE) knem(OE) vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd irqbypass cuse nfsv3 nfs fscache netfs xfrm_user xfrm_algo ipmi_devintf ipmi_msghandler binfmt_misc crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 snd_pcsp aesni_intel crypto_simd cryptd snd_pcm snd_timer joydev snd soundcore input_leds serio_raw evbug nfsd auth_rpcgss nfs_acl lockd grace sch_fq_codel sunrpc drm efi_pstore ip_tables x_tables autofs4 psmouse virtio_net net_failover failover floppy\n [last unloaded: mlx_compat(OE)]\n CPU: 0 PID: 293779 Comm: ssh Tainted: G OE 6.2.0-32-generic #32~22.04.1-Ubuntu\n Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\n RIP: 0010:mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n Code: 0c 01 00 a8 01 75 25 48 8b 75 a0 b9 02 00 00 00 48 c7 c2 10 5b fd c0 48 c7 c7 80 5b fd c0 c6 05 57 0c 03 00 01 e8 95 4d 93 da <0f> 0b 44 8b 4d b0 4c 8b 45 c8 48 8b 4d c0 e9 49 fb ff ff 41 0f b7\n RSP: 0018:ffffb5b48478b570 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n RBP: ffffb5b48478b628 R08: 0000000000000000 R09: 0000000000000000\n R10: 0000000000000000 R11: 0000000000000000 R12: ffffb5b48478b5e8\n R13: ffff963a3c609b5e R14: ffff9639c3fbd800 R15: ffffb5b480475a80\n FS: 00007fc03b444c80(0000) GS:ffff963a3dc00000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000556f46bdf000 CR3: 0000000006ac6003 CR4: 00000000003706f0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n \n ? show_regs+0x72/0x90\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? __warn+0x8d/0x160\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n ? report_bug+0x1bb/0x1d0\n ? handle_bug+0x46/0x90\n ? exc_invalid_op+0x19/0x80\n ? asm_exc_invalid_op+0x1b/0x20\n ? mlx5_ib_post_send+0x191b/0x1a60 [mlx5_ib]\n mlx5_ib_post_send_nodrain+0xb/0x20 [mlx5_ib]\n ipoib_send+0x2ec/0x770 [ib_ipoib]\n ipoib_start_xmit+0x5a0/0x770 [ib_ipoib]\n dev_hard_start_xmit+0x8e/0x1e0\n ? validate_xmit_skb_list+0x4d/0x80\n sch_direct_xmit+0x116/0x3a0\n __dev_xmit_skb+0x1fd/0x580\n __dev_queue_xmit+0x284/0x6b0\n ? _raw_spin_unlock_irq+0xe/0x50\n ? __flush_work.isra.0+0x20d/0x370\n ? push_pseudo_header+0x17/0x40 [ib_ipoib]\n neigh_connected_output+0xcd/0x110\n ip_finish_output2+0x179/0x480\n ? __smp_call_single_queue+0x61/0xa0\n __ip_finish_output+0xc3/0x190\n ip_finish_output+0x2e/0xf0\n ip_output+0x78/0x110\n ? __pfx_ip_finish_output+0x10/0x10\n ip_local_out+0x64/0x70\n __ip_queue_xmit+0x18a/0x460\n ip_queue_xmit+0x15/0x30\n __tcp_transmit_skb+0x914/0x9c0\n tcp_write_xmit+0x334/0x8d0\n tcp_push_one+0x3c/0x60\n tcp_sendmsg_locked+0x2e1/0xac0\n tcp_sendmsg+0x2d/0x50\n inet_sendmsg+0x43/0x90\n sock_sendmsg+0x68/0x80\n sock_write_iter+0x93/0x100\n vfs_write+0x326/0x3c0\n ksys_write+0xbd/0xf0\n ? do_syscall_64+0x69/0x90\n __x64_sys_write+0x19/0x30\n do_syscall_\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26907", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26907" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:44:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b427f55e9d4185f6f17cc1e3296eb8d0c4425283" + }, + { + "url": "https://git.kernel.org/stable/c/abe4eaa8618bb36c2b33e9cdde0499296a23448c" + }, + { + "url": "https://git.kernel.org/stable/c/4f7dad73df4cdb2b7042103d3922745d040ad025" + }, + { + "url": "https://git.kernel.org/stable/c/0c7478a2da3f5fe106b4658338873d50c86ac7ab" + }, + { + "url": "https://git.kernel.org/stable/c/de3e9d8e8d1ae0a4d301109d1ec140796901306c" + }, + { + "url": "https://git.kernel.org/linus/abe4eaa8618bb36c2b33e9cdde0499296a23448c(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52633" + } + ], + "bom-ref": "vuln-285", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52633" + } + } + ], + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\num: time-travel: fix time corruption\n\nIn 'basic' time-travel mode (without =inf-cpu or =ext), we\nstill get timer interrupts. These can happen at arbitrary\npoints in time, i.e. while in timer_read(), which pushes\ntime forward just a little bit. Then, if we happen to get\nthe interrupt after calculating the new time to push to,\nbut before actually finishing that, the interrupt will set\nthe time to a value that's incompatible with the forward,\nand we'll crash because time goes backwards when we do the\nforwarding.\n\nFix this by reading the time_travel_time, calculating the\nadjustment, and doing the adjustment all with interrupts\ndisabled.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52633", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52633" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ba3c5574203034781ac4231acf117da917efcd2a" + }, + { + "url": "https://git.kernel.org/stable/c/0c3687822259a7628c85cd21a3445cbe3c367165" + }, + { + "url": "https://git.kernel.org/stable/c/2bb86817b33c9d704e127f92b838035a72c315b6" + }, + { + "url": "https://git.kernel.org/stable/c/7ebf812b7019fd2d4d5a7ca45ef4bf3a6f4bda0a" + }, + { + "url": "https://git.kernel.org/stable/c/7abdfd45a650c714d5ebab564bb1b988f14d9b49" + }, + { + "url": "https://git.kernel.org/stable/c/bb44477d4506e52785693a39f03cdc6a2c5e8598" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52616" + }, + { + "url": "https://git.kernel.org/linus/ba3c5574203034781ac4231acf117da917efcd2a(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-286", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52616" + } + } + ], + "created": "2024-03-18T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: lib/mpi - Fix unexpected pointer access in mpi_ec_init\n\nWhen the mpi_ec_ctx structure is initialized, some fields are not\ncleared, causing a crash when referencing the field when the\nstructure was released. Initially, this issue was ignored because\nmemory for mpi_ec_ctx is allocated with the __GFP_ZERO flag.\nFor example, this error will be triggered when calculating the\nZa value for SM2 separately.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52616", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52616" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4530b3660d396a646aad91a787b6ab37cf604b53" + }, + { + "url": "https://git.kernel.org/stable/c/260fc96283c0f594de18a1b045faf6d8fb42874d" + }, + { + "url": "https://git.kernel.org/stable/c/f97e75fa4e12b0aa0224e83fcbda8853ac2adf36" + }, + { + "url": "https://git.kernel.org/stable/c/927794a02169778c9c2e7b25c768ab3ea8c1dc03" + }, + { + "url": "https://git.kernel.org/stable/c/a2576ae9a35c078e488f2c573e9e6821d651fbbe" + }, + { + "url": "https://git.kernel.org/stable/c/21f8cfe79f776287459343e9cfa6055af61328ea" + }, + { + "url": "https://git.kernel.org/stable/c/0184747b552d6b5a14db3b7fcc3b792ce64dedd1" + }, + { + "url": "https://git.kernel.org/stable/c/4c21fa60a6f4606f6214a38f50612b17b2f738f5" + }, + { + "url": "https://git.kernel.org/linus/4530b3660d396a646aad91a787b6ab37cf604b53(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26773" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-287", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26773" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()\n\nDetermine if the group block bitmap is corrupted before using ac_b_ex in\next4_mb_try_best_found() to avoid allocating blocks from a group with a\ncorrupted block bitmap in the following concurrency and making the\nsituation worse.\n\next4_mb_regular_allocator\n ext4_lock_group(sb, group)\n ext4_mb_good_group\n // check if the group bbitmap is corrupted\n ext4_mb_complex_scan_group\n // Scan group gets ac_b_ex but doesn't use it\n ext4_unlock_group(sb, group)\n ext4_mark_group_bitmap_corrupted(group)\n // The block bitmap was corrupted during\n // the group unlock gap.\n ext4_mb_try_best_found\n ext4_lock_group(ac->ac_sb, group)\n ext4_mb_use_best_found\n mb_mark_used\n // Allocating blocks in block bitmap corrupted group", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26773", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26773" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fa8c776f4c323a9fbc8ddf25edcb962083391430" + }, + { + "url": "https://git.kernel.org/stable/c/d487e7ba1bc7444d5f062c4930ef8436c47c7e63" + }, + { + "url": "https://git.kernel.org/stable/c/cc32ba2fdf3f8b136619fff551f166ba51ec856d" + }, + { + "url": "https://git.kernel.org/stable/c/f27d319df055629480b84b9288a502337b6f2a2e" + }, + { + "url": "https://git.kernel.org/stable/c/70e5b013538d5e4cb421afed431a5fcd2a5d49ee" + }, + { + "url": "https://git.kernel.org/stable/c/d6a9608af9a75d13243d217f6ce1e30e57d56ffe" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26781" + } + ], + "bom-ref": "vuln-288", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26781" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix possible deadlock in subflow diag\n\nSyzbot and Eric reported a lockdep splat in the subflow diag:\n\n WARNING: possible circular locking dependency detected\n 6.8.0-rc4-syzkaller-00212-g40b9385dd8e6 #0 Not tainted\n\n syz-executor.2/24141 is trying to acquire lock:\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n ffff888045870130 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at:\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n\n but task is already holding lock:\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at: spin_lock\n include/linux/spinlock.h:351 [inline]\n ffffc9000135e488 (&h->lhash2[i].lock){+.+.}-{2:2}, at:\n inet_diag_dump_icsk+0x39f/0x1f80 net/ipv4/inet_diag.c:1038\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (&h->lhash2[i].lock){+.+.}-{2:2}:\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]\n _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154\n spin_lock include/linux/spinlock.h:351 [inline]\n __inet_hash+0x335/0xbe0 net/ipv4/inet_hashtables.c:743\n inet_csk_listen_start+0x23a/0x320 net/ipv4/inet_connection_sock.c:1261\n __inet_listen_sk+0x2a2/0x770 net/ipv4/af_inet.c:217\n inet_listen+0xa3/0x110 net/ipv4/af_inet.c:239\n rds_tcp_listen_init+0x3fd/0x5a0 net/rds/tcp_listen.c:316\n rds_tcp_init_net+0x141/0x320 net/rds/tcp.c:577\n ops_init+0x352/0x610 net/core/net_namespace.c:136\n __register_pernet_operations net/core/net_namespace.c:1214 [inline]\n register_pernet_operations+0x2cb/0x660 net/core/net_namespace.c:1283\n register_pernet_device+0x33/0x80 net/core/net_namespace.c:1370\n rds_tcp_init+0x62/0xd0 net/rds/tcp.c:735\n do_one_initcall+0x238/0x830 init/main.c:1236\n do_initcall_level+0x157/0x210 init/main.c:1298\n do_initcalls+0x3f/0x80 init/main.c:1314\n kernel_init_freeable+0x42f/0x5d0 init/main.c:1551\n kernel_init+0x1d/0x2a0 init/main.c:1441\n ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n\n -> #0 (k-sk_lock-AF_INET6){+.+.}-{0:0}:\n check_prev_add kernel/locking/lockdep.c:3134 [inline]\n check_prevs_add kernel/locking/lockdep.c:3253 [inline]\n validate_chain+0x18ca/0x58e0 kernel/locking/lockdep.c:3869\n __lock_acquire+0x1345/0x1fd0 kernel/locking/lockdep.c:5137\n lock_acquire+0x1e3/0x530 kernel/locking/lockdep.c:5754\n lock_sock_fast include/net/sock.h:1723 [inline]\n subflow_get_info+0x166/0xd20 net/mptcp/diag.c:28\n tcp_diag_put_ulp net/ipv4/tcp_diag.c:100 [inline]\n tcp_diag_get_aux+0x738/0x830 net/ipv4/tcp_diag.c:137\n inet_sk_diag_fill+0x10ed/0x1e00 net/ipv4/inet_diag.c:345\n inet_diag_dump_icsk+0x55b/0x1f80 net/ipv4/inet_diag.c:1061\n __inet_diag_dump+0x211/0x3a0 net/ipv4/inet_diag.c:1263\n inet_diag_dump_compat+0x1c1/0x2d0 net/ipv4/inet_diag.c:1371\n netlink_dump+0x59b/0xc80 net/netlink/af_netlink.c:2264\n __netlink_dump_start+0x5df/0x790 net/netlink/af_netlink.c:2370\n netlink_dump_start include/linux/netlink.h:338 [inline]\n inet_diag_rcv_msg_compat+0x209/0x4c0 net/ipv4/inet_diag.c:1405\n sock_diag_rcv_msg+0xe7/0x410\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:280\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nAs noted by Eric we can break the lock dependency chain avoid\ndumping \n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26781", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26781" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695" + }, + { + "url": "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35966" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695(6.9-rc4)" + } + ], + "bom-ref": "vuln-289", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35966" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35966", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35966" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/edf82aa7e9eb864a09229392054d131b34a5c9e8" + }, + { + "url": "https://git.kernel.org/stable/c/3320126ed3afbc11934502319b340f91a4d61c8f" + }, + { + "url": "https://git.kernel.org/stable/c/7849e6f8410da96384e3d1f6b6d730f095142dc7" + }, + { + "url": "https://git.kernel.org/stable/c/07a2aa674fca679316b8ac51440adb895b53a7cf" + }, + { + "url": "https://git.kernel.org/stable/c/c473288f27d15014447de5a891bdf22a0695847a" + }, + { + "url": "https://git.kernel.org/stable/c/2ae917d4bcab80ab304b774d492e2fcd6c52c06b" + }, + { + "url": "https://git.kernel.org/stable/c/e2cd32435b1dff3d63759476a3abc878e02fb6c8" + }, + { + "url": "https://git.kernel.org/stable/c/ee0b5f96b6d66a1e6698228dcb41df11ec7f352f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35930" + }, + { + "url": "https://git.kernel.org/linus/2ae917d4bcab80ab304b774d492e2fcd6c52c06b(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-290", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35930" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()\n\nThe call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return an\nunsuccessful status. In such cases, the elsiocb is not issued, the\ncompletion is not called, and thus the elsiocb resource is leaked.\n\nCheck return value after calling lpfc_sli4_resume_rpi() and conditionally\nrelease the elsiocb resource.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35930", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35930" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6c92224721a439d6350db5933a1060768dcd565e" + }, + { + "url": "https://git.kernel.org/stable/c/5d9fe604bf9b5b09d2215225df55f22a4cbbc684" + }, + { + "url": "https://git.kernel.org/stable/c/d164ddc21e986dd9ad614b4b01746e5457aeb24f" + }, + { + "url": "https://git.kernel.org/stable/c/b1d0eebaf87cc9ccd05f779ec4a0589f95d6c18b" + }, + { + "url": "https://git.kernel.org/stable/c/8df9a3c7044b847e9c4dc7e683fd64c6b873f328" + }, + { + "url": "https://git.kernel.org/stable/c/8c2e4efe1278cd2b230cdbf90a6cefbf00acc282" + }, + { + "url": "https://git.kernel.org/stable/c/4797a3dd46f220e6d83daf54d70c5b33db6deb01" + }, + { + "url": "https://git.kernel.org/stable/c/42492b00156c03a79fd4851190aa63045d6a15ce" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27076" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4797a3dd46f220e6d83daf54d70c5b33db6deb01(6.9-rc1)" + } + ], + "bom-ref": "vuln-291", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27076" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: imx: csc/scaler: fix v4l2_ctrl_handler memory leak\n\nFree the memory allocated in v4l2_ctrl_handler_init on release.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27076", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27076" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1c6d19c8cbf6abcea2c8fca2db26abca2cbf0363" + }, + { + "url": "https://git.kernel.org/stable/c/359f220d0e753bba840eac19ffedcdc816b532f2" + }, + { + "url": "https://git.kernel.org/stable/c/95a0d596bbd0552a78e13ced43f2be1038883c81" + }, + { + "url": "https://git.kernel.org/stable/c/b90126c86d83912688501826643ea698f0df1728" + }, + { + "url": "https://git.kernel.org/stable/c/3db312e06851996e7fb27cb5a8ccab4c0f9cdb93" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/95a0d596bbd0552a78e13ced43f2be1038883c81(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52643" + } + ], + "bom-ref": "vuln-292", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52643" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: core: fix memleak in iio_device_register_sysfs\n\nWhen iio_device_register_sysfs_group() fails, we should\nfree iio_dev_opaque->chan_attr_group.attrs to prevent\npotential memleak.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52643", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52643" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c0882c366418bf9c19e1ba7f270fe377a9bf5d67" + }, + { + "url": "https://git.kernel.org/stable/c/4f2c95015ec2a1899161be6c0bdaecedd5a7bfb2" + }, + { + "url": "https://git.kernel.org/stable/c/0bf567d6d9ffe09e059bbdfb4d07143cef42c75c" + }, + { + "url": "https://git.kernel.org/stable/c/085195aa90a924c79e35569bcdad860d764a8e17" + }, + { + "url": "https://git.kernel.org/stable/c/baa6b7eb8c66486bd64608adc63fe03b30d3c0b9" + }, + { + "url": "https://git.kernel.org/stable/c/70fbfc47a392b98e5f8dba70c6efc6839205c982" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26846" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/70fbfc47a392b98e5f8dba70c6efc6839205c982(6.8-rc3)" + } + ], + "bom-ref": "vuln-293", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26846" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme-fc: do not wait in vain when unloading module\n\nThe module exit path has race between deleting all controllers and\nfreeing 'left over IDs'. To prevent double free a synchronization\nbetween nvme_delete_ctrl and ida_destroy has been added by the initial\ncommit.\n\nThere is some logic around trying to prevent from hanging forever in\nwait_for_completion, though it does not handling all cases. E.g.\nblktests is able to reproduce the situation where the module unload\nhangs forever.\n\nIf we completely rely on the cleanup code executed from the\nnvme_delete_ctrl path, all IDs will be freed eventually. This makes\ncalling ida_destroy unnecessary. We only have to ensure that all\nnvme_delete_ctrl code has been executed before we leave\nnvme_fc_exit_module. This is done by flushing the nvme_delete_wq\nworkqueue.\n\nWhile at it, remove the unused nvme_fc_wq workqueue too.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26846", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26846" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c6f8b3fcc62725e4129f2c0fd550d022d4a7685a" + }, + { + "url": "https://git.kernel.org/stable/c/b7d2eee1f53899b53f069bba3a59a419fc3d331b" + }, + { + "url": "https://git.kernel.org/stable/c/e4cf8941664cae2f89f0189c29fe2ce8c6be0d03" + }, + { + "url": "https://git.kernel.org/stable/c/edcf9725150e42beeca42d085149f4c88fa97afd" + }, + { + "url": "https://git.kernel.org/stable/c/8f5b860de87039b007e84a28a5eefc888154e098" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/edcf9725150e42beeca42d085149f4c88fa97afd(6.8-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26629" + } + ], + "bom-ref": "vuln-294", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26629" + } + } + ], + "created": "2024-03-13T14:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix RELEASE_LOCKOWNER\n\nThe test on so_count in nfsd4_release_lockowner() is nonsense and\nharmful. Revert to using check_for_locks(), changing that to not sleep.\n\nFirst: harmful.\nAs is documented in the kdoc comment for nfsd4_release_lockowner(), the\ntest on so_count can transiently return a false positive resulting in a\nreturn of NFS4ERR_LOCKS_HELD when in fact no locks are held. This is\nclearly a protocol violation and with the Linux NFS client it can cause\nincorrect behaviour.\n\nIf RELEASE_LOCKOWNER is sent while some other thread is still\nprocessing a LOCK request which failed because, at the time that request\nwas received, the given owner held a conflicting lock, then the nfsd\nthread processing that LOCK request can hold a reference (conflock) to\nthe lock owner that causes nfsd4_release_lockowner() to return an\nincorrect error.\n\nThe Linux NFS client ignores that NFS4ERR_LOCKS_HELD error because it\nnever sends NFS4_RELEASE_LOCKOWNER without first releasing any locks, so\nit knows that the error is impossible. It assumes the lock owner was in\nfact released so it feels free to use the same lock owner identifier in\nsome later locking request.\n\nWhen it does reuse a lock owner identifier for which a previous RELEASE\nfailed, it will naturally use a lock_seqid of zero. However the server,\nwhich didn't release the lock owner, will expect a larger lock_seqid and\nso will respond with NFS4ERR_BAD_SEQID.\n\nSo clearly it is harmful to allow a false positive, which testing\nso_count allows.\n\nThe test is nonsense because ... well... it doesn't mean anything.\n\nso_count is the sum of three different counts.\n1/ the set of states listed on so_stateids\n2/ the set of active vfs locks owned by any of those states\n3/ various transient counts such as for conflicting locks.\n\nWhen it is tested against '2' it is clear that one of these is the\ntransient reference obtained by find_lockowner_str_locked(). It is not\nclear what the other one is expected to be.\n\nIn practice, the count is often 2 because there is precisely one state\non so_stateids. If there were more, this would fail.\n\nIn my testing I see two circumstances when RELEASE_LOCKOWNER is called.\nIn one case, CLOSE is called before RELEASE_LOCKOWNER. That results in\nall the lock states being removed, and so the lockowner being discarded\n(it is removed when there are no more references which usually happens\nwhen the lock state is discarded). When nfsd4_release_lockowner() finds\nthat the lock owner doesn't exist, it returns success.\n\nThe other case shows an so_count of '2' and precisely one state listed\nin so_stateid. It appears that the Linux client uses a separate lock\nowner for each file resulting in one lock state per lock owner, so this\ntest on '2' is safe. For another client it might not be safe.\n\nSo this patch changes check_for_locks() to use the (newish)\nfind_any_file_locked() so that it doesn't take a reference on the\nnfs4_file and so never calls nfsd_file_put(), and so never sleeps. With\nthis check is it safe to restore the use of check_for_locks() rather\nthan testing so_count against the mysterious '2'.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26629", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26629" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-10T15:16:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fa3f3ab5c399852d32a0c3cbb8c55882f7e2c61f" + }, + { + "url": "https://git.kernel.org/stable/c/34a164d2448264b62af82bc0af3d2c83d12d38ac" + }, + { + "url": "https://git.kernel.org/stable/c/e799299aafed417cc1f32adccb2a0e5268b3f6d5" + }, + { + "url": "https://git.kernel.org/stable/c/f716a68234242f95305dffb5c9426caa64b316b0" + }, + { + "url": "https://git.kernel.org/stable/c/f84f7709486d8a578ab4b7d2a556d1b1a59cfc97" + }, + { + "url": "https://git.kernel.org/stable/c/d28fa5f0e6c1554e2829f73a6a276c9a49689d04" + }, + { + "url": "https://git.kernel.org/stable/c/84b8486e9cedc93875f251ba31abcf73bd586a3a" + }, + { + "url": "https://git.kernel.org/stable/c/42e71408e2c138be9ccce60920bd6cf094ba1e32" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27426" + }, + { + "url": "https://git.kernel.org/linus/e799299aafed417cc1f32adccb2a0e5268b3f6d5(6.8)" + } + ], + "bom-ref": "vuln-295", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27426" + } + } + ], + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_maximum_tries\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27426", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27426" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d964dd1bc1452594b4207d9229c157d9386e5d8a" + }, + { + "url": "https://git.kernel.org/stable/c/d75abeec401f8c86b470e7028a13fcdc87e5dd06" + }, + { + "url": "https://git.kernel.org/stable/c/e77bf828f1ca1c47fcff58bdc26b60a9d3dfbe1d" + }, + { + "url": "https://git.kernel.org/stable/c/510c869ffa4068c5f19ff4df51d1e2f3a30aaac1" + }, + { + "url": "https://git.kernel.org/stable/c/7dc9feb8b1705cf00de20563b6bc4831f4c99dab" + }, + { + "url": "https://git.kernel.org/stable/c/e37cde7a5716466ff2a76f7f27f0a29b05b9a732" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26665" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/d75abeec401f8c86b470e7028a13fcdc87e5dd06(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-296", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26665" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: fix out of bounds access when building IPv6 PMTU error\n\nIf the ICMPv6 error is built from a non-linear skb we get the following\nsplat,\n\n BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240\n Read of size 4 at addr ffff88811d402c80 by task netperf/820\n CPU: 0 PID: 820 Comm: netperf Not tainted 6.8.0-rc1+ #543\n ...\n kasan_report+0xd8/0x110\n do_csum+0x220/0x240\n csum_partial+0xc/0x20\n skb_tunnel_check_pmtu+0xeb9/0x3280\n vxlan_xmit_one+0x14c2/0x4080\n vxlan_xmit+0xf61/0x5c00\n dev_hard_start_xmit+0xfb/0x510\n __dev_queue_xmit+0x7cd/0x32a0\n br_dev_queue_push_xmit+0x39d/0x6a0\n\nUse skb_checksum instead of csum_partial who cannot deal with non-linear\nSKBs.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26665", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26665" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/996ce839606afd0fef91355627868022aa73eb68" + }, + { + "url": "https://git.kernel.org/stable/c/1543418e82789cc383cd36d41469983c64e3fc7f" + }, + { + "url": "https://git.kernel.org/stable/c/da83ed350e4604b976e94239b08d8e2e7eaee7ea" + }, + { + "url": "https://git.kernel.org/stable/c/2ae0ab0143fcc06190713ed81a6486ed0ad3c861" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26866" + }, + { + "url": "https://git.kernel.org/linus/2ae0ab0143fcc06190713ed81a6486ed0ad3c861(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-297", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26866" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: lpspi: Avoid potential use-after-free in probe()\n\nfsl_lpspi_probe() is allocating/disposing memory manually with\nspi_alloc_host()/spi_alloc_target(), but uses\ndevm_spi_register_controller(). In case of error after the latter call the\nmemory will be explicitly freed in the probe function by\nspi_controller_put() call, but used afterwards by \"devm\" management outside\nprobe() (spi_unregister_controller() <- devm_spi_unregister() below).\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\n...\nCall trace:\n kernfs_find_ns\n kernfs_find_and_get_ns\n sysfs_remove_group\n sysfs_remove_groups\n device_remove_attrs\n device_del\n spi_unregister_controller\n devm_spi_unregister\n release_nodes\n devres_release_all\n really_probe\n driver_probe_device\n __device_attach_driver\n bus_for_each_drv\n __device_attach\n device_initial_probe\n bus_probe_device\n deferred_probe_work_func\n process_one_work\n worker_thread\n kthread\n ret_from_fork", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26866", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26866" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24228dcf1d30c2231caa332be7d3090ac59fbfe9" + }, + { + "url": "https://git.kernel.org/stable/c/73a2aa0aef86c2c07be5a2f42c9e6047e1a2f7bb" + }, + { + "url": "https://git.kernel.org/stable/c/cb5942b77c05d54310a0420cac12935e9b6aa21c" + }, + { + "url": "https://git.kernel.org/stable/c/3da9d32b7f4a1a9f7e4bb15bb82f2b2dd6719447" + }, + { + "url": "https://git.kernel.org/stable/c/a9545af2a533739ffb64d6c9a6fec6f13e2b505f" + }, + { + "url": "https://git.kernel.org/stable/c/5956f4203b6cdd0755bbdd21b45f3933c7026208" + }, + { + "url": "https://git.kernel.org/stable/c/fe20e3d56bc911408fc3c27a17c59e9d7885f7d1" + }, + { + "url": "https://git.kernel.org/linus/cb5942b77c05d54310a0420cac12935e9b6aa21c(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26895" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-298", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26895" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: prevent use-after-free on vif when cleaning up all interfaces\n\nwilc_netdev_cleanup currently triggers a KASAN warning, which can be\nobserved on interface registration error path, or simply by\nremoving the module/unbinding device from driver:\n\necho spi0.1 > /sys/bus/spi/drivers/wilc1000_spi/unbind\n\n==================================================================\nBUG: KASAN: slab-use-after-free in wilc_netdev_cleanup+0x508/0x5cc\nRead of size 4 at addr c54d1ce8 by task sh/86\n\nCPU: 0 PID: 86 Comm: sh Not tainted 6.8.0-rc1+ #117\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x58\n dump_stack_lvl from print_report+0x154/0x500\n print_report from kasan_report+0xac/0xd8\n kasan_report from wilc_netdev_cleanup+0x508/0x5cc\n wilc_netdev_cleanup from wilc_bus_remove+0xc8/0xec\n wilc_bus_remove from spi_remove+0x8c/0xac\n spi_remove from device_release_driver_internal+0x434/0x5f8\n device_release_driver_internal from unbind_store+0xbc/0x108\n unbind_store from kernfs_fop_write_iter+0x398/0x584\n kernfs_fop_write_iter from vfs_write+0x728/0xf88\n vfs_write from ksys_write+0x110/0x1e4\n ksys_write from ret_fast_syscall+0x0/0x1c\n\n[...]\n\nAllocated by task 1:\n kasan_save_track+0x30/0x5c\n __kasan_kmalloc+0x8c/0x94\n __kmalloc_node+0x1cc/0x3e4\n kvmalloc_node+0x48/0x180\n alloc_netdev_mqs+0x68/0x11dc\n alloc_etherdev_mqs+0x28/0x34\n wilc_netdev_ifc_init+0x34/0x8ec\n wilc_cfg80211_init+0x690/0x910\n wilc_bus_probe+0xe0/0x4a0\n spi_probe+0x158/0x1b0\n really_probe+0x270/0xdf4\n __driver_probe_device+0x1dc/0x580\n driver_probe_device+0x60/0x140\n __driver_attach+0x228/0x5d4\n bus_for_each_dev+0x13c/0x1a8\n bus_add_driver+0x2a0/0x608\n driver_register+0x24c/0x578\n do_one_initcall+0x180/0x310\n kernel_init_freeable+0x424/0x484\n kernel_init+0x20/0x148\n ret_from_fork+0x14/0x28\n\nFreed by task 86:\n kasan_save_track+0x30/0x5c\n kasan_save_free_info+0x38/0x58\n __kasan_slab_free+0xe4/0x140\n kfree+0xb0/0x238\n device_release+0xc0/0x2a8\n kobject_put+0x1d4/0x46c\n netdev_run_todo+0x8fc/0x11d0\n wilc_netdev_cleanup+0x1e4/0x5cc\n wilc_bus_remove+0xc8/0xec\n spi_remove+0x8c/0xac\n device_release_driver_internal+0x434/0x5f8\n unbind_store+0xbc/0x108\n kernfs_fop_write_iter+0x398/0x584\n vfs_write+0x728/0xf88\n ksys_write+0x110/0x1e4\n ret_fast_syscall+0x0/0x1c\n [...]\n\nDavid Mosberger-Tan initial investigation [1] showed that this\nuse-after-free is due to netdevice unregistration during vif list\ntraversal. When unregistering a net device, since the needs_free_netdev has\nbeen set to true during registration, the netdevice object is also freed,\nand as a consequence, the corresponding vif object too, since it is\nattached to it as private netdevice data. The next occurrence of the loop\nthen tries to access freed vif pointer to the list to move forward in the\nlist.\n\nFix this use-after-free thanks to two mechanisms:\n- navigate in the list with list_for_each_entry_safe, which allows to\n safely modify the list as we go through each element. For each element,\n remove it from the list with list_del_rcu\n- make sure to wait for RCU grace period end after each vif removal to make\n sure it is safe to free the corresponding vif too (through\n unregister_netdev)\n\nSince we are in a RCU \"modifier\" path (not a \"reader\" path), and because\nsuch path is expected not to be concurrent to any other modifier (we are\nusing the vif_mutex lock), we do not need to use RCU list API, that's why\nwe can benefit from list_for_each_entry_safe.\n\n[1] https://lore.kernel.org/linux-wireless/ab077dbe58b1ea5de0a3b2ca21f275a07af967d2.camel@egauge.net/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26895", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26895" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4e0cfb25d49da2e6261ad582f58ffa5b5dd8c8e9" + }, + { + "url": "https://git.kernel.org/stable/c/4031b72ca747a1e6e9ae4fa729e765b43363d66a" + }, + { + "url": "https://git.kernel.org/stable/c/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf" + }, + { + "url": "https://git.kernel.org/stable/c/b57326c96b7bc7638aa8c44e12afa2defe0c934c" + }, + { + "url": "https://git.kernel.org/linus/b9fa16949d18e06bdf728a560f5c8af56d2bdcaf(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35939" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-299", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35939" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-direct: Leak pages on dma_set_decrypted() failure\n\nOn TDX it is possible for the untrusted host to cause\nset_memory_encrypted() or set_memory_decrypted() to fail such that an\nerror is returned and the resulting memory is shared. Callers need to\ntake care to handle these errors to avoid returning decrypted (shared)\nmemory to the page allocator, which could lead to functional or security\nissues.\n\nDMA could free decrypted/shared pages if dma_set_decrypted() fails. This\nshould be a rare case. Just leak the pages in this case instead of\nfreeing them.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35939", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35939" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-21823" + } + ], + "bom-ref": "vuln-300", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21823" + } + } + ], + "created": "2024-05-16T21:16:03Z", + "description": "Hardware logic with insecure de-synchronization in Intel(R) DSA and Intel(R) IAA for some Intel(R) 4th or 5th generation Xeon(R) processors may allow an authorized user to potentially enable denial of service via local access.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-21823", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21823" + }, + "cwes": [ + 1264 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:36:05Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/58fe3bbddfec10c6b216096d8c0e517cd8463e3a" + }, + { + "url": "https://git.kernel.org/stable/c/ac512507ac89c01ed6cd4ca53032f52cdb23ea59" + }, + { + "url": "https://git.kernel.org/stable/c/3518cea837de4d106efa84ddac18a07b6de1384e" + }, + { + "url": "https://git.kernel.org/stable/c/dddedfa3b29a63c2ca4336663806a6128b8545b4" + }, + { + "url": "https://git.kernel.org/stable/c/7059cdb69f8e1a2707dd1e2f363348b507ed7707" + }, + { + "url": "https://git.kernel.org/stable/c/1213acb478a7181cd73eeaf00db430f1e45b1361" + }, + { + "url": "https://git.kernel.org/stable/c/156012667b85ca7305cb363790d3ae8519a6f41e" + }, + { + "url": "https://git.kernel.org/linus/1213acb478a7181cd73eeaf00db430f1e45b1361(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27052" + } + ], + "bom-ref": "vuln-301", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27052" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work\n\nThe workqueue might still be running, when the driver is stopped. To\navoid a use-after-free, call cancel_work_sync() in rtl8xxxu_stop().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27052", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27052" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5f369efd9d963c1f711a06c9b8baf9f5ce616d85" + }, + { + "url": "https://git.kernel.org/stable/c/2535b848fa0f42ddff3e5255cf5e742c9b77bb26" + }, + { + "url": "https://git.kernel.org/stable/c/5f9fe302dd3a9bbc50f4888464c1773f45166bfd" + }, + { + "url": "https://git.kernel.org/stable/c/369f419c097e82407dd429a202cde9a73d3ae29b" + }, + { + "url": "https://git.kernel.org/stable/c/3ead59bafad05f2967ae2438c0528d53244cfde5" + }, + { + "url": "https://git.kernel.org/stable/c/8d1753973f598531baaa2c1033cf7f7b5bb004b0" + }, + { + "url": "https://git.kernel.org/stable/c/567c0411dc3b424fc7bd1e6109726d7ba32d4f73" + }, + { + "url": "https://git.kernel.org/stable/c/81d7d920a22fd58ef9aedb1bd0a68ee32bd23e96" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26903" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2535b848fa0f42ddff3e5255cf5e742c9b77bb26(6.8-rc7)" + } + ], + "bom-ref": "vuln-302", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26903" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26903" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security\n\nDuring our fuzz testing of the connection and disconnection process at the\nRFCOMM layer, we discovered this bug. By comparing the packets from a\nnormal connection and disconnection process with the testcase that\ntriggered a KASAN report. We analyzed the cause of this bug as follows:\n\n1. In the packets captured during a normal connection, the host sends a\n`Read Encryption Key Size` type of `HCI_CMD` packet\n(Command Opcode: 0x1408) to the controller to inquire the length of\nencryption key.After receiving this packet, the controller immediately\nreplies with a Command Completepacket (Event Code: 0x0e) to return the\nEncryption Key Size.\n\n2. In our fuzz test case, the timing of the controller's response to this\npacket was delayed to an unexpected point: after the RFCOMM and L2CAP\nlayers had disconnected but before the HCI layer had disconnected.\n\n3. After receiving the Encryption Key Size Response at the time described\nin point 2, the host still called the rfcomm_check_security function.\nHowever, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`\nhad already been released, and when the function executed\n`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,\nspecifically when accessing `conn->hcon`, a null-ptr-deref error occurred.\n\nTo fix this bug, check if `sk->sk_state` is BT_CLOSED before calling\nrfcomm_recv_frame in rfcomm_process_rx.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26903", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26903" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:41:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/394b6d8bbdf9ddee6d5bcf3e1f3e9f23eecd6484" + }, + { + "url": "https://git.kernel.org/stable/c/befb7f889594d23e1b475720cf93efd2f77df000" + }, + { + "url": "https://git.kernel.org/stable/c/a55677878b93e9ebc31f66d0e2fb93be5e7836a6" + }, + { + "url": "https://git.kernel.org/stable/c/9daddee03de3f231012014dab8ab2b277a116a55" + }, + { + "url": "https://git.kernel.org/stable/c/b7f6c3630eb3f103115ab0d7613588064f665d0d" + }, + { + "url": "https://git.kernel.org/stable/c/7e500849fa558879a1cde43f80c7c048c2437058" + }, + { + "url": "https://git.kernel.org/stable/c/50ed48c80fecbe17218afed4f8bed005c802976c" + }, + { + "url": "https://git.kernel.org/stable/c/a64ab862e84e3e698cd351a87cdb504c7fc575ca" + }, + { + "url": "https://git.kernel.org/stable/c/6470078ab3d8f222115e11c4ec67351f3031b3dd" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26957" + }, + { + "url": "https://git.kernel.org/linus/50ed48c80fecbe17218afed4f8bed005c802976c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-303", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26957" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/zcrypt: fix reference counting on zcrypt card objects\n\nTests with hot-plugging crytpo cards on KVM guests with debug\nkernel build revealed an use after free for the load field of\nthe struct zcrypt_card. The reason was an incorrect reference\nhandling of the zcrypt card object which could lead to a free\nof the zcrypt card object while it was still in use.\n\nThis is an example of the slab message:\n\n kernel: 0x00000000885a7512-0x00000000885a7513 @offset=1298. First byte 0x68 instead of 0x6b\n kernel: Allocated in zcrypt_card_alloc+0x36/0x70 [zcrypt] age=18046 cpu=3 pid=43\n kernel: kmalloc_trace+0x3f2/0x470\n kernel: zcrypt_card_alloc+0x36/0x70 [zcrypt]\n kernel: zcrypt_cex4_card_probe+0x26/0x380 [zcrypt_cex4]\n kernel: ap_device_probe+0x15c/0x290\n kernel: really_probe+0xd2/0x468\n kernel: driver_probe_device+0x40/0xf0\n kernel: __device_attach_driver+0xc0/0x140\n kernel: bus_for_each_drv+0x8c/0xd0\n kernel: __device_attach+0x114/0x198\n kernel: bus_probe_device+0xb4/0xc8\n kernel: device_add+0x4d2/0x6e0\n kernel: ap_scan_adapter+0x3d0/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: Freed in zcrypt_card_put+0x54/0x80 [zcrypt] age=9024 cpu=3 pid=43\n kernel: kfree+0x37e/0x418\n kernel: zcrypt_card_put+0x54/0x80 [zcrypt]\n kernel: ap_device_remove+0x4c/0xe0\n kernel: device_release_driver_internal+0x1c4/0x270\n kernel: bus_remove_device+0x100/0x188\n kernel: device_del+0x164/0x3c0\n kernel: device_unregister+0x30/0x90\n kernel: ap_scan_adapter+0xc8/0x7c0\n kernel: ap_scan_bus+0x5a/0x3b0\n kernel: ap_scan_bus_wq_callback+0x40/0x60\n kernel: process_one_work+0x26e/0x620\n kernel: worker_thread+0x21c/0x440\n kernel: kthread+0x150/0x168\n kernel: __ret_from_fork+0x3c/0x58\n kernel: ret_from_fork+0xa/0x30\n kernel: Slab 0x00000372022169c0 objects=20 used=18 fp=0x00000000885a7c88 flags=0x3ffff00000000a00(workingset|slab|node=0|zone=1|lastcpupid=0x1ffff)\n kernel: Object 0x00000000885a74b8 @offset=1208 fp=0x00000000885a7c88\n kernel: Redzone 00000000885a74b0: bb bb bb bb bb bb bb bb ........\n kernel: Object 00000000885a74b8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74c8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74d8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74e8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a74f8: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk\n kernel: Object 00000000885a7508: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 68 4b 6b 6b 6b a5 kkkkkkkkkkhKkkk.\n kernel: Redzone 00000000885a7518: bb bb bb bb bb bb bb bb ........\n kernel: Padding 00000000885a756c: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZ\n kernel: CPU: 0 PID: 387 Comm: systemd-udevd Not tainted 6.8.0-HF #2\n kernel: Hardware name: IBM 3931 A01 704 (KVM/Linux)\n kernel: Call Trace:\n kernel: [<00000000ca5ab5b8>] dump_stack_lvl+0x90/0x120\n kernel: [<00000000c99d78bc>] check_bytes_and_report+0x114/0x140\n kernel: [<00000000c99d53cc>] check_object+0x334/0x3f8\n kernel: [<00000000c99d820c>] alloc_debug_processing+0xc4/0x1f8\n kernel: [<00000000c99d852e>] get_partial_node.part.0+0x1ee/0x3e0\n kernel: [<00000000c99d94ec>] ___slab_alloc+0xaf4/0x13c8\n kernel: [<00000000c99d9e38>] __slab_alloc.constprop.0+0x78/0xb8\n kernel: [<00000000c99dc8dc>] __kmalloc+0x434/0x590\n kernel: [<00000000c9b4c0ce>] ext4_htree_store_dirent+0x4e/0x1c0\n kernel: [<00000000c9b908a2>] htree_dirblock_to_tree+0x17a/0x3f0\n kernel: \n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26957", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26957" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4c806333efea1000a2a9620926f560ad2e1ca7cc" + }, + { + "url": "https://git.kernel.org/stable/c/538faabf31e9c53d8c870d114846fda958a0de10" + }, + { + "url": "https://git.kernel.org/stable/c/b76b46902c2d0395488c8412e1116c2486cdfcb2" + }, + { + "url": "https://git.kernel.org/stable/c/f6c5d21db16a0910152ec8aa9d5a7aed72694505" + }, + { + "url": "https://git.kernel.org/linus/b76b46902c2d0395488c8412e1116c2486cdfcb2(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36000" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-304", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36000" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix missing hugetlb_lock for resv uncharge\n\nThere is a recent report on UFFDIO_COPY over hugetlb:\n\nhttps://lore.kernel.org/all/000000000000ee06de0616177560@google.com/\n\n350:\tlockdep_assert_held(&hugetlb_lock);\n\nShould be an issue in hugetlb but triggered in an userfault context, where\nit goes into the unlikely path where two threads modifying the resv map\ntogether. Mike has a fix in that path for resv uncharge but it looks like\nthe locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()\nwill update the cgroup pointer, so it requires to be called with the lock\nheld.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-36000", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36000" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8248224ab5b8ca7559b671917c224296a4d671fc" + }, + { + "url": "https://git.kernel.org/stable/c/8861fd5180476f45f9e8853db154600469a0284f" + }, + { + "url": "https://git.kernel.org/stable/c/c7a4bca289e50bb4b2650f845c41bb3e453f4c66" + }, + { + "url": "https://git.kernel.org/stable/c/699f8958dece132709c0bff6a9700999a2a63b75" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35998" + }, + { + "url": "https://git.kernel.org/linus/8861fd5180476f45f9e8853db154600469a0284f(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-305", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35998" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: fix lock ordering potential deadlock in cifs_sync_mid_result\n\nCoverity spotted that the cifs_sync_mid_result function could deadlock\n\n\"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires\nlock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock\"\n\nAddresses-Coverity: 1590401 (\"Thread deadlock (ORDER_REVERSAL)\")", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35998", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35998" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e4f9f20b32658ef3724aa46f7aef4908d2609e3" + }, + { + "url": "https://git.kernel.org/stable/c/f0d857ce31a6bc7a82afcdbadb8f7417d482604b" + }, + { + "url": "https://git.kernel.org/stable/c/809aa64ebff51eb170ee31a95f83b2d21efa32e2" + }, + { + "url": "https://git.kernel.org/stable/c/8412c86e89cc78d8b513cb25cf2157a2adf3670a" + }, + { + "url": "https://git.kernel.org/stable/c/3fa240bb6b2dbb3e7a3ee1440a4889cbb6207eb7" + }, + { + "url": "https://git.kernel.org/stable/c/cecfb90cf71d91e9efebd68b9e9b84661b277cc8" + }, + { + "url": "https://git.kernel.org/stable/c/52de5805c147137205662af89ed7e083d656ae25" + }, + { + "url": "https://git.kernel.org/stable/c/b41d0ade0398007fb746213f09903d52a920e896" + }, + { + "url": "https://git.kernel.org/linus/809aa64ebff51eb170ee31a95f83b2d21efa32e2(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26839" + } + ], + "bom-ref": "vuln-306", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26839" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix a memleak in init_credit_return\n\nWhen dma_alloc_coherent fails to allocate dd->cr_base[i].va,\ninit_credit_return should deallocate dd->cr_base and\ndd->cr_base[i] that allocated before. Or those resources\nwould be never freed and a memleak is triggered.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26839", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26839" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/93f0133b9d589cc6e865f254ad9be3e9d8133f50" + }, + { + "url": "https://git.kernel.org/stable/c/91b243de910a9ac8476d40238ab3dbfeedd5b7de" + }, + { + "url": "https://git.kernel.org/stable/c/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada" + }, + { + "url": "https://git.kernel.org/stable/c/c1ae4d1e76eacddaacb958b67cd942082f800c87" + }, + { + "url": "https://git.kernel.org/stable/c/899265c1389fe022802aae73dbf13ee08837a35a" + }, + { + "url": "https://git.kernel.org/stable/c/44e62f5d35678686734afd47c6a421ad30772e7f" + }, + { + "url": "https://git.kernel.org/stable/c/2e43d8eba6edd1cf05a3a20fdd77688fa7ec16a4" + }, + { + "url": "https://git.kernel.org/stable/c/e3e27d2b446deb1f643758a0c4731f5c22492810" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35910" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/151c9c724d05d5b0dd8acd3e11cb69ef1f2dbada(6.9-rc2)" + } + ], + "bom-ref": "vuln-307", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35910" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: properly terminate timers for kernel sockets\n\nWe had various syzbot reports about tcp timers firing after\nthe corresponding netns has been dismantled.\n\nFortunately Josef Bacik could trigger the issue more often,\nand could test a patch I wrote two years ago.\n\nWhen TCP sockets are closed, we call inet_csk_clear_xmit_timers()\nto 'stop' the timers.\n\ninet_csk_clear_xmit_timers() can be called from any context,\nincluding when socket lock is held.\nThis is the reason it uses sk_stop_timer(), aka del_timer().\nThis means that ongoing timers might finish much later.\n\nFor user sockets, this is fine because each running timer\nholds a reference on the socket, and the user socket holds\na reference on the netns.\n\nFor kernel sockets, we risk that the netns is freed before\ntimer can complete, because kernel sockets do not hold\nreference on the netns.\n\nThis patch adds inet_csk_clear_xmit_timers_sync() function\nthat using sk_stop_timer_sync() to make sure all timers\nare terminated before the kernel socket is released.\nModules using kernel sockets close them in their netns exit()\nhandler.\n\nAlso add sock_not_owned_by_me() helper to get LOCKDEP\nsupport : inet_csk_clear_xmit_timers_sync() must not be called\nwhile socket lock is held.\n\nIt is very possible we can revert in the future commit\n3a58f13a881e (\"net: rds: acquire refcount on TCP sockets\")\nwhich attempted to solve the issue in rds only.\n(net/smc/af_smc.c and net/mptcp/subflow.c have similar code)\n\nWe probably can remove the check_net() tests from\ntcp_out_of_resources() and __tcp_close() in the future.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35910", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35910" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/562b7245131f6e9f1d280c8b5a8750f03edfc05c" + }, + { + "url": "https://git.kernel.org/stable/c/c760089aa98289b4b88a7ff5a62dd92845adf223" + }, + { + "url": "https://git.kernel.org/stable/c/cf4bc359b76144a3dd55d7c09464ef4c5f2b2b05" + }, + { + "url": "https://git.kernel.org/stable/c/65acf6e0501ac8880a4f73980d01b5d27648b956" + }, + { + "url": "https://git.kernel.org/stable/c/97dab36e57c64106e1c8ebd66cbf0d2d1e52d6b7" + }, + { + "url": "https://git.kernel.org/stable/c/89242d9584c342cb83311b598d9e6b82572eadf8" + }, + { + "url": "https://git.kernel.org/linus/65acf6e0501ac8880a4f73980d01b5d27648b956(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35962" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-308", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35962" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: complete validation of user input\n\nIn my recent commit, I missed that do_replace() handlers\nuse copy_from_sockptr() (which I fixed), followed\nby unsafe copy_from_sockptr_offset() calls.\n\nIn all functions, we can perform the @optlen validation\nbefore even calling xt_alloc_table_info() with the following\ncheck:\n\nif ((u64)optlen < (u64)tmp.size + sizeof(tmp))\n return -EINVAL;", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35962", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35962" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UFQJCYJ23HWHNDOVKBHZQ7HCXXL6MM3/" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2210657" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2ZUHZXQ2C3JZYKPW4XHCMVVL467MA2V/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-34151" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2272.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-34151" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-301.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6200-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1844.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036999" + } + ], + "bom-ref": "vuln-309", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34151" + } + } + ], + "created": "2023-05-30T22:15:11Z", + "description": "A vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2023-34151", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-22T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T04:12:02Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f860595512ff5c05a29fa4d64169c3fd1186b8cf" + }, + { + "url": "https://git.kernel.org/stable/c/20a915154ccb88da08986ab6c9fc4c1cf6259de2" + }, + { + "url": "https://git.kernel.org/stable/c/32223b0b60d53f49567fc501f91ca076ae96be6b" + }, + { + "url": "https://git.kernel.org/stable/c/f5e65b782f3e07324b9a8fa3cdaee422f057c758" + }, + { + "url": "https://git.kernel.org/stable/c/976b1b2680fb4c01aaf05a0623288d87619a6c93" + }, + { + "url": "https://git.kernel.org/stable/c/3ddf944b32f88741c303f0b21459dbb3872b8bc5" + }, + { + "url": "https://git.kernel.org/stable/c/5a02df3e92470efd589712925b5c722e730276a0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35876" + }, + { + "url": "https://git.kernel.org/linus/3ddf944b32f88741c303f0b21459dbb3872b8bc5(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-310", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35876" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mce: Make sure to grab mce_sysfs_mutex in set_bank()\n\nModifying a MCA bank's MCA_CTL bits which control which error types to\nbe reported is done over\n\n /sys/devices/system/machinecheck/\n ??? machinecheck0\n ?   ??? bank0\n ?   ??? bank1\n ?   ??? bank10\n ?   ??? bank11\n ...\n\nsysfs nodes by writing the new bit mask of events to enable.\n\nWhen the write is accepted, the kernel deletes all current timers and\nreinits all banks.\n\nDoing that in parallel can lead to initializing a timer which is already\narmed and in the timer wheel, i.e., in use already:\n\n ODEBUG: init active (active state 0) object: ffff888063a28000 object\n type: timer_list hint: mce_timer_fn+0x0/0x240 arch/x86/kernel/cpu/mce/core.c:2642\n WARNING: CPU: 0 PID: 8120 at lib/debugobjects.c:514\n debug_print_object+0x1a0/0x2a0 lib/debugobjects.c:514\n\nFix that by grabbing the sysfs mutex as the rest of the MCA sysfs code\ndoes.\n\nReported by: Yue Sun \nReported by: xingwei lee ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35876", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35876" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8db10cee51e3e11a6658742465edc21986cf1e8d" + }, + { + "url": "https://git.kernel.org/stable/c/8f3e68c6a3fff53c2240762a47a0045d89371775" + }, + { + "url": "https://git.kernel.org/stable/c/cdb637d339572398821204a1142d8d615668f1e9" + }, + { + "url": "https://git.kernel.org/stable/c/b33d4af102b9c1f7a83d3f0ad3cab7d2bab8f058" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27042" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/cdb637d339572398821204a1142d8d615668f1e9(6.9-rc1)" + } + ], + "bom-ref": "vuln-311", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27042" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'\n\nThe issue arises when the array 'adev->vcn.vcn_config' is accessed\nbefore checking if the index 'adev->vcn.num_vcn_inst' is within the\nbounds of the array.\n\nThe fix involves moving the bounds check before the array access. This\nensures that 'adev->vcn.num_vcn_inst' is within the bounds of the array\nbefore it is used as an index.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c:1289 amdgpu_discovery_reg_base_init() error: testing array offset 'adev->vcn.num_vcn_inst' after use.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27042", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27042" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0bd8ef618a42d7e6ea3f701065264e15678025e3" + }, + { + "url": "https://git.kernel.org/stable/c/39079fe8e660851abbafa90cd55cbf029210661f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26914" + }, + { + "url": "https://git.kernel.org/linus/39079fe8e660851abbafa90cd55cbf029210661f(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-312", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26914" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix incorrect mpc_combine array size\n\n[why]\nMAX_SURFACES is per stream, while MAX_PLANES is per asic. The\nmpc_combine is an array that records all the planes per asic. Therefore\nMAX_PLANES should be used as the array size. Using MAX_SURFACES causes\narray overflow when there are more than 3 planes.\n\n[how]\nUse the MAX_PLANES for the mpc_combine array size.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26914", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26914" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b8d55a90fd55b767c25687747e2b24abd1ef8680" + }, + { + "url": "https://git.kernel.org/stable/c/195a6289282e039024ad30ba66e6f94a4d0fbe49" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52585" + }, + { + "url": "https://git.kernel.org/linus/b8d55a90fd55b767c25687747e2b24abd1ef8680(6.8-rc1)" + } + ], + "bom-ref": "vuln-313", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52585" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()\n\nReturn invalid error code -EINVAL for invalid block id.\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52585", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52585" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html" + }, + { + "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-588.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070133" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2515.html" + }, + { + "url": "https://discuss.python.org/t/python-3-10-14-3-9-19-and-3-8-19-is-now-available/48993" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-605.html" + }, + { + "url": "https://seclists.org/oss-sec/2024/q1/240" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0450" + } + ], + "bom-ref": "vuln-314", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0450" + } + } + ], + "created": "2024-03-19T16:15:09Z", + "description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n", + "affects": [ + { + "ref": "comp-321" + } + ], + "id": "CVE-2024-0450", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0450" + }, + "cwes": [ + 405 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T22:15:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/39126abc5e20611579602f03b66627d7cd1422f0" + }, + { + "url": "https://git.kernel.org/stable/c/cc0037fa592d56e4abb9c7d1c52c4d2dc25cd906" + }, + { + "url": "https://git.kernel.org/stable/c/985d053f7633d8b539ab1531738d538efac678a9" + }, + { + "url": "https://git.kernel.org/linus/39126abc5e20611579602f03b66627d7cd1422f0(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26719" + } + ], + "bom-ref": "vuln-315", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26719" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: offload fence uevents work to workqueue\n\nThis should break the deadlock between the fctx lock and the irq lock.\n\nThis offloads the processing off the work from the irq into a workqueue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26719", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26719" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2402845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-316", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ + { + "ref": "comp-303" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9db89b1fb85557892e6681724b367287de5f9f20" + }, + { + "url": "https://git.kernel.org/stable/c/a71f66bd5f7b9b35a8aaa49e29565eca66299399" + }, + { + "url": "https://git.kernel.org/stable/c/8a01335aedc50a66d04dd39203c89f4bc8042596" + }, + { + "url": "https://git.kernel.org/stable/c/03e6d4e948432a61b35783323b6ab2be071d2619" + }, + { + "url": "https://git.kernel.org/stable/c/dbf291d8ffffb70f48286176a15c6c54f0bb0743" + }, + { + "url": "https://git.kernel.org/stable/c/a853450bf4c752e664abab0b2fad395b7ad7701c" + }, + { + "url": "https://git.kernel.org/stable/c/23bc89fdce71124cd2126fc919c7076e7cb489cf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26877" + }, + { + "url": "https://git.kernel.org/linus/a853450bf4c752e664abab0b2fad395b7ad7701c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-317", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26877" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: xilinx - call finalize with bh disabled\n\nWhen calling crypto_finalize_request, BH should be disabled to avoid\ntriggering the following calltrace:\n\n ------------[ cut here ]------------\n WARNING: CPU: 2 PID: 74 at crypto/crypto_engine.c:58 crypto_finalize_request+0xa0/0x118\n Modules linked in: cryptodev(O)\n CPU: 2 PID: 74 Comm: firmware:zynqmp Tainted: G O 6.8.0-rc1-yocto-standard #323\n Hardware name: ZynqMP ZCU102 Rev1.0 (DT)\n pstate: 40000005 (nZcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : crypto_finalize_request+0xa0/0x118\n lr : crypto_finalize_request+0x104/0x118\n sp : ffffffc085353ce0\n x29: ffffffc085353ce0 x28: 0000000000000000 x27: ffffff8808ea8688\n x26: ffffffc081715038 x25: 0000000000000000 x24: ffffff880100db00\n x23: ffffff880100da80 x22: 0000000000000000 x21: 0000000000000000\n x20: ffffff8805b14000 x19: ffffff880100da80 x18: 0000000000010450\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n x14: 0000000000000003 x13: 0000000000000000 x12: ffffff880100dad0\n x11: 0000000000000000 x10: ffffffc0832dcd08 x9 : ffffffc0812416d8\n x8 : 00000000000001f4 x7 : ffffffc0830d2830 x6 : 0000000000000001\n x5 : ffffffc082091000 x4 : ffffffc082091658 x3 : 0000000000000000\n x2 : ffffffc7f9653000 x1 : 0000000000000000 x0 : ffffff8802d20000\n Call trace:\n crypto_finalize_request+0xa0/0x118\n crypto_finalize_aead_request+0x18/0x30\n zynqmp_handle_aes_req+0xcc/0x388\n crypto_pump_work+0x168/0x2d8\n kthread_worker_fn+0xfc/0x3a0\n kthread+0x118/0x138\n ret_from_fork+0x10/0x20\n irq event stamp: 40\n hardirqs last enabled at (39): [] _raw_spin_unlock_irqrestore+0x70/0xb0\n hardirqs last disabled at (40): [] el1_dbg+0x28/0x90\n softirqs last enabled at (36): [] kernel_neon_begin+0x8c/0xf0\n softirqs last disabled at (34): [] kernel_neon_begin+0x60/0xf0\n ---[ end trace 0000000000000000 ]---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26877", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26877" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d3a9331a6591e9df64791e076f6591f440af51c3" + }, + { + "url": "https://git.kernel.org/stable/c/0c7ed3ed35eec9138b88d42217b5a6b9a62bda4d" + }, + { + "url": "https://git.kernel.org/stable/c/5c25b169f9a0b34ee410891a96bc9d7b9ed6f9be" + }, + { + "url": "https://git.kernel.org/stable/c/9a4f6e138720b6e9adf7b82a71d0292f3f276480" + }, + { + "url": "https://git.kernel.org/linus/d3a9331a6591e9df64791e076f6591f440af51c3(6.9-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27400" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-318", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27400" + } + } + ], + "created": "2024-05-14T15:12:29Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2\n\nThis reverts drm/amdgpu: fix ftrace event amdgpu_bo_move always move\non same heap. The basic problem here is that after the move the old\nlocation is simply not available any more.\n\nSome fixes were suggested, but essentially we should call the move\nnotification before actually moving things because only this way we have\nthe correct order for DMA-buf and VM move notifications as well.\n\nAlso rework the statistic handling so that we don't update the eviction\ncounter before the move.\n\nv2: add missing NULL check", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27400", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27400" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32002" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-32002" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-319", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32002" + } + } + ], + "created": "2024-05-14T19:15:10Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-32002", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32002" + }, + "cwes": [ + 434, + 22 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-14T19:17:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:50:23Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49f9637aafa6e63ba686c13cb8549bf5e6920402" + }, + { + "url": "https://git.kernel.org/stable/c/e2b77d107b33bb31c8b1f5c4cb8f277b23728f1e" + }, + { + "url": "https://git.kernel.org/stable/c/f423528488e4f9606cef858eceea210bf1163f41" + }, + { + "url": "https://git.kernel.org/stable/c/6996d43b14486f4a6655b10edc541ada1b580b4b" + }, + { + "url": "https://git.kernel.org/stable/c/de6a91aed1e0b1a23e9c11e7d7557f088eeeb017" + }, + { + "url": "https://git.kernel.org/stable/c/3537f92cd22c672db97fae6997481e678ad14641" + }, + { + "url": "https://git.kernel.org/stable/c/5a6660139195f5e2fbbda459eeecb8788f3885fe" + }, + { + "url": "https://git.kernel.org/stable/c/6aa30020879042d46df9f747e4f0a486eea6fe98" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/49f9637aafa6e63ba686c13cb8549bf5e6920402(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52599" + } + ], + "bom-ref": "vuln-320", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52599" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diNewExt\n\n[Syz report]\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2360:2\nindex -878706688 is out of range for type 'struct iagctl[128]'\nCPU: 1 PID: 5065 Comm: syz-executor282 Not tainted 6.7.0-rc4-syzkaller-00009-gbee0e7762ad2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348\n diNewExt+0x3cf3/0x4000 fs/jfs/jfs_imap.c:2360\n diAllocExt fs/jfs/jfs_imap.c:1949 [inline]\n diAllocAG+0xbe8/0x1e50 fs/jfs/jfs_imap.c:1666\n diAlloc+0x1d3/0x1760 fs/jfs/jfs_imap.c:1587\n ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56\n jfs_mkdir+0x1c5/0xb90 fs/jfs/namei.c:225\n vfs_mkdir+0x2f1/0x4b0 fs/namei.c:4106\n do_mkdirat+0x264/0x3a0 fs/namei.c:4129\n __do_sys_mkdir fs/namei.c:4149 [inline]\n __se_sys_mkdir fs/namei.c:4147 [inline]\n __x64_sys_mkdir+0x6e/0x80 fs/namei.c:4147\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\nRIP: 0033:0x7fcb7e6a0b57\nCode: ff ff 77 07 31 c0 c3 0f 1f 40 00 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd83023038 EFLAGS: 00000286 ORIG_RAX: 0000000000000053\nRAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007fcb7e6a0b57\nRDX: 00000000000a1020 RSI: 00000000000001ff RDI: 0000000020000140\nRBP: 0000000020000140 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000286 R12: 00007ffd830230d0\nR13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n\n[Analysis]\nWhen the agstart is too large, it can cause agno overflow.\n\n[Fix]\nAfter obtaining agno, if the value is invalid, exit the subsequent process.\n\n\nModified the test from agno > MAXAG to agno >= MAXAG based on linux-next\nreport by kernel test robot (Dan Carpenter).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52599" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/afe6fcb9775882230cd29b529203eabd5d2a638d" + }, + { + "url": "https://git.kernel.org/stable/c/52aa507148c4aad41436e2005d742ffcafad9976" + }, + { + "url": "https://git.kernel.org/stable/c/3169eaf1365541fd8e521091010c44fbe14691fc" + }, + { + "url": "https://git.kernel.org/stable/c/50c0ad785a780c72a2fdaba10b38c645ffb4eae6" + }, + { + "url": "https://git.kernel.org/stable/c/f05631a8525c3b5e5994ecb1304d2d878956c0f5" + }, + { + "url": "https://git.kernel.org/stable/c/93128052bf832359531c3c0a9e3567b2b8682a2d" + }, + { + "url": "https://git.kernel.org/stable/c/92003981a6df5dc84af8a5904f8ee112fa324129" + }, + { + "url": "https://git.kernel.org/stable/c/c5d2342d24ef6e08fc90a529fe3dc59de421a2b9" + }, + { + "url": "https://git.kernel.org/stable/c/47a13d0b9d8527518639ab5c39667f69d6203e80" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52650" + }, + { + "url": "https://git.kernel.org/linus/afe6fcb9775882230cd29b529203eabd5d2a638d(6.9-rc1)" + } + ], + "bom-ref": "vuln-321", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52650" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: dsi: Add missing check for of_find_device_by_node\n\nAdd check for the return value of of_find_device_by_node() and return\nthe error if it fails in order to avoid NULL pointer dereference.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52650", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52650" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/10204df9beda4978bd1d0c2db0d8375bfb03b915" + }, + { + "url": "https://git.kernel.org/stable/c/43be590456e1f3566054ce78ae2dbb68cbe1a536" + }, + { + "url": "https://git.kernel.org/stable/c/357163fff3a6e48fe74745425a32071ec9caf852" + }, + { + "url": "https://git.kernel.org/stable/c/d3adf11d7993518a39bd02b383cfe657ccc0023c" + }, + { + "url": "https://git.kernel.org/stable/c/3c1ae6de74e3d2d6333d29a2d3e13e6094596c79" + }, + { + "url": "https://git.kernel.org/stable/c/4a1b65d1e55d53b397cb27014208be1e04172670" + }, + { + "url": "https://git.kernel.org/stable/c/d8a6213d70accb403b82924a1c229e733433a5ef" + }, + { + "url": "https://git.kernel.org/stable/c/190d9efa5773f26d6f334b1b8be282c4fa13fd5e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35973" + }, + { + "url": "https://git.kernel.org/linus/d8a6213d70accb403b82924a1c229e733433a5ef(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-322", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35973" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: fix header validation in geneve[6]_xmit_skb\n\nsyzbot is able to trigger an uninit-value in geneve_xmit() [1]\n\nProblem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())\nuses skb_protocol(skb, true), pskb_inet_may_pull() is only using\nskb->protocol.\n\nIf anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,\npskb_inet_may_pull() does nothing at all.\n\nIf a vlan tag was provided by the caller (af_packet in the syzbot case),\nthe network header might not point to the correct location, and skb\nlinear part could be smaller than expected.\n\nAdd skb_vlan_inet_prepare() to perform a complete mac validation.\n\nUse this in geneve for the moment, I suspect we need to adopt this\nmore broadly.\n\nv4 - Jakub reported v3 broke l2_tos_ttl_inherit.sh selftest\n - Only call __vlan_get_protocol() for vlan types.\n\nv2,v3 - Addressed Sabrina comments on v1 and v2\n\n[1]\n\nBUG: KMSAN: uninit-value in geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n BUG: KMSAN: uninit-value in geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n geneve_xmit_skb drivers/net/geneve.c:910 [inline]\n geneve_xmit+0x302d/0x5420 drivers/net/geneve.c:1030\n __netdev_start_xmit include/linux/netdevice.h:4903 [inline]\n netdev_start_xmit include/linux/netdevice.h:4917 [inline]\n xmit_one net/core/dev.c:3531 [inline]\n dev_hard_start_xmit+0x247/0xa20 net/core/dev.c:3547\n __dev_queue_xmit+0x348d/0x52c0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n packet_xmit+0x9c/0x6c0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8bb0/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3804 [inline]\n slab_alloc_node mm/slub.c:3845 [inline]\n kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577\n __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668\n alloc_skb include/linux/skbuff.h:1318 [inline]\n alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504\n sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x722d/0x9ef0 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n __sys_sendto+0x685/0x830 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1d0 net/socket.c:2199\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nCPU: 0 PID: 5033 Comm: syz-executor346 Not tainted 6.9.0-rc1-syzkaller-00005-g928a87efa423 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35973", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35973" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/93f0f4e846fcb682c3ec436e3b2e30e5a3a8ee6a" + }, + { + "url": "https://git.kernel.org/stable/c/f0da068c75c20ffc5ba28243ff577531dc2af1fd" + }, + { + "url": "https://git.kernel.org/stable/c/3a7753bda55985dc26fae17795cb10d825453ad1" + }, + { + "url": "https://git.kernel.org/stable/c/4e440abc894585a34c2904a32cd54af1742311b3" + }, + { + "url": "https://git.kernel.org/stable/c/a16afec8e83c56b14a4a73d2e3fb8eec3a8a057e" + }, + { + "url": "https://git.kernel.org/stable/c/1eb74c00c9c3b13cb65e508c5d5a2f11afb96b8b" + }, + { + "url": "https://git.kernel.org/stable/c/9bce69419271eb8b2b3ab467387cb59c99d80deb" + }, + { + "url": "https://git.kernel.org/stable/c/853a6503c586a71abf27e60a7f8c4fb28092976d" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26664" + }, + { + "url": "https://git.kernel.org/linus/4e440abc894585a34c2904a32cd54af1742311b3(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-323", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26664" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (coretemp) Fix out-of-bounds memory access\n\nFix a bug that pdata->cpu_map[] is set before out-of-bounds check.\nThe problem might be triggered on systems with more than 128 cores per\npackage.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26664", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26664" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49955b24002dc16a0ae2e83a57a2a6c863a1845c" + }, + { + "url": "https://git.kernel.org/stable/c/882e1180c83f5b75bae03d0ccc31ccedfe5159de" + }, + { + "url": "https://git.kernel.org/stable/c/1983184c22dd84a4d95a71e5c6775c2638557dc7" + }, + { + "url": "https://git.kernel.org/stable/c/5ef7ba2799a3b5ed292b8f6407376e2c25ef002e" + }, + { + "url": "https://git.kernel.org/linus/1983184c22dd84a4d95a71e5c6775c2638557dc7(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26987" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-324", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26987" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled\n\nWhen I did hard offline test with hugetlb pages, below deadlock occurs:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.8.0-11409-gf6cef5f8c37f #1 Not tainted\n------------------------------------------------------\nbash/46904 is trying to acquire lock:\nffffffffabe68910 (cpu_hotplug_lock){++++}-{0:0}, at: static_key_slow_dec+0x16/0x60\n\nbut task is already holding lock:\nffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (pcp_batch_high_lock){+.+.}-{3:3}:\n __mutex_lock+0x6c/0x770\n page_alloc_cpu_online+0x3c/0x70\n cpuhp_invoke_callback+0x397/0x5f0\n __cpuhp_invoke_callback_range+0x71/0xe0\n _cpu_up+0xeb/0x210\n cpu_up+0x91/0xe0\n cpuhp_bringup_mask+0x49/0xb0\n bringup_nonboot_cpus+0xb7/0xe0\n smp_init+0x25/0xa0\n kernel_init_freeable+0x15f/0x3e0\n kernel_init+0x15/0x1b0\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30\n\n-> #0 (cpu_hotplug_lock){++++}-{0:0}:\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(pcp_batch_high_lock);\n lock(cpu_hotplug_lock);\n lock(pcp_batch_high_lock);\n rlock(cpu_hotplug_lock);\n\n *** DEADLOCK ***\n\n5 locks held by bash/46904:\n #0: ffff98f6c3bb23f0 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x64/0xe0\n #1: ffff98f6c328e488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0xf8/0x1d0\n #2: ffff98ef83b31890 (kn->active#113){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x100/0x1d0\n #3: ffffffffabf9db48 (mf_mutex){+.+.}-{3:3}, at: memory_failure+0x44/0xc70\n #4: ffffffffabf92ea8 (pcp_batch_high_lock){+.+.}-{3:3}, at: zone_pcp_disable+0x16/0x40\n\nstack backtrace:\nCPU: 10 PID: 46904 Comm: bash Kdump: loaded Not tainted 6.8.0-11409-gf6cef5f8c37f #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x68/0xa0\n check_noncircular+0x129/0x140\n __lock_acquire+0x1298/0x1cd0\n lock_acquire+0xc0/0x2b0\n cpus_read_lock+0x2a/0xc0\n static_key_slow_dec+0x16/0x60\n __hugetlb_vmemmap_restore_folio+0x1b9/0x200\n dissolve_free_huge_page+0x211/0x260\n __page_handle_poison+0x45/0xc0\n memory_failure+0x65e/0xc70\n hard_offline_page_store+0x55/0xa0\n kernfs_fop_write_iter+0x12c/0x1d0\n vfs_write+0x387/0x550\n ksys_write+0x64/0xe0\n do_syscall_64+0xca/0x1e0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fc862314887\nCode: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24\nRSP: 002b:00007fff19311268 EFLAGS: 00000246 ORIG_RAX: 0000000000000001\nRAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007fc862314887\nRDX: 000000000000000c RSI: 000056405645fe10 RDI: 0000000000000001\nRBP: 000056405645fe10 R08: 00007fc8623d1460 R09: 000000007fffffff\nR10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c\nR13: 00007fc86241b780 R14: 00007fc862417600 R15: 00007fc862416a00\n\nIn short, below scene breaks the \n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26987", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26987" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/645f332c6b63499cc76197f9b6bffcc659ba64cc" + }, + { + "url": "https://git.kernel.org/stable/c/e1db9ae87b7148c021daee1fcc4bc71b2ac58a79" + }, + { + "url": "https://git.kernel.org/stable/c/062a7f0ff46eb57aff526897bd2bebfdb1d3046a" + }, + { + "url": "https://git.kernel.org/linus/062a7f0ff46eb57aff526897bd2bebfdb1d3046a(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35869" + } + ], + "bom-ref": "vuln-325", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35869" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: guarantee refcounted children from parent session\n\nAvoid potential use-after-free bugs when walking DFS referrals,\nmounting and performing DFS failover by ensuring that all children\nfrom parent @tcon->ses are also refcounted. They're all needed across\nthe entire DFS mount. Get rid of @tcon->dfs_ses_list while we're at\nit, too.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35869", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35869" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3d4b909704bf2114f64f87363fa22b5ef8ac4a33" + }, + { + "url": "https://git.kernel.org/stable/c/1fb52bc1de55e9e0bdf71fe078efd4da0889710f" + }, + { + "url": "https://git.kernel.org/stable/c/48d6bcfc31751ca2e753d901a2d82f27edf8a029" + }, + { + "url": "https://git.kernel.org/stable/c/c2d953276b8b27459baed1277a4fdd5dd9bd4126" + }, + { + "url": "https://git.kernel.org/stable/c/951838fee462aa01fa2a6a91d56f9a495082e7f0" + }, + { + "url": "https://git.kernel.org/stable/c/1b107d637fed68a787da77a3514ad06e57abd0b4" + }, + { + "url": "https://git.kernel.org/stable/c/664206ff8b019bcd1e55b10b2eea3add8761b971" + }, + { + "url": "https://git.kernel.org/stable/c/72d091b7515e0532ee015e144c906f3bcfdd6270" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35922" + }, + { + "url": "https://git.kernel.org/linus/c2d953276b8b27459baed1277a4fdd5dd9bd4126(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-326", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35922" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbmon: prevent division by zero in fb_videomode_from_videomode()\n\nThe expression htotal * vtotal can have a zero value on\noverflow. It is necessary to prevent division by zero like in\nfb_var_to_videomode().\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35922", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35922" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/61ac7284346c32f9a8c8ceac56102f7914060428" + }, + { + "url": "https://git.kernel.org/stable/c/2cee2ff7f8cce12a63a0a23ffe27f08d99541494" + }, + { + "url": "https://git.kernel.org/stable/c/eb769ff4e281f751adcaf4f4445cbf30817be139" + }, + { + "url": "https://git.kernel.org/stable/c/a34ba4bdeec0c3b629160497594908dc820110f1" + }, + { + "url": "https://git.kernel.org/stable/c/8038ee3c3e5b59bcd78467686db5270c68544e30" + }, + { + "url": "https://git.kernel.org/stable/c/0d459e2ffb541841714839e8228b845458ed3b27" + }, + { + "url": "https://git.kernel.org/stable/c/8d3a58af50e46167b6f1db47adadad03c0045dae" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-056.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26925" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-064.html" + }, + { + "url": "https://git.kernel.org/linus/0d459e2ffb541841714839e8228b845458ed3b27(6.9-rc3)" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-613.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-042.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-327", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26925" + } + } + ], + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: release mutex after nft_gc_seq_end from abort path\n\nThe commit mutex should not be released during the critical section\nbetween nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC\nworker could collect expired objects and get the released commit lock\nwithin the same GC sequence.\n\nnf_tables_module_autoload() temporarily releases the mutex to load\nmodule dependencies, then it goes back to replay the transaction again.\nMove it at the end of the abort phase after nft_gc_seq_end() is called.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26925", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26925" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a" + }, + { + "url": "https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705" + }, + { + "url": "https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4" + }, + { + "url": "https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26789" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-328", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26789" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: arm64/neonbs - fix out-of-bounds access on short input\n\nThe bit-sliced implementation of AES-CTR operates on blocks of 128\nbytes, and will fall back to the plain NEON version for tail blocks or\ninputs that are shorter than 128 bytes to begin with.\n\nIt will call straight into the plain NEON asm helper, which performs all\nmemory accesses in granules of 16 bytes (the size of a NEON register).\nFor this reason, the associated plain NEON glue code will copy inputs\nshorter than 16 bytes into a temporary buffer, given that this is a rare\noccurrence and it is not worth the effort to work around this in the asm\ncode.\n\nThe fallback from the bit-sliced NEON version fails to take this into\naccount, potentially resulting in out-of-bounds accesses. So clone the\nsame workaround, and use a temp buffer for short in/outputs.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26789", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26789" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1" + }, + { + "url": "https://git.kernel.org/stable/c/8f6b62125befe1675446923e4171eac2c012959c" + }, + { + "url": "https://git.kernel.org/stable/c/0d130158db29f5e0b3893154908cf618896450a8" + }, + { + "url": "https://git.kernel.org/stable/c/89af25bd4b4bf6a71295f07e07a8ae7dc03c6595" + }, + { + "url": "https://git.kernel.org/stable/c/756c5cb7c09e537b87b5d3acafcb101b2ccf394f" + }, + { + "url": "https://git.kernel.org/stable/c/8defb1d22ba0395b81feb963b96e252b097ba76f" + }, + { + "url": "https://git.kernel.org/stable/c/0efb15c14c493263cb3a5f65f5ddfd4603d19a76" + }, + { + "url": "https://git.kernel.org/stable/c/6401038acfa24cba9c28cce410b7505efadd0222" + }, + { + "url": "https://git.kernel.org/linus/c8d2f34ea96ea3bce6ba2535f867f0d4ee3b22e1(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26994" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-329", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26994" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspeakup: Avoid crash on very long word\n\nIn case a console is set up really large and contains a really long word\n(> 256 characters), we have to stop before the length of the word buffer.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26994", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26994" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/10c02aad111df02088d1a81792a709f6a7eca6cc" + }, + { + "url": "https://git.kernel.org/stable/c/3ab1c40a1e915e350d9181a4603af393141970cc" + }, + { + "url": "https://git.kernel.org/stable/c/3d16cebf01127f459dcfeb79ed77bd68b124c228" + }, + { + "url": "https://git.kernel.org/linus/10c02aad111df02088d1a81792a709f6a7eca6cc(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26691" + } + ], + "bom-ref": "vuln-330", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26691" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix circular locking dependency\n\nThe rule inside kvm enforces that the vcpu->mutex is taken *inside*\nkvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquires\nthe kvm->lock while already holding the vcpu->mutex lock from\nkvm_vcpu_ioctl(). Avoid the circular locking dependency altogether by\nprotecting the hyp vm handle with the config_lock, much like we already\ndo for other forms of VM-scoped data.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26691", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26691" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8f860c8407470baff2beb9982ad6b172c94f1d0a" + }, + { + "url": "https://git.kernel.org/stable/c/e8ca3e73301e23e8c0ac0ce2e6bac4545cd776e0" + }, + { + "url": "https://git.kernel.org/stable/c/7a96d85bf196c170dcf1b47a82e9bb97cca69aa6" + }, + { + "url": "https://git.kernel.org/stable/c/69c7eeb4f622c2a28da965f970f982db171f3dc6" + }, + { + "url": "https://git.kernel.org/stable/c/c430e6bb43955c6bf573665fcebf31694925b9f7" + }, + { + "url": "https://git.kernel.org/stable/c/31b62908693c90d4d07db597e685d9f25a120073" + }, + { + "url": "https://git.kernel.org/stable/c/fece80a2a6718ed58487ce397285bb1b83a3e54e" + }, + { + "url": "https://git.kernel.org/stable/c/f8cf4dabbdcb8bef85335b0ed7ad5b25fd82ff56" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52623" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/31b62908693c90d4d07db597e685d9f25a120073(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-331", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52623" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix a suspicious RCU usage warning\n\nI received the following warning while running cthon against an ontap\nserver running pNFS:\n\n[ 57.202521] =============================\n[ 57.202522] WARNING: suspicious RCU usage\n[ 57.202523] 6.7.0-rc3-g2cc14f52aeb7 #41492 Not tainted\n[ 57.202525] -----------------------------\n[ 57.202525] net/sunrpc/xprtmultipath.c:349 RCU-list traversed in non-reader section!!\n[ 57.202527]\n other info that might help us debug this:\n\n[ 57.202528]\n rcu_scheduler_active = 2, debug_locks = 1\n[ 57.202529] no locks held by test5/3567.\n[ 57.202530]\n stack backtrace:\n[ 57.202532] CPU: 0 PID: 3567 Comm: test5 Not tainted 6.7.0-rc3-g2cc14f52aeb7 #41492 5b09971b4965c0aceba19f3eea324a4a806e227e\n[ 57.202534] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022\n[ 57.202536] Call Trace:\n[ 57.202537] \n[ 57.202540] dump_stack_lvl+0x77/0xb0\n[ 57.202551] lockdep_rcu_suspicious+0x154/0x1a0\n[ 57.202556] rpc_xprt_switch_has_addr+0x17c/0x190 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202596] rpc_clnt_setup_test_and_add_xprt+0x50/0x180 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202621] ? rpc_clnt_add_xprt+0x254/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202646] rpc_clnt_add_xprt+0x27a/0x300 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202671] ? __pfx_rpc_clnt_setup_test_and_add_xprt+0x10/0x10 [sunrpc ebe02571b9a8ceebf7d98e71675af20c19bdb1f6]\n[ 57.202696] nfs4_pnfs_ds_connect+0x345/0x760 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202728] ? __pfx_nfs4_test_session_trunk+0x10/0x10 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202754] nfs4_fl_prepare_ds+0x75/0xc0 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202760] filelayout_write_pagelist+0x4a/0x200 [nfs_layout_nfsv41_files e3a4187f18ae8a27b630f9feae6831b584a9360a]\n[ 57.202765] pnfs_generic_pg_writepages+0xbe/0x230 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202788] __nfs_pageio_add_request+0x3fd/0x520 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202813] nfs_pageio_add_request+0x18b/0x390 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202831] nfs_do_writepage+0x116/0x1e0 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202849] nfs_writepages_callback+0x13/0x30 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202866] write_cache_pages+0x265/0x450\n[ 57.202870] ? __pfx_nfs_writepages_callback+0x10/0x10 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202891] nfs_writepages+0x141/0x230 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202913] do_writepages+0xd2/0x230\n[ 57.202917] ? filemap_fdatawrite_wbc+0x5c/0x80\n[ 57.202921] filemap_fdatawrite_wbc+0x67/0x80\n[ 57.202924] filemap_write_and_wait_range+0xd9/0x170\n[ 57.202930] nfs_wb_all+0x49/0x180 [nfs 6c976fa593a7c2976f5a0aeb4965514a828e6902]\n[ 57.202947] nfs4_file_flush+0x72/0xb0 [nfsv4 c716d88496ded0ea6d289bbea684fa996f9b57a9]\n[ 57.202969] __se_sys_close+0x46/0xd0\n[ 57.202972] do_syscall_64+0x68/0x100\n[ 57.202975] ? do_syscall_64+0x77/0x100\n[ 57.202976] ? do_syscall_64+0x77/0x100\n[ 57.202979] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 57.202982] RIP: 0033:0x7fe2b12e4a94\n[ 57.202985] Code: 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d d5 18 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 c3\n[ 57.202987] RSP: 002b:00007ffe857ddb38 EFLAGS: 00000202 ORIG_RAX: 0000000000000003\n[ 57.202989] RAX: ffffffffffffffda RBX: 00007ffe857dfd68 RCX: 00007fe2b12e4a94\n[ 57.202991] RDX: 0000000000002000 RSI: 00007ffe857ddc40 RDI: 0000000000000003\n[ 57.202992] RBP: 00007ffe857dfc50 R08: 7fffffffffffffff R09: 0000000065650f49\n[ 57.202993] R10: 00007f\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52623", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52623" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/00aab7dcb2267f2aef59447602f34501efe1a07f" + }, + { + "url": "https://git.kernel.org/stable/c/62f5d219edbd174829aa18d4b3d97cd5fefbb783" + }, + { + "url": "https://git.kernel.org/stable/c/4cad91344a62536a2949873bad6365fbb6232776" + }, + { + "url": "https://git.kernel.org/stable/c/e28d6b63aeecbda450935fb58db0e682ea8212d3" + }, + { + "url": "https://git.kernel.org/stable/c/d7d7a0e3b6f5adc45f23667cbb919e99093a5b5c" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/00aab7dcb2267f2aef59447602f34501efe1a07f(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26717" + } + ], + "bom-ref": "vuln-332", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26717" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid-of: fix NULL-deref on failed power up\n\nA while back the I2C HID implementation was split in an ACPI and OF\npart, but the new OF driver never initialises the client pointer which\nis dereferenced on power-up failures.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26717", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26717" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4f5b15c15e6016efb3e14582d02cc4ddf57227df" + }, + { + "url": "https://git.kernel.org/stable/c/3c31b18a8dd8b7bf36af1cd723d455853b8f94fe" + }, + { + "url": "https://git.kernel.org/stable/c/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a" + }, + { + "url": "https://git.kernel.org/stable/c/b9433b25cb06c415c9cb24782599649a406c8d6d" + }, + { + "url": "https://git.kernel.org/linus/5761eb9761d2d5fe8248a9b719efc4d8baf1f24a(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26742" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-333", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26742" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Fix disable_managed_interrupts\n\nCorrect blk-mq registration issue with module parameter\ndisable_managed_interrupts enabled.\n\nWhen we turn off the default PCI_IRQ_AFFINITY flag, the driver needs to\nregister with blk-mq using blk_mq_map_queues(). The driver is currently\ncalling blk_mq_pci_map_queues() which results in a stack trace and possibly\nundefined behavior.\n\nStack Trace:\n[ 7.860089] scsi host2: smartpqi\n[ 7.871934] WARNING: CPU: 0 PID: 238 at block/blk-mq-pci.c:52 blk_mq_pci_map_queues+0xca/0xd0\n[ 7.889231] Modules linked in: sd_mod t10_pi sg uas smartpqi(+) crc32c_intel scsi_transport_sas usb_storage dm_mirror dm_region_hash dm_log dm_mod ipmi_devintf ipmi_msghandler fuse\n[ 7.924755] CPU: 0 PID: 238 Comm: kworker/0:3 Not tainted 4.18.0-372.88.1.el8_6_smartpqi_test.x86_64 #1\n[ 7.944336] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 03/08/2022\n[ 7.963026] Workqueue: events work_for_cpu_fn\n[ 7.978275] RIP: 0010:blk_mq_pci_map_queues+0xca/0xd0\n[ 7.978278] Code: 48 89 de 89 c7 e8 f6 0f 4f 00 3b 05 c4 b7 8e 01 72 e1 5b 31 c0 5d 41 5c 41 5d 41 5e 41 5f e9 7d df 73 00 31 c0 e9 76 df 73 00 <0f> 0b eb bc 90 90 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54\n[ 7.978280] RSP: 0018:ffffa95fc3707d50 EFLAGS: 00010216\n[ 7.978283] RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 0000000000000010\n[ 7.978284] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff9190c32d4310\n[ 7.978286] RBP: 0000000000000000 R08: ffffa95fc3707d38 R09: ffff91929b81ac00\n[ 7.978287] R10: 0000000000000001 R11: ffffa95fc3707ac0 R12: 0000000000000000\n[ 7.978288] R13: ffff9190c32d4000 R14: 00000000ffffffff R15: ffff9190c4c950a8\n[ 7.978290] FS: 0000000000000000(0000) GS:ffff9193efc00000(0000) knlGS:0000000000000000\n[ 7.978292] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 8.172814] CR2: 000055d11166c000 CR3: 00000002dae10002 CR4: 00000000007706f0\n[ 8.172816] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 8.172817] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 8.172818] PKRU: 55555554\n[ 8.172819] Call Trace:\n[ 8.172823] blk_mq_alloc_tag_set+0x12e/0x310\n[ 8.264339] scsi_add_host_with_dma.cold.9+0x30/0x245\n[ 8.279302] pqi_ctrl_init+0xacf/0xc8e [smartpqi]\n[ 8.294085] ? pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.309015] pqi_pci_probe+0x480/0x4c8 [smartpqi]\n[ 8.323286] local_pci_probe+0x42/0x80\n[ 8.337855] work_for_cpu_fn+0x16/0x20\n[ 8.351193] process_one_work+0x1a7/0x360\n[ 8.364462] ? create_worker+0x1a0/0x1a0\n[ 8.379252] worker_thread+0x1ce/0x390\n[ 8.392623] ? create_worker+0x1a0/0x1a0\n[ 8.406295] kthread+0x10a/0x120\n[ 8.418428] ? set_kthread_struct+0x50/0x50\n[ 8.431532] ret_from_fork+0x1f/0x40\n[ 8.444137] ---[ end trace 1bf0173d39354506 ]---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26742", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26742" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2" + }, + { + "url": "https://git.kernel.org/stable/c/b6d46f306b3964d05055ddaa96b58cd8bd3a472c" + }, + { + "url": "https://git.kernel.org/stable/c/309ef7de5d840e17607e7d65cbf297c0564433ef" + }, + { + "url": "https://git.kernel.org/stable/c/a71302c8638939c45e4ba5a99ea438185fd3f418" + }, + { + "url": "https://git.kernel.org/stable/c/5b10a88f64c0315cfdef45de0aaaa4eef57de0b7" + }, + { + "url": "https://git.kernel.org/stable/c/c7441c77c91e47f653104be8353b44a3366a5366" + }, + { + "url": "https://git.kernel.org/stable/c/4d29a58d96a78728cb01ee29ed70dc4bd642f135" + }, + { + "url": "https://git.kernel.org/stable/c/bcb7164258d0a9a8aa2e73ddccc2d78f67d2519d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26820" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2(6.8-rc4)" + } + ], + "bom-ref": "vuln-334", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26820" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed\n\nIf hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER\nhandler cannot perform VF register successfully as the register call\nis received before netvsc_probe is finished. This is because we\nregister register_netdevice_notifier() very early( even before\nvmbus_driver_register()).\nTo fix this, we try to register each such matching VF( if it is visible\nas a netdevice) at the end of netvsc_probe.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26820", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26820" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/92309bed3c5fbe2ccd4c45056efd42edbd06162d" + }, + { + "url": "https://git.kernel.org/stable/c/6794090c742008c53b344b35b021d4a3093dc50a" + }, + { + "url": "https://git.kernel.org/stable/c/bcd46782e2ec3825d10c1552fcb674d491cc09f9" + }, + { + "url": "https://git.kernel.org/stable/c/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b" + }, + { + "url": "https://git.kernel.org/stable/c/d275de8ea7be3a453629fddae41d4156762e814c" + }, + { + "url": "https://git.kernel.org/stable/c/cfb786b03b03c5ff38882bee38525eb9987e4d14" + }, + { + "url": "https://git.kernel.org/stable/c/d49fac38479bfdaec52b3ea274d290c47a294029" + }, + { + "url": "https://git.kernel.org/stable/c/cbaac2e5488ed54833897264a5ffb2a341a9f196" + }, + { + "url": "https://git.kernel.org/linus/62fc3357e079a07a22465b9b6ef71bb6ea75ee4b(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35902" + } + ], + "bom-ref": "vuln-335", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35902" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix possible cp null dereference\n\ncp might be null, calling cp->cp_conn would produce null dereference\n\n[Simon Horman adds:]\n\nAnalysis:\n\n* cp is a parameter of __rds_rdma_map and is not reassigned.\n\n* The following call-sites pass a NULL cp argument to __rds_rdma_map()\n\n - rds_get_mr()\n - rds_get_mr_for_dest\n\n* Prior to the code above, the following assumes that cp may be NULL\n (which is indicative, but could itself be unnecessary)\n\n\ttrans_private = rs->rs_transport->get_mr(\n\t\tsg, nents, rs, &mr->r_key, cp ? cp->cp_conn : NULL,\n\t\targs->vec.addr, args->vec.bytes,\n\t\tneed_odp ? ODP_ZEROBASED : ODP_NOT_NEEDED);\n\n* The code modified by this patch is guarded by IS_ERR(trans_private),\n where trans_private is assigned as per the previous point in this analysis.\n\n The only implementation of get_mr that I could locate is rds_ib_get_mr()\n which can return an ERR_PTR if the conn (4th) argument is NULL.\n\n* ret is set to PTR_ERR(trans_private).\n rds_ib_get_mr can return ERR_PTR(-ENODEV) if the conn (4th) argument is NULL.\n Thus ret may be -ENODEV in which case the code in question will execute.\n\nConclusion:\n* cp may be NULL at the point where this patch adds a check;\n this patch does seem to address a possible bug", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35902", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35902" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/675daf435e9f8e5a5eab140a9864dfad6668b375" + }, + { + "url": "https://git.kernel.org/stable/c/62d4e43a569b67929eb3319780be5359694c8086" + }, + { + "url": "https://git.kernel.org/stable/c/cc5838f19d39a5fef04c468199699d2a4578be3a" + }, + { + "url": "https://git.kernel.org/stable/c/0f8d8f9c2173a541812dd750529f4a415117eb29" + }, + { + "url": "https://git.kernel.org/stable/c/07afdfd8a68f9eea8db0ddc4626c874f29d2ac5e" + }, + { + "url": "https://git.kernel.org/stable/c/d6bedd6acc0bcb1e7e010bc046032e47f08d379f" + }, + { + "url": "https://git.kernel.org/stable/c/7932db06c82c5b2f42a4d1a849d97dba9ce4a362" + }, + { + "url": "https://git.kernel.org/stable/c/09452c8fcbd7817c06e8e3212d99b45917e603a5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26813" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-336", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26813" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: Create persistent IRQ handlers\n\nThe vfio-platform SET_IRQS ioctl currently allows loopback triggering of\nan interrupt before a signaling eventfd has been configured by the user,\nwhich thereby allows a NULL pointer dereference.\n\nRather than register the IRQ relative to a valid trigger, register all\nIRQs in a disabled state in the device open path. This allows mask\noperations on the IRQ to nest within the overall enable state governed\nby a valid eventfd signal. This decouples @masked, protected by the\n@locked spinlock from @trigger, protected via the @igate mutex.\n\nIn doing so, it's guaranteed that changes to @trigger cannot race the\nIRQ handlers because the IRQ handler is synchronously disabled before\nmodifying the trigger, and loopback triggering of the IRQ via ioctl is\nsafe due to serialization with trigger changes via igate.\n\nFor compatibility, request_irq() failures are maintained to be local to\nthe SET_IRQS ioctl rather than a fatal error in the open device path.\nThis allows, for example, a userspace driver with polling mode support\nto continue to work regardless of moving the request_irq() call site.\nThis necessarily blocks all SET_IRQS access to the failed index.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26813", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26813" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b3fd51f684a0711504f82de510da109ae639722d" + }, + { + "url": "https://git.kernel.org/stable/c/c6f3fa7f5a748bf6e5c4eb742686d6952f854e76" + }, + { + "url": "https://git.kernel.org/stable/c/b822644fd90992ee362c5e0c8d2556efc8856c76" + }, + { + "url": "https://git.kernel.org/stable/c/8ca3f7a7b61393804c46f170743c3b839df13977" + }, + { + "url": "https://git.kernel.org/stable/c/413a01886c3958d4b8aac23a3bff3d430b92093e" + }, + { + "url": "https://git.kernel.org/stable/c/617e98ba4c50f4547c9eb0946b1cfc26937d70d1" + }, + { + "url": "https://git.kernel.org/stable/c/0ae8ff7b6d42e33943af462910bdcfa2ec0cb8cf" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35853" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8ca3f7a7b61393804c46f170743c3b839df13977(6.9-rc6)" + } + ], + "bom-ref": "vuln-337", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35853" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during rehash\n\nThe rehash delayed work migrates filters from one region to another.\nThis is done by iterating over all chunks (all the filters with the same\npriority) in the region and in each chunk iterating over all the\nfilters.\n\nIf the migration fails, the code tries to migrate the filters back to\nthe old region. However, the rollback itself can also fail in which case\nanother migration will be erroneously performed. Besides the fact that\nthis ping pong is not a very good idea, it also creates a problem.\n\nEach virtual chunk references two chunks: The currently used one\n('vchunk->chunk') and a backup ('vchunk->chunk2'). During migration the\nfirst holds the chunk we want to migrate filters to and the second holds\nthe chunk we are migrating filters from.\n\nThe code currently assumes - but does not verify - that the backup chunk\ndoes not exist (NULL) if the currently used chunk does not reference the\ntarget region. This assumption breaks when we are trying to rollback a\nrollback, resulting in the backup chunk being overwritten and leaked\n[1].\n\nFix by not rolling back a failed rollback and add a warning to avoid\nfuture cases.\n\n[1]\nWARNING: CPU: 5 PID: 1063 at lib/parman.c:291 parman_destroy+0x17/0x20\nModules linked in:\nCPU: 5 PID: 1063 Comm: kworker/5:11 Tainted: G W 6.9.0-rc2-custom-00784-gc6a05c468a0b #14\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:parman_destroy+0x17/0x20\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_region_fini+0x19/0x60\n mlxsw_sp_acl_tcam_region_destroy+0x49/0xf0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x1f1/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35853", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35853" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5cd466673b34bac369334f66cbe14bb77b7d7827" + }, + { + "url": "https://git.kernel.org/stable/c/9af1658ba293458ca6a13f70637b9654fa4be064" + }, + { + "url": "https://git.kernel.org/stable/c/6d88b289fb0a8d055cb79d1c46a56aba7809d96d" + }, + { + "url": "https://git.kernel.org/stable/c/22cad1b841a63635a38273b799b4791f202ade72" + }, + { + "url": "https://git.kernel.org/stable/c/c8a24fd281dcdf3c926413dafbafcf35cde517a9" + }, + { + "url": "https://git.kernel.org/stable/c/6d5dc96b154be371df0d62ecb07efe400701ed8a" + }, + { + "url": "https://git.kernel.org/stable/c/7e2c1b0f6dd9abde9e60f0f9730026714468770f" + }, + { + "url": "https://git.kernel.org/stable/c/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7" + }, + { + "url": "https://git.kernel.org/stable/c/629af0d5fe94a35f498ba2c3f19bd78bfa591be6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27436" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a39d51ff1f52cd0b6fe7d379ac93bd8b4237d1b7(6.9-rc1)" + } + ], + "bom-ref": "vuln-338", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27436" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Stop parsing channels bits when all channels are found.\n\nIf a usb audio device sets more bits than the amount of channels\nit could write outside of the map array.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27436", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27436" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-339", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-416" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-416", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13eca403876bbea3716e82cdfe6f1e6febb38754" + }, + { + "url": "https://git.kernel.org/stable/c/cd1bbca03f3c1d845ce274c0d0a66de8e5929f72" + }, + { + "url": "https://git.kernel.org/stable/c/8590541473188741055d27b955db0777569438e3" + }, + { + "url": "https://git.kernel.org/stable/c/ab6397f072e5097f267abf5cb08a8004e6b17694" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-043.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8590541473188741055d27b955db0777569438e3(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26584" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-057.html" + } + ], + "bom-ref": "vuln-340", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26584" + } + } + ], + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: handle backlogging of crypto requests\n\nSince we're setting the CRYPTO_TFM_REQ_MAY_BACKLOG flag on our\nrequests to the crypto API, crypto_aead_{encrypt,decrypt} can return\n -EBUSY instead of -EINPROGRESS in valid situations. For example, when\nthe cryptd queue for AESNI is full (easy to trigger with an\nartificially low cryptd.cryptd_max_cpu_qlen), requests will be enqueued\nto the backlog but still processed. In that case, the async callback\nwill also be called twice: first with err == -EINPROGRESS, which it\nseems we can just ignore, then with err == 0.\n\nCompared to Sabrina's original patch this version uses the new\ntls_*crypt_async_wait() helpers and converts the EBUSY to\nEINPROGRESS to avoid having to modify all the error handling\npaths. The handling is identical.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26584", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26584" + }, + "cwes": [ + 755 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T19:35:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d951cf510fb0df91d3abac0121a59ebbc63c0567" + }, + { + "url": "https://git.kernel.org/stable/c/74b84d0d71180330efe67c82f973a87f828323e5" + }, + { + "url": "https://git.kernel.org/stable/c/9127599c075caff234359950117018a010dd01db" + }, + { + "url": "https://git.kernel.org/stable/c/f661017e6d326ee187db24194cabb013d81bc2a6" + }, + { + "url": "https://git.kernel.org/stable/c/b25b64a241d769e932a022e5c780cf135ef56035" + }, + { + "url": "https://git.kernel.org/stable/c/e72160cb6e23b78b41999d6885a34ce8db536095" + }, + { + "url": "https://git.kernel.org/stable/c/e6e3e51ffba0784782b1a076d7441605697ea3c6" + }, + { + "url": "https://git.kernel.org/linus/f661017e6d326ee187db24194cabb013d81bc2a6(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27051" + } + ], + "bom-ref": "vuln-341", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27051" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value\n\ncpufreq_cpu_get may return NULL. To avoid NULL-dereference check it\nand return 0 in case of error.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27051", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27051" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c8dc26e31b8b410ad1895e0d314def50c76eed0" + }, + { + "url": "https://git.kernel.org/stable/c/f3f407ccbe84a34de9be3195d22cdd5969f3fd9f" + }, + { + "url": "https://git.kernel.org/stable/c/45c8034db47842b25a3ab6139d71e13b4e67b9b3" + }, + { + "url": "https://git.kernel.org/stable/c/845322a9c06dd1dcf35b6c4e3af89684297c23cc" + }, + { + "url": "https://git.kernel.org/stable/c/2388c36e028fff7f8ffd515681a14c6c2c07fea7" + }, + { + "url": "https://git.kernel.org/stable/c/fa74e4f5d0821829545b9f7034a0e577c205c101" + }, + { + "url": "https://git.kernel.org/linus/45c8034db47842b25a3ab6139d71e13b4e67b9b3(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52661" + } + ], + "bom-ref": "vuln-342", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52661" + } + } + ], + "created": "2024-05-17T14:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()\n\nIf clk_get_sys(..., \"pll_d2_out0\") fails, the clk_get_sys() call must be\nundone.\n\nAdd the missing clk_put and a new 'put_pll_d_out0' label in the error\nhandling path, and use it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52661", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52661" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/af1689a9b7701d9907dfc84d2a4b57c4bc907144" + }, + { + "url": "https://git.kernel.org/stable/c/1ae3c59355dc9882e09c020afe8ffbd895ad0f29" + }, + { + "url": "https://git.kernel.org/stable/c/890bc4fac3c0973a49cac35f634579bebba7fe48" + }, + { + "url": "https://git.kernel.org/stable/c/17a0f64cc02d4972e21c733d9f21d1c512963afa" + }, + { + "url": "https://git.kernel.org/stable/c/13fb0fc4917621f3dfa285a27eaf7151d770b5e5" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-052.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-040.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://git.kernel.org/linus/af1689a9b7701d9907dfc84d2a4b57c4bc907144(6.7-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52434" + } + ], + "bom-ref": "vuln-343", + "ratings": [ + { + "severity": "high", + "score": 8.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52434" + } + } + ], + "created": "2024-02-20T18:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential OOBs in smb2_parse_contexts()\n\nValidate offsets and lengths before dereferencing create contexts in\nsmb2_parse_contexts().\n\nThis fixes following oops when accessing invalid create contexts from\nserver:\n\n BUG: unable to handle page fault for address: ffff8881178d8cc3\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 4a01067 P4D 4a01067 PUD 0\n Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 PID: 1736 Comm: mount.cifs Not tainted 6.7.0-rc4 #1\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS\n rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:smb2_parse_contexts+0xa0/0x3a0 [cifs]\n Code: f8 10 75 13 48 b8 93 ad 25 50 9c b4 11 e7 49 39 06 0f 84 d2 00\n 00 00 8b 45 00 85 c0 74 61 41 29 c5 48 01 c5 41 83 fd 0f 76 55 <0f> b7\n 7d 04 0f b7 45 06 4c 8d 74 3d 00 66 83 f8 04 75 bc ba 04 00\n RSP: 0018:ffffc900007939e0 EFLAGS: 00010216\n RAX: ffffc90000793c78 RBX: ffff8880180cc000 RCX: ffffc90000793c90\n RDX: ffffc90000793cc0 RSI: ffff8880178d8cc0 RDI: ffff8880180cc000\n RBP: ffff8881178d8cbf R08: ffffc90000793c22 R09: 0000000000000000\n R10: ffff8880180cc000 R11: 0000000000000024 R12: 0000000000000000\n R13: 0000000000000020 R14: 0000000000000000 R15: ffffc90000793c22\n FS: 00007f873753cbc0(0000) GS:ffff88806bc00000(0000)\n knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: ffff8881178d8cc3 CR3: 00000000181ca000 CR4: 0000000000750ef0\n PKRU: 55555554\n Call Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x181/0x480\n ? search_module_extables+0x19/0x60\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? exc_page_fault+0x1b6/0x1c0\n ? asm_exc_page_fault+0x26/0x30\n ? smb2_parse_contexts+0xa0/0x3a0 [cifs]\n SMB2_open+0x38d/0x5f0 [cifs]\n ? smb2_is_path_accessible+0x138/0x260 [cifs]\n smb2_is_path_accessible+0x138/0x260 [cifs]\n cifs_is_path_remote+0x8d/0x230 [cifs]\n cifs_mount+0x7e/0x350 [cifs]\n cifs_smb3_do_mount+0x128/0x780 [cifs]\n smb3_get_tree+0xd9/0x290 [cifs]\n vfs_get_tree+0x2c/0x100\n ? capable+0x37/0x70\n path_mount+0x2d7/0xb80\n ? srso_alias_return_thunk+0x5/0xfbef5\n ? _raw_spin_unlock_irqrestore+0x44/0x60\n __x64_sys_mount+0x11a/0x150\n do_syscall_64+0x47/0xf0\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n RIP: 0033:0x7f8737657b1e", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52434", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52434" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-15T14:21:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3ee2424107546d882e1ddd75333ca9c32879908c" + }, + { + "url": "https://git.kernel.org/stable/c/7b6df050c45a1ea158fd50bc32a8e1447dd1e951" + }, + { + "url": "https://git.kernel.org/stable/c/ae6d76e4f06c37a623e357e79d49b17411db6f5c" + }, + { + "url": "https://git.kernel.org/stable/c/801c8b8ec5bfb3519566dff16a5ecd48302fca82" + }, + { + "url": "https://git.kernel.org/stable/c/3127b2ee50c424a96eb3559fbb7b43cf0b111c7a" + }, + { + "url": "https://git.kernel.org/stable/c/8917e7385346bd6584890ed362985c219fe6ae84" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35879" + }, + { + "url": "https://git.kernel.org/linus/8917e7385346bd6584890ed362985c219fe6ae84(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-344", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35879" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: dynamic: Synchronize of_changeset_destroy() with the devlink removals\n\nIn the following sequence:\n 1) of_platform_depopulate()\n 2) of_overlay_remove()\n\nDuring the step 1, devices are destroyed and devlinks are removed.\nDuring the step 2, OF nodes are destroyed but\n__of_changeset_entry_destroy() can raise warnings related to missing\nof_node_put():\n ERROR: memory leak, expected refcount 1 instead of 2 ...\n\nIndeed, during the devlink removals performed at step 1, the removal\nitself releasing the device (and the attached of_node) is done by a job\nqueued in a workqueue and so, it is done asynchronously with respect to\nfunction calls.\nWhen the warning is present, of_node_put() will be called but wrongly\ntoo late from the workqueue job.\n\nIn order to be sure that any ongoing devlink removals are done before\nthe of_node destruction, synchronize the of_changeset_destroy() with the\ndevlink removals.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35879", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35879" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2384833" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" + } + ], + "bom-ref": "vuln-345", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "affects": [ + { + "ref": "comp-303" + } + ], + "id": "CVE-2024-2004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T17:15:32Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b4fbb89d722cbb16beaaea234b7230faaaf68c71" + }, + { + "url": "https://git.kernel.org/stable/c/559ddacb90da1d8786dd8ec4fd76bbfa404eaef6" + }, + { + "url": "https://git.kernel.org/stable/c/d033a555d9a1cf53dbf3301af7199cc4a4c8f537" + }, + { + "url": "https://git.kernel.org/stable/c/afba9d11320dad5ce222ac8964caf64b7b4bedb1" + }, + { + "url": "https://git.kernel.org/stable/c/2883940b19c38d5884c8626483811acf4d7e148f" + }, + { + "url": "https://git.kernel.org/stable/c/afbcad9ae7d6d11608399188f03a837451b6b3a1" + }, + { + "url": "https://git.kernel.org/stable/c/185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1" + }, + { + "url": "https://git.kernel.org/stable/c/55583e899a5357308274601364741a83e78d6ac4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26704" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/55583e899a5357308274601364741a83e78d6ac4(6.8-rc3)" + } + ], + "bom-ref": "vuln-346", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26704" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double-free of blocks due to wrong extents moved_len\n\nIn ext4_move_extents(), moved_len is only updated when all moves are\nsuccessfully executed, and only discards orig_inode and donor_inode\npreallocations when moved_len is not zero. When the loop fails to exit\nafter successfully moving some extents, moved_len is not updated and\nremains at 0, so it does not discard the preallocations.\n\nIf the moved extents overlap with the preallocated extents, the\noverlapped extents are freed twice in ext4_mb_release_inode_pa() and\next4_process_freed_data() (as described in commit 94d7c16cbbbd (\"ext4:\nFix double-free of blocks with EXT4_IOC_MOVE_EXT\")), and bb_free is\nincremented twice. Hence when trim is executed, a zero-division bug is\ntriggered in mb_update_avg_fragment_size() because bb_free is not zero\nand bb_fragments is zero.\n\nTherefore, update move_len after each extent move to avoid the issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26704", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26704" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:58:29Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=68a24aba7c593eafa8fd00f2f76407b9b32b47a9" + }, + { + "url": "https://lore.kernel.org/all/20240124063702.5642-1-richard@nod.at/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/linux-mtd/1433EB7A-FC89-47D6-8F47-23BE41B263B3@illinois.edu/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25739" + } + ], + "bom-ref": "vuln-347", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25739" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-25739", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-25T01:15:55Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ff91059932401894e6c86341915615c5eb0eca48" + }, + { + "url": "https://git.kernel.org/stable/c/6af057ccdd8e7619960aca1f0428339f213b31cd" + }, + { + "url": "https://git.kernel.org/stable/c/dd54b48db0c822ae7b520bc80751f0a0a173ef75" + }, + { + "url": "https://git.kernel.org/stable/c/d1e73fb19a4c872d7a399ad3c66e8ca30e0875ec" + }, + { + "url": "https://git.kernel.org/stable/c/668b3074aa14829e2ac2759799537a93b60fef86" + }, + { + "url": "https://git.kernel.org/stable/c/f7990498b05ac41f7d6a190dc0418ef1d21bf058" + }, + { + "url": "https://git.kernel.org/stable/c/a44770fed86515eedb5a7c00b787f847ebb134a5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35895" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/ff91059932401894e6c86341915615c5eb0eca48(6.9-rc3)" + } + ], + "bom-ref": "vuln-348", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35895" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Prevent lock inversion deadlock in map delete elem\n\nsyzkaller started using corpuses where a BPF tracing program deletes\nelements from a sockmap/sockhash map. Because BPF tracing programs can be\ninvoked from any interrupt context, locks taken during a map_delete_elem\noperation must be hardirq-safe. Otherwise a deadlock due to lock inversion\nis possible, as reported by lockdep:\n\n CPU0 CPU1\n ---- ----\n lock(&htab->buckets[i].lock);\n local_irq_disable();\n lock(&host->lock);\n lock(&htab->buckets[i].lock);\n \n lock(&host->lock);\n\nLocks in sockmap are hardirq-unsafe by design. We expects elements to be\ndeleted from sockmap/sockhash only in task (normal) context with interrupts\nenabled, or in softirq context.\n\nDetect when map_delete_elem operation is invoked from a context which is\n_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an\nerror.\n\nNote that map updates are not affected by this issue. BPF verifier does not\nallow updating sockmap/sockhash from a BPF tracing program today.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35895", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35895" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4c089cefe30924fbe20dd1ee92774ea1f5eca834" + }, + { + "url": "https://git.kernel.org/stable/c/0e09cf81959d9f12b75ad5c6dd53d237432ed034" + }, + { + "url": "https://git.kernel.org/stable/c/b18fa894d615c8527e15d96b76c7448800e13899" + }, + { + "url": "https://git.kernel.org/stable/c/4cb0d7532126d23145329826c38054b4e9a05e7c" + }, + { + "url": "https://git.kernel.org/stable/c/18c198c96a815c962adc2b9b77909eec0be7df4d" + }, + { + "url": "https://git.kernel.org/stable/c/7d29d4c72c1e196cce6969c98072a272d1a703b3" + }, + { + "url": "https://git.kernel.org/stable/c/69276a555c740acfbff13fb5769ee9c92e1c828e" + }, + { + "url": "https://git.kernel.org/stable/c/27d40bf72dd9a6600b76ad05859176ea9a1b4897" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26812" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-349", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26812" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Create persistent INTx handler\n\nA vulnerability exists where the eventfd for INTx signaling can be\ndeconfigured, which unregisters the IRQ handler but still allows\neventfds to be signaled with a NULL context through the SET_IRQS ioctl\nor through unmask irqfd if the device interrupt is pending.\n\nIdeally this could be solved with some additional locking; the igate\nmutex serializes the ioctl and config space accesses, and the interrupt\nhandler is unregistered relative to the trigger, but the irqfd path\nruns asynchronous to those. The igate mutex cannot be acquired from the\natomic context of the eventfd wake function. Disabling the irqfd\nrelative to the eventfd registration is potentially incompatible with\nexisting userspace.\n\nAs a result, the solution implemented here moves configuration of the\nINTx interrupt handler to track the lifetime of the INTx context object\nand irq_type configuration, rather than registration of a particular\ntrigger eventfd. Synchronization is added between the ioctl path and\neventfd_signal() wrapper such that the eventfd trigger can be\ndynamically updated relative to in-flight interrupts or irqfd callbacks.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26812", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26812" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb4f56f3ff5799ca754ae6d811803a63fe25a4a2" + }, + { + "url": "https://git.kernel.org/stable/c/7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52" + }, + { + "url": "https://git.kernel.org/stable/c/79592a6e7bdc1d05460c95f891f5e5263a107af8" + }, + { + "url": "https://git.kernel.org/stable/c/fb8bfc6ea3cd8c5ac3d35711d064e2f6646aec17" + }, + { + "url": "https://git.kernel.org/linus/7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26667" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-350", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26667" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup\n\nThe commit 8b45a26f2ba9 (\"drm/msm/dpu: reserve cdm blocks for writeback\nin case of YUV output\") introduced a smatch warning about another\nconditional block in dpu_encoder_helper_phys_cleanup() which had assumed\nhw_pp will always be valid which may not necessarily be true.\n\nLets fix the other conditional block by making sure hw_pp is valid\nbefore dereferencing it.\n\nPatchwork: https://patchwork.freedesktop.org/patch/574878/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26667", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26667" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ce8bc22e948634a5c0a3fa58a179177d0e3f3950" + }, + { + "url": "https://git.kernel.org/stable/c/fa5492ee89463a7590a1449358002ff7ef63529f" + }, + { + "url": "https://git.kernel.org/stable/c/1c40ca3d39d769931b28295b3145c25f1decf5a6" + }, + { + "url": "https://git.kernel.org/stable/c/cab0c265ba182fd266c2aa3c69d7e40640a7f612" + }, + { + "url": "https://git.kernel.org/stable/c/1b9d6828589d57f94a23fb1c46112cda39d7efdb" + }, + { + "url": "https://git.kernel.org/stable/c/7110650b85dd2f1cee819acd1345a9013a1a62f7" + }, + { + "url": "https://git.kernel.org/stable/c/6c6a96c3d74df185ee344977d46944d6f33bb4dd" + }, + { + "url": "https://git.kernel.org/stable/c/bff9d4078a232c01e42e9377d005fb2f4d31a472" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52602" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/fa5492ee89463a7590a1449358002ff7ef63529f(6.8-rc1)" + } + ], + "bom-ref": "vuln-351", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52602" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix slab-out-of-bounds Read in dtSearch\n\nCurrently while searching for current page in the sorted entry table\nof the page there is a out of bound access. Added a bound check to fix\nthe error.\n\nDave:\nSet return code to -EIO", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52602" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/beaf11969fd5cbe6f09cefaa34df1ce8578e8dd9" + }, + { + "url": "https://git.kernel.org/stable/c/fb5b347efd1bda989846ffc74679d181222fb123" + }, + { + "url": "https://git.kernel.org/stable/c/f3a1787dc48213f6caea5ba7d47e0222e7fa34a9" + }, + { + "url": "https://git.kernel.org/stable/c/6cf350658736681b9d6b0b6e58c5c76b235bb4c4" + }, + { + "url": "https://git.kernel.org/stable/c/9fd0198f7ef06ae0d6636fb0578560857dead995" + }, + { + "url": "https://git.kernel.org/stable/c/6d32c832a88513f65c2c2c9c75954ee8b387adea" + }, + { + "url": "https://git.kernel.org/stable/c/4c1021ce46fc2fb6115f7e79d353941e6dcad366" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26900" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/6cf350658736681b9d6b0b6e58c5c76b235bb4c4(6.9-rc1)" + } + ], + "bom-ref": "vuln-352", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26900" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix kmemleak of rdev->serial\n\nIf kobject_add() is fail in bind_rdev_to_array(), 'rdev->serial' will be\nalloc not be freed, and kmemleak occurs.\n\nunreferenced object 0xffff88815a350000 (size 49152):\n comm \"mdadm\", pid 789, jiffies 4294716910\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc f773277a):\n [<0000000058b0a453>] kmemleak_alloc+0x61/0xe0\n [<00000000366adf14>] __kmalloc_large_node+0x15e/0x270\n [<000000002e82961b>] __kmalloc_node.cold+0x11/0x7f\n [<00000000f206d60a>] kvmalloc_node+0x74/0x150\n [<0000000034bf3363>] rdev_init_serial+0x67/0x170\n [<0000000010e08fe9>] mddev_create_serial_pool+0x62/0x220\n [<00000000c3837bf0>] bind_rdev_to_array+0x2af/0x630\n [<0000000073c28560>] md_add_new_disk+0x400/0x9f0\n [<00000000770e30ff>] md_ioctl+0x15bf/0x1c10\n [<000000006cfab718>] blkdev_ioctl+0x191/0x3f0\n [<0000000085086a11>] vfs_ioctl+0x22/0x60\n [<0000000018b656fe>] __x64_sys_ioctl+0xba/0xe0\n [<00000000e54e675e>] do_syscall_64+0x71/0x150\n [<000000008b0ad622>] entry_SYSCALL_64_after_hwframe+0x6c/0x74", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26900", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26900" + }, + "cwes": [ + 401 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c3116e62ddeff79cae342147753ce596f01fcf06" + }, + { + "url": "https://git.kernel.org/stable/c/fa18aa507ea71d8914b6acb2c94db311c757c650" + }, + { + "url": "https://git.kernel.org/stable/c/ec09bcab32fc4765e0cc97e1b72cdd067135f37e" + }, + { + "url": "https://git.kernel.org/stable/c/ad999aa18103fa038787b6a8a55020abcf34df1a" + }, + { + "url": "https://git.kernel.org/stable/c/edbdb0d94143db46edd373cc93e433832d29fe19" + }, + { + "url": "https://git.kernel.org/stable/c/ebc5a3bd79e54f98c885c26f0862a27a02c487c5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27054" + }, + { + "url": "https://git.kernel.org/linus/c3116e62ddeff79cae342147753ce596f01fcf06(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-353", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27054" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/dasd: fix double module refcount decrement\n\nOnce the discipline is associated with the device, deleting the device\ntakes care of decrementing the module's refcount. Doing it manually on\nthis error path causes refcount to artificially decrease on each error\nwhile it should just stay the same.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27054", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27054" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef90508574d7af48420bdc5f7b9a4f1cdd26bc70" + }, + { + "url": "https://git.kernel.org/stable/c/1e560864159d002b453da42bd2c13a1805515a20" + }, + { + "url": "https://git.kernel.org/stable/c/0f7908a016c092cfdaa16d785fa5099d867bc1a3" + }, + { + "url": "https://git.kernel.org/stable/c/b0f4478838be1f1d330061201898fef65bf8fd7c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26605" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1e560864159d002b453da42bd2c13a1805515a20(6.8-rc3)" + } + ], + "bom-ref": "vuln-354", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26605" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/ASPM: Fix deadlock when enabling ASPM\n\nA last minute revert in 6.7-final introduced a potential deadlock when\nenabling ASPM during probe of Qualcomm PCIe controllers as reported by\nlockdep:\n\n ============================================\n WARNING: possible recursive locking detected\n 6.7.0 #40 Not tainted\n --------------------------------------------\n kworker/u16:5/90 is trying to acquire lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pcie_aspm_pm_state_change+0x58/0xdc\n\n but task is already holding lock:\n ffffacfa78ced000 (pci_bus_sem){++++}-{3:3}, at: pci_walk_bus+0x34/0xbc\n\n other info that might help us debug this:\n Possible unsafe locking scenario:\n\n CPU0\n ----\n lock(pci_bus_sem);\n lock(pci_bus_sem);\n\n *** DEADLOCK ***\n\n Call trace:\n print_deadlock_bug+0x25c/0x348\n __lock_acquire+0x10a4/0x2064\n lock_acquire+0x1e8/0x318\n down_read+0x60/0x184\n pcie_aspm_pm_state_change+0x58/0xdc\n pci_set_full_power_state+0xa8/0x114\n pci_set_power_state+0xc4/0x120\n qcom_pcie_enable_aspm+0x1c/0x3c [pcie_qcom]\n pci_walk_bus+0x64/0xbc\n qcom_pcie_host_post_init_2_7_0+0x28/0x34 [pcie_qcom]\n\nThe deadlock can easily be reproduced on machines like the Lenovo ThinkPad\nX13s by adding a delay to increase the race window during asynchronous\nprobe where another thread can take a write lock.\n\nAdd a new pci_set_power_state_locked() and associated helper functions that\ncan be called with the PCI bus semaphore held to avoid taking the read lock\ntwice.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26605", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26605" + }, + "cwes": [ + 667 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-28T12:15:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2227726" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4010" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4010" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-355", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4010" + } + }, + { + "severity": "medium", + "score": 4.6, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + } + } + ], + "created": "2023-07-31T17:15:10Z", + "description": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-4010", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + }, + "cwes": [ + 835 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T04:22:02Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1ede7f1d7eed1738d1b9333fd1e152ccb450b86a" + }, + { + "url": "https://git.kernel.org/stable/c/3ce4c4c653e4e478ecb15d3c88e690f12cbf6b39" + }, + { + "url": "https://git.kernel.org/stable/c/2da5568ee222ce0541bfe446a07998f92ed1643e" + }, + { + "url": "https://git.kernel.org/stable/c/d85c11c97ecf92d47a4b29e3faca714dc1f18d0d" + }, + { + "url": "https://git.kernel.org/stable/c/82b1c07a0af603e3c47b906c8e991dc96f01688e" + }, + { + "url": "https://git.kernel.org/stable/c/363d17e7f7907c8e27a9e86968af0eaa2301787b" + }, + { + "url": "https://git.kernel.org/stable/c/0f98f6d2fb5fad00f8299b84b85b6bc1b6d7d19a" + }, + { + "url": "https://git.kernel.org/linus/82b1c07a0af603e3c47b906c8e991dc96f01688e(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26960" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-356", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26960" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: swap: fix race between free_swap_and_cache() and swapoff()\n\nThere was previously a theoretical window where swapoff() could run and\nteardown a swap_info_struct while a call to free_swap_and_cache() was\nrunning in another thread. This could cause, amongst other bad\npossibilities, swap_page_trans_huge_swapped() (called by\nfree_swap_and_cache()) to access the freed memory for swap_map.\n\nThis is a theoretical problem and I haven't been able to provoke it from a\ntest case. But there has been agreement based on code review that this is\npossible (see link below).\n\nFix it by using get_swap_device()/put_swap_device(), which will stall\nswapoff(). There was an extra check in _swap_info_get() to confirm that\nthe swap entry was not free. This isn't present in get_swap_device()\nbecause it doesn't make sense in general due to the race between getting\nthe reference and swapoff. So I've added an equivalent check directly in\nfree_swap_and_cache().\n\nDetails of how to provoke one possible issue (thanks to David Hildenbrand\nfor deriving this):\n\n--8<-----\n\n__swap_entry_free() might be the last user and result in\n\"count == SWAP_HAS_CACHE\".\n\nswapoff->try_to_unuse() will stop as soon as soon as si->inuse_pages==0.\n\nSo the question is: could someone reclaim the folio and turn\nsi->inuse_pages==0, before we completed swap_page_trans_huge_swapped().\n\nImagine the following: 2 MiB folio in the swapcache. Only 2 subpages are\nstill references by swap entries.\n\nProcess 1 still references subpage 0 via swap entry.\nProcess 2 still references subpage 1 via swap entry.\n\nProcess 1 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n[then, preempted in the hypervisor etc.]\n\nProcess 2 quits. Calls free_swap_and_cache().\n-> count == SWAP_HAS_CACHE\n\nProcess 2 goes ahead, passes swap_page_trans_huge_swapped(), and calls\n__try_to_reclaim_swap().\n\n__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->\nput_swap_folio()->free_swap_slot()->swapcache_free_entries()->\nswap_entry_free()->swap_range_free()->\n...\nWRITE_ONCE(si->inuse_pages, si->inuse_pages - nr_entries);\n\nWhat stops swapoff to succeed after process 2 reclaimed the swap cache\nbut before process1 finished its call to swap_page_trans_huge_swapped()?\n\n--8<-----", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26960", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26960" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7b6fba6918714afee3e17796113ccab636255c7b" + }, + { + "url": "https://git.kernel.org/stable/c/e95bb4cba94c018be24b11f017d1c55dd6cda31a" + }, + { + "url": "https://git.kernel.org/stable/c/994209ddf4f430946f6247616b2e33d179243769" + }, + { + "url": "https://git.kernel.org/stable/c/41bad13c0e8a5a2b47a7472cced922555372daab" + }, + { + "url": "https://git.kernel.org/stable/c/8ba81dca416adf82fc5a2a23abc1a8cc02ad32fb" + }, + { + "url": "https://git.kernel.org/stable/c/745cf6a843896cdac8766c74379300ed73c78830" + }, + { + "url": "https://git.kernel.org/stable/c/420132bee3d0136b7fba253a597b098fe15493a7" + }, + { + "url": "https://git.kernel.org/linus/994209ddf4f430946f6247616b2e33d179243769(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35900" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-357", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35900" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject new basechain after table flag update\n\nWhen dormant flag is toggled, hooks are disabled in the commit phase by\niterating over current chains in table (existing and new).\n\nThe following configuration allows for an inconsistent state:\n\n add table x\n add chain x y { type filter hook input priority 0; }\n add table x { flags dormant; }\n add chain x w { type filter hook input priority 1; }\n\nwhich triggers the following warning when trying to unregister chain w\nwhich is already unregistered.\n\n[ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[ 127.322519] Call Trace:\n[ 127.322521] \n[ 127.322524] ? __warn+0x9f/0x1a0\n[ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322537] ? report_bug+0x1b1/0x1e0\n[ 127.322545] ? handle_bug+0x3c/0x70\n[ 127.322552] ? exc_invalid_op+0x17/0x40\n[ 127.322556] ? asm_exc_invalid_op+0x1a/0x20\n[ 127.322563] ? kasan_save_free_info+0x3b/0x60\n[ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260\n[ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260\n[ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables]\n[ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables]\n[ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35900", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35900" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fba268ac36ab19f9763ff90d276cde0ce6cd5f31" + }, + { + "url": "https://git.kernel.org/stable/c/c3df637266df29edee85e94cab5fd7041e5753ba" + }, + { + "url": "https://git.kernel.org/stable/c/30a5e812f78e3d1cced90e1ed750bf027599205f" + }, + { + "url": "https://git.kernel.org/stable/c/8e2758cc25891d2b76717aaf89b40ed215de188c" + }, + { + "url": "https://git.kernel.org/stable/c/afec8f772296dd8e5a2a6f83bbf99db1b9ca877f" + }, + { + "url": "https://git.kernel.org/stable/c/79820a7e1e057120c49be07cbe10643d0706b259" + }, + { + "url": "https://git.kernel.org/stable/c/7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865" + }, + { + "url": "https://git.kernel.org/stable/c/df193568d61234c81de7ed4d540c01975de60277" + }, + { + "url": "https://git.kernel.org/linus/7e74aa53a68bf60f6019bd5d9a9a1406ec4d4865(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27416" + } + ], + "bom-ref": "vuln-358", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27416" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST\n\nIf we received HCI_EV_IO_CAPA_REQUEST while\nHCI_OP_READ_REMOTE_EXT_FEATURES is yet to be responded assume the remote\ndoes support SSP since otherwise this event shouldn't be generated.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27416", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27416" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d8eb1238377cd994829f9162ae396a84ae037b2" + }, + { + "url": "https://git.kernel.org/stable/c/c8df9203bf22c66fa26e8d8c7f8ce181cf88099d" + }, + { + "url": "https://git.kernel.org/stable/c/3b1e8a617eb0f4cdc19def530047a95b5abde07d" + }, + { + "url": "https://git.kernel.org/stable/c/0d387dc503f9a53e6d1f6e9dd0292d38f083eba5" + }, + { + "url": "https://git.kernel.org/stable/c/408ba7fd04f959c61b50db79c983484312fea642" + }, + { + "url": "https://git.kernel.org/stable/c/d746889db75a76aeee95fb705b8e1ac28c684a2e" + }, + { + "url": "https://git.kernel.org/stable/c/c9b4e220dd18f79507803f38a55d53b483f6c9c3" + }, + { + "url": "https://git.kernel.org/stable/c/84e95149bd341705f0eca6a7fcb955c548805002" + }, + { + "url": "https://git.kernel.org/stable/c/928705e341010dd910fdece61ccb974f494a758f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27046" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/84e95149bd341705f0eca6a7fcb955c548805002(6.9-rc1)" + } + ], + "bom-ref": "vuln-359", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27046" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfp: flower: handle acti_netdevs allocation failure\n\nThe kmalloc_array() in nfp_fl_lag_do_work() will return null, if\nthe physical memory has run out. As a result, if we dereference\nthe acti_netdevs, the null pointer dereference bugs will happen.\n\nThis patch adds a check to judge whether allocation failure occurs.\nIf it happens, the delayed work will be rescheduled and try again.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27046", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27046" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9eeb8e1231f6450c574c1db979122e171a1813ab" + }, + { + "url": "https://git.kernel.org/stable/c/ced7df8b3c5c4751244cad79011e86cf1f809153" + }, + { + "url": "https://git.kernel.org/stable/c/98f681b0f84cfc3a1d83287b77697679e0398306" + }, + { + "url": "https://git.kernel.org/stable/c/044e220667157fb9d59320341badec59cf45ba48" + }, + { + "url": "https://git.kernel.org/stable/c/d133d67e7e724102d1e53009c4f88afaaf3e167c" + }, + { + "url": "https://git.kernel.org/linus/98f681b0f84cfc3a1d83287b77697679e0398306(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26927" + } + ], + "bom-ref": "vuln-360", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26927" + } + } + ], + "created": "2024-04-28T12:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: Add some bounds checking to firmware data\n\nSmatch complains about \"head->full_size - head->header_size\" can\nunderflow. To some extent, we're always going to have to trust the\nfirmware a bit. However, it's easy enough to add a check for negatives,\nand let's add a upper bounds check as well.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26927", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26927" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T12:42:03Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4526a56e02da3725db979358964df9cd9c567154" + }, + { + "url": "https://git.kernel.org/stable/c/b377add0f0117409c418ddd6504bd682ebe0bf79" + }, + { + "url": "https://git.kernel.org/stable/c/ab4ecfb627338e440ae11def004c524a00d93e40" + }, + { + "url": "https://git.kernel.org/stable/c/09846c2309b150b8ce4e0ce96f058197598fc530" + }, + { + "url": "https://git.kernel.org/stable/c/af8b593c3dd9df82cb199be65863af004b09fd97" + }, + { + "url": "https://git.kernel.org/stable/c/64435b64e43d8ee60faa46c0cd04e323e8b2a7b0" + }, + { + "url": "https://git.kernel.org/stable/c/0b2c13b670b168e324e1cf109e67056a20fd610a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36006" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b377add0f0117409c418ddd6504bd682ebe0bf79(6.9-rc6)" + } + ], + "bom-ref": "vuln-361", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36006" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix incorrect list API usage\n\nBoth the function that migrates all the chunks within a region and the\nfunction that migrates all the entries within a chunk call\nlist_first_entry() on the respective lists without checking that the\nlists are not empty. This is incorrect usage of the API, which leads to\nthe following warning [1].\n\nFix by returning if the lists are empty as there is nothing to migrate\nin this case.\n\n[1]\nWARNING: CPU: 0 PID: 6437 at drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c:1266 mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0>\nModules linked in:\nCPU: 0 PID: 6437 Comm: kworker/0:37 Not tainted 6.9.0-rc3-custom-00883-g94a65f079ef6 #39\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_sp_acl_tcam_vchunk_migrate_all+0x1f1/0x2c0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x4a0\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ret_from_fork_asm+0x1a/0x30\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-36006", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36006" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a11d965a218f0cd95b13fe44d0bcd8a20ce134a8" + }, + { + "url": "https://git.kernel.org/stable/c/4cc198580a7b93a36f5beb923f40f7ae27a3716c" + }, + { + "url": "https://git.kernel.org/stable/c/fdb580ed05df8973aa5149cafa598c64bebcd0cb" + }, + { + "url": "https://git.kernel.org/stable/c/e1f113b57ddd18274d7c83618deca25cc880bc48" + }, + { + "url": "https://git.kernel.org/stable/c/739b3ccd9486dff04af95f9a890846d088a84957" + }, + { + "url": "https://git.kernel.org/stable/c/04cfe4a5da57ab9358cdfadea22bcb37324aaf83" + }, + { + "url": "https://git.kernel.org/stable/c/69e905beca193125820c201ab3db4fb0e245124e" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/a11d965a218f0cd95b13fe44d0bcd8a20ce134a8(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52595" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-362", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52595" + } + } + ], + "created": "2024-03-06T07:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: restart beacon queue when hardware reset\n\nWhen a hardware reset is triggered, all registers are reset, so all\nqueues are forced to stop in hardware interface. However, mac80211\nwill not automatically stop the queue. If we don't manually stop the\nbeacon queue, the queue will be deadlocked and unable to start again.\nThis patch fixes the issue where Apple devices cannot connect to the\nAP after calling ieee80211_restart_hw().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52595", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52595" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2b539c88940e22494da80a93ee1c5a28bbad10f6" + }, + { + "url": "https://git.kernel.org/stable/c/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014" + }, + { + "url": "https://git.kernel.org/stable/c/7d0e8a6147550aa058fa6ade8583ad252aa61304" + }, + { + "url": "https://git.kernel.org/stable/c/4466677dcabe2d70de6aa3d4bd4a4fafa94a71f2" + }, + { + "url": "https://git.kernel.org/stable/c/064db53f9023a2d5877a2d12de6bc27995f6ca56" + }, + { + "url": "https://git.kernel.org/stable/c/81b8645feca08a54c7c4bf36e7b176f4983b2f28" + }, + { + "url": "https://git.kernel.org/stable/c/ad9cc5e9e53ab94aa0c7ac65d43be7eb208dcb55" + }, + { + "url": "https://git.kernel.org/stable/c/b9a7339ae403035ffe7fc37cb034b36947910f68" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35813" + }, + { + "url": "https://git.kernel.org/linus/cf55a7acd1ed38afe43bba1c8a0935b51d1dc014(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-363", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35813" + } + } + ], + "created": "2024-05-17T14:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: core: Avoid negative index with array access\n\nCommit 4d0c8d0aef63 (\"mmc: core: Use mrq.sbc in close-ended ffu\") assigns\nprev_idata = idatas[i - 1], but doesn't check that the iterator i is\ngreater than zero. Let's fix this by adding a check.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35813", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35813" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fe4de493572a4263554903bf9c3afc5c196e15f0" + }, + { + "url": "https://git.kernel.org/stable/c/21ec68234826b1b54ab980a8df6e33c74cfbee58" + }, + { + "url": "https://git.kernel.org/stable/c/f26091a981318b5b7451d61f99bc073a6af8db67" + }, + { + "url": "https://git.kernel.org/stable/c/8844b2f8a3f0c428b74672f9726f9950b1a7764c" + }, + { + "url": "https://git.kernel.org/stable/c/d034810d02a5af8eb74debe29877dcaf5f00fdd1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27032" + }, + { + "url": "https://git.kernel.org/linus/21ec68234826b1b54ab980a8df6e33c74cfbee58(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-364", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27032" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential panic during recovery\n\nDuring recovery, if FAULT_BLOCK is on, it is possible that\nf2fs_reserve_new_block() will return -ENOSPC during recovery,\nthen it may trigger panic.\n\nAlso, if fault injection rate is 1 and only FAULT_BLOCK fault\ntype is on, it may encounter deadloop in loop of block reservation.\n\nLet's change as below to fix these issues:\n- remove bug_on() to avoid panic.\n- limit the loop count of block reservation to avoid potential\ndeadloop.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27032", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27032" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2ea169c5a0b1134d573d07fc27a16f327ad0e7d3" + }, + { + "url": "https://git.kernel.org/stable/c/55a48ad2db64737f7ffc0407634218cc6e4c513b" + }, + { + "url": "https://git.kernel.org/linus/55a48ad2db64737f7ffc0407634218cc6e4c513b(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26757" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-365", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26757" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't ignore read-only array in md_check_recovery()\n\nUsually if the array is not read-write, md_check_recovery() won't\nregister new sync_thread in the first place. And if the array is\nread-write and sync_thread is registered, md_set_readonly() will\nunregister sync_thread before setting the array read-only. md/raid\nfollow this behavior hence there is no problem.\n\nAfter commit f52f5c71f3d4 (\"md: fix stopping sync thread\"), following\nhang can be triggered by test shell/integrity-caching.sh:\n\n1) array is read-only. dm-raid update super block:\nrs_update_sbs\n ro = mddev->ro\n mddev->ro = 0\n -> set array read-write\n md_update_sb\n\n2) register new sync thread concurrently.\n\n3) dm-raid set array back to read-only:\nrs_update_sbs\n mddev->ro = ro\n\n4) stop the array:\nraid_dtr\n md_stop\n stop_sync_thread\n set_bit(MD_RECOVERY_INTR, &mddev->recovery);\n md_wakeup_thread_directly(mddev->sync_thread);\n wait_event(..., !test_bit(MD_RECOVERY_RUNNING, &mddev->recovery))\n\n5) sync thread done:\n md_do_sync\n set_bit(MD_RECOVERY_DONE, &mddev->recovery);\n md_wakeup_thread(mddev->thread);\n\n6) daemon thread can't unregister sync thread:\n md_check_recovery\n if (!md_is_rdwr(mddev) &&\n !test_bit(MD_RECOVERY_NEEDED, &mddev->recovery))\n return;\n -> -> MD_RECOVERY_RUNNING can't be cleared, hence step 4 hang;\n\nThe root cause is that dm-raid manipulate 'mddev->ro' by itself,\nhowever, dm-raid really should stop sync thread before setting the\narray read-only. Unfortunately, I need to read more code before I\ncan refacter the handler of 'mddev->ro' in dm-raid, hence let's fix\nthe problem the easy way for now to prevent dm-raid regression.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26757", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26757" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/097c7918fcfa1dee233acfd1f3029f00c3bc8062" + }, + { + "url": "https://git.kernel.org/stable/c/26212da39ee14a52c76a202c6ae5153a84f579a5" + }, + { + "url": "https://git.kernel.org/stable/c/5fd4b090304e450aa0e7cc9cc2b4873285c6face" + }, + { + "url": "https://git.kernel.org/stable/c/c2b97f26f081ceec3298151481687071075a25cb" + }, + { + "url": "https://git.kernel.org/stable/c/5050ae879a828d752b439e3827aac126709da6d1" + }, + { + "url": "https://git.kernel.org/stable/c/6690cc2732e2a8d0eaca44dcbac032a4b0148042" + }, + { + "url": "https://git.kernel.org/stable/c/cf92bb778eda7830e79452c6917efa8474a30c1e" + }, + { + "url": "https://git.kernel.org/stable/c/df0991da7db846f7fa4ec6740350f743d3b69b04" + }, + { + "url": "https://git.kernel.org/linus/cf92bb778eda7830e79452c6917efa8474a30c1e(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27008" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-366", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27008" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: nv04: Fix out of bounds access\n\nWhen Output Resource (dcb->or) value is assigned in\nfabricate_dcb_output(), there may be out of bounds access to\ndac_users array in case dcb->or is zero because ffs(dcb->or) is\nused as index there.\nThe 'or' argument of fabricate_dcb_output() must be interpreted as a\nnumber of bit to set, not value.\n\nUtilize macros from 'enum nouveau_or' in calls instead of hardcoding.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27008", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27008" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-367", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-371" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1e9fd5cf8d7f487332560f7bb312fc7d416817f3" + }, + { + "url": "https://git.kernel.org/stable/c/f901ee07853ce97e9f1104c7c898fbbe447f0279" + }, + { + "url": "https://git.kernel.org/stable/c/9ceac040506a05a30b104b2aa2e9146810704500" + }, + { + "url": "https://git.kernel.org/stable/c/9905a157048f441f1412e7bd13372f4a971d75c6" + }, + { + "url": "https://git.kernel.org/stable/c/2a750d6a5b365265dbda33330a6188547ddb5c24" + }, + { + "url": "https://git.kernel.org/linus/2a750d6a5b365265dbda33330a6188547ddb5c24(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26865" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-368", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26865" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrds: tcp: Fix use-after-free of net in reqsk_timer_handler().\n\nsyzkaller reported a warning of netns tracker [0] followed by KASAN\nsplat [1] and another ref tracker warning [1].\n\nsyzkaller could not find a repro, but in the log, the only suspicious\nsequence was as follows:\n\n 18:26:22 executing program 1:\n r0 = socket$inet6_mptcp(0xa, 0x1, 0x106)\n ...\n connect$inet6(r0, &(0x7f0000000080)={0xa, 0x4001, 0x0, @loopback}, 0x1c) (async)\n\nThe notable thing here is 0x4001 in connect(), which is RDS_TCP_PORT.\n\nSo, the scenario would be:\n\n 1. unshare(CLONE_NEWNET) creates a per netns tcp listener in\n rds_tcp_listen_init().\n 2. syz-executor connect()s to it and creates a reqsk.\n 3. syz-executor exit()s immediately.\n 4. netns is dismantled. [0]\n 5. reqsk timer is fired, and UAF happens while freeing reqsk. [1]\n 6. listener is freed after RCU grace period. [2]\n\nBasically, reqsk assumes that the listener guarantees netns safety\nuntil all reqsk timers are expired by holding the listener's refcount.\nHowever, this was not the case for kernel sockets.\n\nCommit 740ea3c4a0b2 (\"tcp: Clean up kernel listener's reqsk in\ninet_twsk_purge()\") fixed this issue only for per-netns ehash.\n\nLet's apply the same fix for the global ehash.\n\n[0]:\nref_tracker: net notrefcnt@0000000065449cc3 has 1/1 users at\n sk_alloc (./include/net/net_namespace.h:337 net/core/sock.c:2146)\n inet6_create (net/ipv6/af_inet6.c:192 net/ipv6/af_inet6.c:119)\n __sock_create (net/socket.c:1572)\n rds_tcp_listen_init (net/rds/tcp_listen.c:279)\n rds_tcp_init_net (net/rds/tcp.c:577)\n ops_init (net/core/net_namespace.c:137)\n setup_net (net/core/net_namespace.c:340)\n copy_net_ns (net/core/net_namespace.c:497)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_namespaces (kernel/nsproxy.c:228 (discriminator 4))\n ksys_unshare (kernel/fork.c:3429)\n __x64_sys_unshare (kernel/fork.c:3496)\n do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:129)\n...\nWARNING: CPU: 0 PID: 27 at lib/ref_tracker.c:179 ref_tracker_dir_exit (lib/ref_tracker.c:179)\n\n[1]:\nBUG: KASAN: slab-use-after-free in inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\nRead of size 8 at addr ffff88801b370400 by task swapper/0/0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))\n print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)\n kasan_report (mm/kasan/report.c:603)\n inet_csk_reqsk_queue_drop (./include/net/inet_hashtables.h:180 net/ipv4/inet_connection_sock.c:952 net/ipv4/inet_connection_sock.c:966)\n reqsk_timer_handler (net/ipv4/inet_connection_sock.c:979 net/ipv4/inet_connection_sock.c:1092)\n call_timer_fn (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/timer.h:127 kernel/time/timer.c:1701)\n __run_timers.part.0 (kernel/time/timer.c:1752 kernel/time/timer.c:2038)\n run_timer_softirq (kernel/time/timer.c:2053)\n __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)\n irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632 kernel/softirq.c:644)\n sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1076 (discriminator 14))\n \n\nAllocated by task 258 on cpu 0 at 83.612050s:\n kasan_save_stack (mm/kasan/common.c:48)\n kasan_save_track (mm/kasan/common.c:68)\n __kasan_slab_alloc (mm/kasan/common.c:343)\n kmem_cache_alloc (mm/slub.c:3813 mm/slub.c:3860 mm/slub.c:3867)\n copy_net_ns (./include/linux/slab.h:701 net/core/net_namespace.c:421 net/core/net_namespace.c:480)\n create_new_namespaces (kernel/nsproxy.c:110)\n unshare_nsproxy_name\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26865", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26865" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fdf87a0dc26d0550c60edc911cda42f9afec3557" + }, + { + "url": "https://git.kernel.org/stable/c/786f089086b505372fb3f4f008d57e7845fff0d8" + }, + { + "url": "https://git.kernel.org/stable/c/9e200a06ae2abb321939693008290af32b33dd6e" + }, + { + "url": "https://git.kernel.org/stable/c/6abe0895b63c20de06685c8544b908c7e413efa8" + }, + { + "url": "https://git.kernel.org/stable/c/999a8bb70da2946336327b4480824d1691cae1fa" + }, + { + "url": "https://git.kernel.org/stable/c/70d92abbe29692a3de8697ae082c60f2d21ab482" + }, + { + "url": "https://git.kernel.org/stable/c/eec6cbbfa1e8d685cc245cfd5626d0715a127a48" + }, + { + "url": "https://git.kernel.org/stable/c/97ba7c1f9c0a2401e644760d857b2386aa895997" + }, + { + "url": "https://git.kernel.org/linus/fdf87a0dc26d0550c60edc911cda42f9afec3557(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26751" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-369", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26751" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: ep93xx: Add terminator to gpiod_lookup_table\n\nWithout the terminator, if a con_id is passed to gpio_find() that\ndoes not exist in the lookup table the function will not stop looping\ncorrectly, and eventually cause an oops.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26751", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26751" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/75cc31c2e7193b69f5d25650bda5bb42ed92f8a1" + }, + { + "url": "https://git.kernel.org/stable/c/239c669edb2bffa1aa2612519b1d438ab35d6be6" + }, + { + "url": "https://git.kernel.org/stable/c/e8e8b197317228b5089ed9e7802dadf3ccaa027a" + }, + { + "url": "https://git.kernel.org/stable/c/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc" + }, + { + "url": "https://git.kernel.org/stable/c/ee4e9c1976147a850f6085a13fca95bcaa00d84c" + }, + { + "url": "https://git.kernel.org/stable/c/722d2c01b8b108f8283d1b7222209d5b2a5aa7bd" + }, + { + "url": "https://git.kernel.org/stable/c/fb1088d51bbaa0faec5a55d4f5818a9ab79e24df" + }, + { + "url": "https://git.kernel.org/stable/c/37b6a3ba793bbbae057f5b991970ebcc52cb3db5" + }, + { + "url": "https://git.kernel.org/stable/c/b461910af8ba3bed80f48c2bf852686d05c6fc5c" + }, + { + "url": "https://git.kernel.org/linus/a6b3bfe176e8a5b05ec4447404e412c2a3fc92cc(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35807" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-370", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35807" + } + } + ], + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix corruption during on-line resize\n\nWe observed a corruption during on-line resize of a file system that is\nlarger than 16 TiB with 4k block size. With having more then 2^32 blocks\nresize_inode is turned off by default by mke2fs. The issue can be\nreproduced on a smaller file system for convenience by explicitly\nturning off resize_inode. An on-line resize across an 8 GiB boundary (the\nsize of a meta block group in this setup) then leads to a corruption:\n\n dev=/dev/ # should be >= 16 GiB\n mkdir -p /corruption\n /sbin/mke2fs -t ext4 -b 4096 -O ^resize_inode $dev $((2 * 2**21 - 2**15))\n mount -t ext4 $dev /corruption\n\n dd if=/dev/zero bs=4096 of=/corruption/test count=$((2*2**21 - 4*2**15))\n sha1sum /corruption/test\n # 79d2658b39dcfd77274e435b0934028adafaab11 /corruption/test\n\n /sbin/resize2fs $dev $((2*2**21))\n # drop page cache to force reload the block from disk\n echo 1 > /proc/sys/vm/drop_caches\n\n sha1sum /corruption/test\n # 3c2abc63cbf1a94c9e6977e0fbd72cd832c4d5c3 /corruption/test\n\n2^21 = 2^15*2^6 equals 8 GiB whereof 2^15 is the number of blocks per\nblock group and 2^6 are the number of block groups that make a meta\nblock group.\n\nThe last checksum might be different depending on how the file is laid\nout across the physical blocks. The actual corruption occurs at physical\nblock 63*2^15 = 2064384 which would be the location of the backup of the\nmeta block group's block descriptor. During the on-line resize the file\nsystem will be converted to meta_bg starting at s_first_meta_bg which is\n2 in the example - meaning all block groups after 16 GiB. However, in\next4_flex_group_add we might add block groups that are not part of the\nfirst meta block group yet. In the reproducer we achieved this by\nsubstracting the size of a whole block group from the point where the\nmeta block group would start. This must be considered when updating the\nbackup block group descriptors to follow the non-meta_bg layout. The fix\nis to add a test whether the group to add is already part of the meta\nblock group or not.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35807", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35807" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8d14a4d0afb49a5b8535d414c782bb334860e73e" + }, + { + "url": "https://git.kernel.org/stable/c/d351bcadab6caa6d8ce7159ff4b77e2da35c09fa" + }, + { + "url": "https://git.kernel.org/stable/c/cd5c2d0b09d5b6d3f0a7bbabe6761a4997e9dee9" + }, + { + "url": "https://git.kernel.org/stable/c/fad9bcd4d754cc689c19dc04d2c44b82c1a5d6c8" + }, + { + "url": "https://git.kernel.org/stable/c/e18afcb7b2a12b635ac10081f943fcf84ddacc51" + }, + { + "url": "https://git.kernel.org/stable/c/ea96bf3f80625cddba1391a87613356b1b45716d" + }, + { + "url": "https://git.kernel.org/stable/c/1cbaf4c793b0808532f4e7b40bc4be7cec2c78f2" + }, + { + "url": "https://git.kernel.org/stable/c/c2a30c81bf3cb9033fa9f5305baf7c377075e2e5" + }, + { + "url": "https://git.kernel.org/stable/c/3d48e5be107429ff5d824e7f2a00d1b610d36fbc" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26894" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e18afcb7b2a12b635ac10081f943fcf84ddacc51(6.9-rc1)" + } + ], + "bom-ref": "vuln-371", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26894" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()\n\nAfter unregistering the CPU idle device, the memory associated with\nit is not freed, leading to a memory leak:\n\nunreferenced object 0xffff896282f6c000 (size 1024):\n comm \"swapper/0\", pid 1, jiffies 4294893170\n hex dump (first 32 bytes):\n 00 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 8836a742):\n [] kmalloc_trace+0x29d/0x340\n [] acpi_processor_power_init+0xf3/0x1c0\n [] __acpi_processor_start+0xd3/0xf0\n [] acpi_processor_start+0x2c/0x50\n [] really_probe+0xe2/0x480\n [] __driver_probe_device+0x78/0x160\n [] driver_probe_device+0x1f/0x90\n [] __driver_attach+0xce/0x1c0\n [] bus_for_each_dev+0x70/0xc0\n [] bus_add_driver+0x112/0x210\n [] driver_register+0x55/0x100\n [] acpi_processor_driver_init+0x3b/0xc0\n [] do_one_initcall+0x41/0x300\n [] kernel_init_freeable+0x320/0x470\n [] kernel_init+0x16/0x1b0\n [] ret_from_fork+0x2d/0x50\n\nFix this by freeing the CPU idle device after unregistering it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26894", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26894" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f7e3c88cc2a977c2b9a8aa52c1ce689e7b394e49" + }, + { + "url": "https://git.kernel.org/stable/c/4e8447a9a3d367b5065a0b7abe101da6e0037b6e" + }, + { + "url": "https://git.kernel.org/stable/c/d2c9eb19fc3b11caebafde4c30a76a49203d18a6" + }, + { + "url": "https://git.kernel.org/stable/c/46c4481938e2ca62343b16ea83ab28f4c1733d31" + }, + { + "url": "https://git.kernel.org/stable/c/f4e14695fe805eb0f0cb36e0ad6a560b9f985e86" + }, + { + "url": "https://git.kernel.org/stable/c/333b5085522cf1898d5a0d92616046b414f631a7" + }, + { + "url": "https://git.kernel.org/stable/c/24cea9677025e0de419989ecb692acd4bb34cac2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35899" + }, + { + "url": "https://git.kernel.org/linus/24cea9677025e0de419989ecb692acd4bb34cac2(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-372", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35899" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: flush pending destroy work before exit_net release\n\nSimilar to 2c9f0293280e (\"netfilter: nf_tables: flush pending destroy\nwork before netlink notifier\") to address a race between exit_net and\nthe destroy workqueue.\n\nThe trace below shows an element to be released via destroy workqueue\nwhile exit_net path (triggered via module removal) has already released\nthe set that is used in such transaction.\n\n[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465\n[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359\n[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]\n[ 1360.547984] Call Trace:\n[ 1360.547991] \n[ 1360.547998] dump_stack_lvl+0x53/0x70\n[ 1360.548014] print_report+0xc4/0x610\n[ 1360.548026] ? __virt_addr_valid+0xba/0x160\n[ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10\n[ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548176] kasan_report+0xae/0xe0\n[ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]\n[ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]\n[ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30\n[ 1360.548591] process_one_work+0x2f1/0x670\n[ 1360.548610] worker_thread+0x4d3/0x760\n[ 1360.548627] ? __pfx_worker_thread+0x10/0x10\n[ 1360.548640] kthread+0x16b/0x1b0\n[ 1360.548653] ? __pfx_kthread+0x10/0x10\n[ 1360.548665] ret_from_fork+0x2f/0x50\n[ 1360.548679] ? __pfx_kthread+0x10/0x10\n[ 1360.548690] ret_from_fork_asm+0x1a/0x30\n[ 1360.548707] \n\n[ 1360.548719] Allocated by task 192061:\n[ 1360.548726] kasan_save_stack+0x20/0x40\n[ 1360.548739] kasan_save_track+0x14/0x30\n[ 1360.548750] __kasan_kmalloc+0x8f/0xa0\n[ 1360.548760] __kmalloc_node+0x1f1/0x450\n[ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables]\n[ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]\n[ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]\n[ 1360.548927] netlink_unicast+0x367/0x4f0\n[ 1360.548935] netlink_sendmsg+0x34b/0x610\n[ 1360.548944] ____sys_sendmsg+0x4d4/0x510\n[ 1360.548953] ___sys_sendmsg+0xc9/0x120\n[ 1360.548961] __sys_sendmsg+0xbe/0x140\n[ 1360.548971] do_syscall_64+0x55/0x120\n[ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n[ 1360.548994] Freed by task 192222:\n[ 1360.548999] kasan_save_stack+0x20/0x40\n[ 1360.549009] kasan_save_track+0x14/0x30\n[ 1360.549019] kasan_save_free_info+0x3b/0x60\n[ 1360.549028] poison_slab_object+0x100/0x180\n[ 1360.549036] __kasan_slab_free+0x14/0x30\n[ 1360.549042] kfree+0xb6/0x260\n[ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables]\n[ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables]\n[ 1360.549221] ops_exit_list+0x50/0xa0\n[ 1360.549229] free_exit_list+0x101/0x140\n[ 1360.549236] unregister_pernet_operations+0x107/0x160\n[ 1360.549245] unregister_pernet_subsys+0x1c/0x30\n[ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables]\n[ 1360.549345] __do_sys_delete_module+0x253/0x370\n[ 1360.549352] do_syscall_64+0x55/0x120\n[ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d\n\n(gdb) list *__nft_release_table+0x473\n0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).\n11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {\n11350 list_del(&flowtable->list);\n11351 nft_use_dec(&table->use);\n11352 nf_tables_flowtable_destroy(flowtable);\n11353 }\n11354 list_for_each_entry_safe(set, ns, &table->sets, list) {\n11355 list_del(&set->list);\n11356 nft_use_dec(&table->use);\n11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))\n11358 nft_map_deactivat\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35899", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35899" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24861" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-373", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24861" + } + }, + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" + } + } + ], + "created": "2024-02-05T08:15:45Z", + "description": "A race condition was found in the Linux kernel's media/xc4000 device driver in xc4000 xc4000_get_frequency() function. This can result in return value overflow issue, possibly leading to malfunction or denial of service issue.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-24861", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24861" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:05:59Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fcdbc1d7a4b638e5d5668de461f320386f3002aa" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fcdbc1d7a4b638e5d5668de461f320386f3002aa(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35948" + } + ], + "bom-ref": "vuln-374", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35948" + } + } + ], + "created": "2024-05-20T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: Check for journal entries overruning end of sb clean section\n\nFix a missing bounds check in superblock validation.\n\nNote that we don't yet have repair code for this case - repair code for\nindividual items is generally low priority, since the whole superblock\nis checksummed, validated prior to write, and we have backups.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35948", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35948" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4d58c9fb45c70e62c19e8be3f3605889c47601bc" + }, + { + "url": "https://git.kernel.org/stable/c/dda98810b552fc6bf650f4270edeebdc2f28bd3f" + }, + { + "url": "https://git.kernel.org/stable/c/927d1f4f77e4784ab3944a9df86ab14d1cd3185a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35929" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/dda98810b552fc6bf650f4270edeebdc2f28bd3f(6.9-rc1)" + } + ], + "bom-ref": "vuln-375", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35929" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock()\n\nFor the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y and\nCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()\nin the rcu_nocb_bypass_lock() and rcu_nocb_wait_contended() functions:\n\n CPU2 CPU11\nkthread\nrcu_nocb_cb_kthread ksys_write\nrcu_do_batch vfs_write\nrcu_torture_timer_cb proc_sys_write\n__kmem_cache_free proc_sys_call_handler\nkmemleak_free drop_caches_sysctl_handler\ndelete_object_full drop_slab\n__delete_object shrink_slab\nput_object lazy_rcu_shrink_scan\ncall_rcu rcu_nocb_flush_bypass\n__call_rcu_commn rcu_nocb_bypass_lock\n raw_spin_trylock(&rdp->nocb_bypass_lock) fail\n atomic_inc(&rdp->nocb_lock_contended);\nrcu_nocb_wait_contended WARN_ON_ONCE(smp_processor_id() != rdp->cpu);\n WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)) |\n |_ _ _ _ _ _ _ _ _ _same rdp and rdp->cpu != 11_ _ _ _ _ _ _ _ _ __|\n\nReproduce this bug with \"echo 3 > /proc/sys/vm/drop_caches\".\n\nThis commit therefore uses rcu_nocb_try_flush_bypass() instead of\nrcu_nocb_flush_bypass() in lazy_rcu_shrink_scan(). If the nocb_bypass\nqueue is being flushed, then rcu_nocb_try_flush_bypass will return\ndirectly.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35929", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35929" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b41d3fd04c6757b9c2a60a0c5b2609cae9999df" + }, + { + "url": "https://git.kernel.org/stable/c/2acc59dd88d27ad69b66ded80df16c042b04eeec" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26658" + }, + { + "url": "https://git.kernel.org/linus/2acc59dd88d27ad69b66ded80df16c042b04eeec(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-376", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26658" + } + } + ], + "created": "2024-04-02T07:15:42Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcachefs: grab s_umount only if snapshotting\n\nWhen I was testing mongodb over bcachefs with compression,\nthere is a lockdep warning when snapshotting mongodb data volume.\n\n$ cat test.sh\nprog=bcachefs\n\n$prog subvolume create /mnt/data\n$prog subvolume create /mnt/data/snapshots\n\nwhile true;do\n $prog subvolume snapshot /mnt/data /mnt/data/snapshots/$(date +%s)\n sleep 1s\ndone\n\n$ cat /etc/mongodb.conf\nsystemLog:\n destination: file\n logAppend: true\n path: /mnt/data/mongod.log\n\nstorage:\n dbPath: /mnt/data/\n\nlockdep reports:\n[ 3437.452330] ======================================================\n[ 3437.452750] WARNING: possible circular locking dependency detected\n[ 3437.453168] 6.7.0-rc7-custom+ #85 Tainted: G E\n[ 3437.453562] ------------------------------------------------------\n[ 3437.453981] bcachefs/35533 is trying to acquire lock:\n[ 3437.454325] ffffa0a02b2b1418 (sb_writers#10){.+.+}-{0:0}, at: filename_create+0x62/0x190\n[ 3437.454875]\n but task is already holding lock:\n[ 3437.455268] ffffa0a02b2b10e0 (&type->s_umount_key#48){.+.+}-{3:3}, at: bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.456009]\n which lock already depends on the new lock.\n\n[ 3437.456553]\n the existing dependency chain (in reverse order) is:\n[ 3437.457054]\n -> #3 (&type->s_umount_key#48){.+.+}-{3:3}:\n[ 3437.457507] down_read+0x3e/0x170\n[ 3437.457772] bch2_fs_file_ioctl+0x232/0xc90 [bcachefs]\n[ 3437.458206] __x64_sys_ioctl+0x93/0xd0\n[ 3437.458498] do_syscall_64+0x42/0xf0\n[ 3437.458779] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.459155]\n -> #2 (&c->snapshot_create_lock){++++}-{3:3}:\n[ 3437.459615] down_read+0x3e/0x170\n[ 3437.459878] bch2_truncate+0x82/0x110 [bcachefs]\n[ 3437.460276] bchfs_truncate+0x254/0x3c0 [bcachefs]\n[ 3437.460686] notify_change+0x1f1/0x4a0\n[ 3437.461283] do_truncate+0x7f/0xd0\n[ 3437.461555] path_openat+0xa57/0xce0\n[ 3437.461836] do_filp_open+0xb4/0x160\n[ 3437.462116] do_sys_openat2+0x91/0xc0\n[ 3437.462402] __x64_sys_openat+0x53/0xa0\n[ 3437.462701] do_syscall_64+0x42/0xf0\n[ 3437.462982] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.463359]\n -> #1 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}:\n[ 3437.463843] down_write+0x3b/0xc0\n[ 3437.464223] bch2_write_iter+0x5b/0xcc0 [bcachefs]\n[ 3437.464493] vfs_write+0x21b/0x4c0\n[ 3437.464653] ksys_write+0x69/0xf0\n[ 3437.464839] do_syscall_64+0x42/0xf0\n[ 3437.465009] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.465231]\n -> #0 (sb_writers#10){.+.+}-{0:0}:\n[ 3437.465471] __lock_acquire+0x1455/0x21b0\n[ 3437.465656] lock_acquire+0xc6/0x2b0\n[ 3437.465822] mnt_want_write+0x46/0x1a0\n[ 3437.465996] filename_create+0x62/0x190\n[ 3437.466175] user_path_create+0x2d/0x50\n[ 3437.466352] bch2_fs_file_ioctl+0x2ec/0xc90 [bcachefs]\n[ 3437.466617] __x64_sys_ioctl+0x93/0xd0\n[ 3437.466791] do_syscall_64+0x42/0xf0\n[ 3437.466957] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ 3437.467180]\n other info that might help us debug this:\n\n[ 3437.469670] 2 locks held by bcachefs/35533:\n other info that might help us debug this:\n\n[ 3437.467507] Chain exists of:\n sb_writers#10 --> &c->snapshot_create_lock --> &type->s_umount_key#48\n\n[ 3437.467979] Possible unsafe locking scenario:\n\n[ 3437.468223] CPU0 CPU1\n[ 3437.468405] ---- ----\n[ 3437.468585] rlock(&type->s_umount_key#48);\n[ 3437.468758] lock(&c->snapshot_create_lock);\n[ 3437.469030] lock(&type->s_umount_key#48);\n[ 3437.469291] rlock(sb_writers#10);\n[ 3437.469434]\n *** DEADLOCK ***\n\n[ 3437.469\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26658", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26658" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/70af82bb9c897faa25a44e4181f36c60312b71ef" + }, + { + "url": "https://git.kernel.org/stable/c/d610a307225951929b9dff807788439454476f85" + }, + { + "url": "https://git.kernel.org/stable/c/176e66269f0de327375fc0ea51c12c2f5a97e4c4" + }, + { + "url": "https://git.kernel.org/stable/c/6b1ba3f9040be5efc4396d86c9752cdc564730be" + }, + { + "url": "https://git.kernel.org/stable/c/5ae5060e17a3fc38e54c3e5bd8abd6b1d5bfae7c" + }, + { + "url": "https://git.kernel.org/stable/c/0224cbc53ba82b84affa7619b6d1b1a254bc2c53" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26787" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-377", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26787" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmmc: mmci: stm32: fix DMA API overlapping mappings warning\n\nTurning on CONFIG_DMA_API_DEBUG_SG results in the following warning:\n\nDMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,\noverlapping mappings aren't supported\nWARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568\nadd_dma_entry+0x234/0x2f4\nModules linked in:\nCPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1\nHardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)\nWorkqueue: events_freezable mmc_rescan\nCall trace:\nadd_dma_entry+0x234/0x2f4\ndebug_dma_map_sg+0x198/0x350\n__dma_map_sg_attrs+0xa0/0x110\ndma_map_sg_attrs+0x10/0x2c\nsdmmc_idma_prep_data+0x80/0xc0\nmmci_prep_data+0x38/0x84\nmmci_start_data+0x108/0x2dc\nmmci_request+0xe4/0x190\n__mmc_start_request+0x68/0x140\nmmc_start_request+0x94/0xc0\nmmc_wait_for_req+0x70/0x100\nmmc_send_tuning+0x108/0x1ac\nsdmmc_execute_tuning+0x14c/0x210\nmmc_execute_tuning+0x48/0xec\nmmc_sd_init_uhs_card.part.0+0x208/0x464\nmmc_sd_init_card+0x318/0x89c\nmmc_attach_sd+0xe4/0x180\nmmc_rescan+0x244/0x320\n\nDMA API debug brings to light leaking dma-mappings as dma_map_sg and\ndma_unmap_sg are not correctly balanced.\n\nIf an error occurs in mmci_cmd_irq function, only mmci_dma_error\nfunction is called and as this API is not managed on stm32 variant,\ndma_unmap_sg is never called in this error path.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26787", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26787" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/36b32816fbab267611f073223f1b0b816ec5920f" + }, + { + "url": "https://git.kernel.org/stable/c/fe42754b94a42d08cf9501790afc25c4f6a5f631" + }, + { + "url": "https://git.kernel.org/stable/c/af6d6a923b40bf6471e44067ac61cc5814b48e7f" + }, + { + "url": "https://git.kernel.org/stable/c/fd8547ebc187037cc69441a15c1441aeaab80f49" + }, + { + "url": "https://git.kernel.org/stable/c/8292f4f8dd1b005d0688d726261004f816ef730a" + }, + { + "url": "https://git.kernel.org/stable/c/38f17d1fbb5bfb56ca1419e2d06376d57a9396f9" + }, + { + "url": "https://git.kernel.org/linus/fe42754b94a42d08cf9501790afc25c4f6a5f631(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35996" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-378", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35996" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpu: Re-enable CPU mitigations by default for !X86 architectures\n\nRename x86's to CPU_MITIGATIONS, define it in generic code, and force it\non for all architectures exception x86. A recent commit to turn\nmitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta\nmissed that \"cpu_mitigations\" is completely generic, whereas\nSPECULATION_MITIGATIONS is x86-specific.\n\nRename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it\nselect CPU_MITIGATIONS, as having two configs for the same thing is\nunnecessary and confusing. This will also allow x86 to use the knob to\nmanage mitigations that aren't strictly related to speculative\nexecution.\n\nUse another Kconfig to communicate to common code that CPU_MITIGATIONS\nis already defined instead of having x86's menu depend on the common\nCPU_MITIGATIONS. This allows keeping a single point of contact for all\nof x86's mitigations, and it's not clear that other architectures *want*\nto allow disabling mitigations at compile-time.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35996", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35996" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13ba94f6cc820fdea15efeaa17d4c722874eebf9" + }, + { + "url": "https://git.kernel.org/stable/c/5c45feb3c288cf44a529e2657b36c259d86497d2" + }, + { + "url": "https://git.kernel.org/stable/c/ca34c40d1c22c555fa7f4a21a1c807fea7290a0a" + }, + { + "url": "https://git.kernel.org/stable/c/8260c980aee7d8d8a3db39faf19c391d2f898816" + }, + { + "url": "https://git.kernel.org/stable/c/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2" + }, + { + "url": "https://git.kernel.org/stable/c/e4bb6da24de336a7899033a65490ed2d892efa5b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36005" + }, + { + "url": "https://git.kernel.org/linus/8e30abc9ace4f0add4cd761dfdbfaebae5632dd2(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-379", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36005" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from netdev release event path\n\nCheck for table dormant flag otherwise netdev release event path tries\nto unregister an already unregistered hook.\n\n[524854.857999] ------------[ cut here ]------------\n[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260\n[...]\n[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365\n[524854.858869] Workqueue: netns cleanup_net\n[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260\n[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41\n[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246\n[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a\n[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438\n[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34\n[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005\n[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00\n[524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0\n[524854.859000] Call Trace:\n[524854.859006] \n[524854.859013] ? __warn+0x9f/0x1a0\n[524854.859027] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859044] ? report_bug+0x1b1/0x1e0\n[524854.859060] ? handle_bug+0x3c/0x70\n[524854.859071] ? exc_invalid_op+0x17/0x40\n[524854.859083] ? asm_exc_invalid_op+0x1a/0x20\n[524854.859100] ? __nf_unregister_net_hook+0x6a/0x260\n[524854.859116] ? __nf_unregister_net_hook+0x21a/0x260\n[524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables]\n[524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859461] ? packet_notifier+0xb3/0x360\n[524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40\n[524854.859489] ? dcbnl_netdevice_event+0x35/0x140\n[524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]\n[524854.859661] notifier_call_chain+0x7d/0x140\n[524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-36005", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36005" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2d5b4b3376fa146a23917b8577064906d643925f" + }, + { + "url": "https://git.kernel.org/stable/c/e0b4c5b1d760008f1dd18c07c35af0442e54f9c8" + }, + { + "url": "https://git.kernel.org/stable/c/dc489f86257cab5056e747344f17a164f63bff4b" + }, + { + "url": "https://git.kernel.org/stable/c/603be95437e7fd85ba694e75918067fb9e7754db" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26837" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/dc489f86257cab5056e747344f17a164f63bff4b(6.8-rc6)" + } + ], + "bom-ref": "vuln-380", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26837" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: switchdev: Skip MDB replays of deferred events on offload\n\nBefore this change, generation of the list of MDB events to replay\nwould race against the creation of new group memberships, either from\nthe IGMP/MLD snooping logic or from user configuration.\n\nWhile new memberships are immediately visible to walkers of\nbr->mdb_list, the notification of their existence to switchdev event\nsubscribers is deferred until a later point in time. So if a replay\nlist was generated during a time that overlapped with such a window,\nit would also contain a replay of the not-yet-delivered event.\n\nThe driver would thus receive two copies of what the bridge internally\nconsidered to be one single event. On destruction of the bridge, only\na single membership deletion event was therefore sent. As a\nconsequence of this, drivers which reference count memberships (at\nleast DSA), would be left with orphan groups in their hardware\ndatabase when the bridge was destroyed.\n\nThis is only an issue when replaying additions. While deletion events\nmay still be pending on the deferred queue, they will already have\nbeen removed from br->mdb_list, so no duplicates can be generated in\nthat scenario.\n\nTo a user this meant that old group memberships, from a bridge in\nwhich a port was previously attached, could be reanimated (in\nhardware) when the port joined a new bridge, without the new bridge's\nknowledge.\n\nFor example, on an mv88e6xxx system, create a snooping bridge and\nimmediately add a port to it:\n\n root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \\\n > ip link set dev x3 up master br0\n\nAnd then destroy the bridge:\n\n root@infix-06-0b-00:~$ ip link del dev br0\n root@infix-06-0b-00:~$ mvls atu\n ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a\n DEV:0 Marvell 88E6393X\n 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . .\n 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . .\n ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a\n root@infix-06-0b-00:~$\n\nThe two IPv6 groups remain in the hardware database because the\nport (x3) is notified of the host's membership twice: once via the\noriginal event and once via a replay. Since only a single delete\nnotification is sent, the count remains at 1 when the bridge is\ndestroyed.\n\nThen add the same port (or another port belonging to the same hardware\ndomain) to a new bridge, this time with snooping disabled:\n\n root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \\\n > ip link set dev x3 up master br1\n\nAll multicast, including the two IPv6 groups from br0, should now be\nflooded, according to the policy of br1. But instead the old\nmemberships are still active in the hardware database, causing the\nswitch to only forward traffic to those groups towards the CPU (port\n0).\n\nEliminate the race in two steps:\n\n1. Grab the write-side lock of the MDB while generating the replay\n list.\n\nThis prevents new memberships from showing up while we are generating\nthe replay list. But it leaves the scenario in which a deferred event\nwas already generated, but not delivered, before we grabbed the\nlock. Therefore:\n\n2. Make sure that no deferred version of a replay event is already\n enqueued to the switchdev deferred queue, before adding it to the\n replay list, when replaying additions.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26837", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26837" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2221702" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-4133" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-4133" + }, + { + "url": "https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15(6.3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-381", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4133" + } + } + ], + "created": "2023-08-03T15:15:33Z", + "description": "A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-4133", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4133" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-30T14:15:10Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ecb829459a841198e142f72fadab56424ae96519" + }, + { + "url": "https://git.kernel.org/stable/c/6bd77865fda662913dcb5722a66a773840370aa7" + }, + { + "url": "https://git.kernel.org/stable/c/ad26f26abd353113dea4e8d5ebadccdab9b61e76" + }, + { + "url": "https://git.kernel.org/stable/c/f9ac93b6f3de34aa0bb983b9be4f69ca50fc70f3" + }, + { + "url": "https://git.kernel.org/linus/ecb829459a841198e142f72fadab56424ae96519(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35959" + } + ], + "bom-ref": "vuln-382", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35959" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen mlx5e_priv_init() fails, the cleanup flow calls mlx5e_selq_cleanup which\ncalls mlx5e_selq_apply() that assures that the `priv->state_lock` is held using\nlockdep_is_held().\n\nAcquire the state_lock in mlx5e_selq_cleanup().\n\nKernel log:\n=============================\nWARNING: suspicious RCU usage\n6.8.0-rc3_net_next_841a9b5 #1 Not tainted\n-----------------------------\ndrivers/net/ethernet/mellanox/mlx5/core/en/selq.c:124 suspicious rcu_dereference_protected() usage!\n\nother info that might help us debug this:\n\nrcu_scheduler_active = 2, debug_locks = 1\n2 locks held by systemd-modules/293:\n #0: ffffffffa05067b0 (devices_rwsem){++++}-{3:3}, at: ib_register_client+0x109/0x1b0 [ib_core]\n #1: ffff8881096c65c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x104/0x1c0 [ib_core]\n\nstack backtrace:\nCPU: 4 PID: 293 Comm: systemd-modules Not tainted 6.8.0-rc3_net_next_841a9b5 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x8a/0xa0\n lockdep_rcu_suspicious+0x154/0x1a0\n mlx5e_selq_apply+0x94/0xa0 [mlx5_core]\n mlx5e_selq_cleanup+0x3a/0x60 [mlx5_core]\n mlx5e_priv_init+0x2be/0x2f0 [mlx5_core]\n mlx5_rdma_setup_rn+0x7c/0x1a0 [mlx5_core]\n rdma_init_netdev+0x4e/0x80 [ib_core]\n ? mlx5_rdma_netdev_free+0x70/0x70 [mlx5_core]\n ipoib_intf_init+0x64/0x550 [ib_ipoib]\n ipoib_intf_alloc+0x4e/0xc0 [ib_ipoib]\n ipoib_add_one+0xb0/0x360 [ib_ipoib]\n add_client_context+0x112/0x1c0 [ib_core]\n ib_register_client+0x166/0x1b0 [ib_core]\n ? 0xffffffffa0573000\n ipoib_init_module+0xeb/0x1a0 [ib_ipoib]\n do_one_initcall+0x61/0x250\n do_init_module+0x8a/0x270\n init_module_from_file+0x8b/0xd0\n idempotent_init_module+0x17d/0x230\n __x64_sys_finit_module+0x61/0xb0\n do_syscall_64+0x71/0x140\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35959", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35959" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef1e47d50324e232d2da484fe55a54274eeb9bc1" + }, + { + "url": "https://git.kernel.org/stable/c/62f361bfea60c6afc3df09c1ad4152e6507f6f47" + }, + { + "url": "https://git.kernel.org/stable/c/c0ec2a712daf133d9996a8a1b7ee2d4996080363" + }, + { + "url": "https://git.kernel.org/stable/c/b0365460e945e1117b47cf7329d86de752daff63" + }, + { + "url": "https://git.kernel.org/stable/c/37077ed16c7793e21b005979d33f8a61565b7e86" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26753" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c0ec2a712daf133d9996a8a1b7ee2d4996080363(6.8-rc6)" + } + ], + "bom-ref": "vuln-383", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26753" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: virtio/akcipher - Fix stack overflow on memcpy\n\nsizeof(struct virtio_crypto_akcipher_session_para) is less than\nsizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from\nstack variable leads stack overflow. Clang reports this issue by\ncommands:\nmake -j CC=clang-14 mrproper >/dev/null 2>&1\nmake -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1\nmake -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/\n virtio_crypto_akcipher_algs.o", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26753", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26753" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/710c69dbaccdac312e32931abcb8499c1525d397" + }, + { + "url": "https://git.kernel.org/stable/c/5e0bc09a52b6169ce90f7ac6e195791adb16cec4" + }, + { + "url": "https://git.kernel.org/stable/c/9e6987f8937a7bd7516aa52f25cb7e12c0c92ee8" + }, + { + "url": "https://git.kernel.org/stable/c/eaf0971fdabf2a93c1429dc6bedf3bbe85dffa30" + }, + { + "url": "https://git.kernel.org/stable/c/1d86f79287206deec36d63b89c741cf542b6cadd" + }, + { + "url": "https://git.kernel.org/linus/710c69dbaccdac312e32931abcb8499c1525d397(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26769" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-384", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26769" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet-fc: avoid deadlock on delete association path\n\nWhen deleting an association the shutdown path is deadlocking because we\ntry to flush the nvmet_wq nested. Avoid this by deadlock by deferring\nthe put work into its own work item.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26769", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26769" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c4a09fdac625e64abe478dcf88bfa20406616928" + }, + { + "url": "https://git.kernel.org/stable/c/f3e4963566f58726d3265a727116a42b591f6596" + }, + { + "url": "https://git.kernel.org/stable/c/d31c8721e816eff5ca6573cc487754f357c093cd" + }, + { + "url": "https://git.kernel.org/stable/c/2c3bdba00283a6c7a5b19481a59a730f46063803" + }, + { + "url": "https://git.kernel.org/stable/c/5bc09b397cbf1221f8a8aacb1152650c9195b02b" + }, + { + "url": "https://git.kernel.org/stable/c/626daab3811b772086aef1bf8eed3ffe6f523eff" + }, + { + "url": "https://git.kernel.org/stable/c/8fa90634ec3e9cc50f42dd605eec60f2d146ced8" + }, + { + "url": "https://git.kernel.org/stable/c/6589f0f72f8edd1fa11adce4eedbd3615f2e78ab" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/5bc09b397cbf1221f8a8aacb1152650c9195b02b(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26685" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-385", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26685" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix potential bug in end_buffer_async_write\n\nAccording to a syzbot report, end_buffer_async_write(), which handles the\ncompletion of block device writes, may detect abnormal condition of the\nbuffer async_write flag and cause a BUG_ON failure when using nilfs2.\n\nNilfs2 itself does not use end_buffer_async_write(). But, the async_write\nflag is now used as a marker by commit 7f42ec394156 (\"nilfs2: fix issue\nwith race condition of competition between segments for dirty blocks\") as\na means of resolving double list insertion of dirty blocks in\nnilfs_lookup_dirty_data_buffers() and nilfs_lookup_node_buffers() and the\nresulting crash.\n\nThis modification is safe as long as it is used for file data and b-tree\nnode blocks where the page caches are independent. However, it was\nirrelevant and redundant to also introduce async_write for segment summary\nand super root blocks that share buffers with the backing device. This\nled to the possibility that the BUG_ON check in end_buffer_async_write\nwould fail as described above, if independent writebacks of the backing\ndevice occurred in parallel.\n\nThe use of async_write for segment summary buffers has already been\nremoved in a previous change.\n\nFix this issue by removing the manipulation of the async_write flag for\nthe remaining super root block buffer.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26685", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26685" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15" + }, + { + "url": "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a" + }, + { + "url": "https://git.kernel.org/linus/def054b01a867822254e1dda13d587f5c7a99e2a(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35843" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-386", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35843" + } + } + ], + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35843", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35843" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3fc88b246a2fc16014e374040fc15af1d3752535" + }, + { + "url": "https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731" + }, + { + "url": "https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340" + }, + { + "url": "https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e" + }, + { + "url": "https://git.kernel.org/stable/c/c958e86e9cc1b48cac004a6e245154dfba8e163b" + }, + { + "url": "https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a" + }, + { + "url": "https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49" + }, + { + "url": "https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7" + }, + { + "url": "https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245db4db710" + }, + { + "url": "https://git.kernel.org/linus/c958e86e9cc1b48cac004a6e245154dfba8e163b(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26874" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-387", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26874" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip\n\nIt's possible that mtk_crtc->event is NULL in\nmtk_drm_crtc_finish_page_flip().\n\npending_needs_vblank value is set by mtk_crtc->event, but in\nmtk_drm_crtc_atomic_flush(), it's is not guarded by the same\nlock in mtk_drm_finish_page_flip(), thus a race condition happens.\n\nConsider the following case:\n\nCPU1 CPU2\nstep 1:\nmtk_drm_crtc_atomic_begin()\nmtk_crtc->event is not null,\n step 1:\n mtk_drm_crtc_atomic_flush:\n mtk_drm_crtc_update_config(\n !!mtk_crtc->event)\nstep 2:\nmtk_crtc_ddp_irq ->\nmtk_drm_finish_page_flip:\nlock\nmtk_crtc->event set to null,\npending_needs_vblank set to false\nunlock\n pending_needs_vblank set to true,\n\n step 2:\n mtk_crtc_ddp_irq ->\n mtk_drm_finish_page_flip called again,\n pending_needs_vblank is still true\n //null pointer\n\nInstead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more\nefficient to just check if mtk_crtc->event is null before use.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26874", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26874" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d7d7c6cdea875be3b241d7d39873bb431db7154d" + }, + { + "url": "https://git.kernel.org/stable/c/9adec248bba33b1503252caf8e59d81febfc5ceb" + }, + { + "url": "https://git.kernel.org/stable/c/9c68ece8b2a5c5ff9b2fcaea923dd73efeb174cd" + }, + { + "url": "https://git.kernel.org/stable/c/97cd43ba824aec764f5ea2790d0c0a318f885167" + }, + { + "url": "https://git.kernel.org/stable/c/0b61a7dc6712b78799b3949997e8a5e94db5c4b0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35818" + }, + { + "url": "https://git.kernel.org/linus/9c68ece8b2a5c5ff9b2fcaea923dd73efeb174cd(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-388", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35818" + } + } + ], + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Define the __io_aw() hook as mmiowb()\n\nCommit fb24ea52f78e0d595852e (\"drivers: Remove explicit invocations of\nmmiowb()\") remove all mmiowb() in drivers, but it says:\n\n\"NOTE: mmiowb() has only ever guaranteed ordering in conjunction with\nspin_unlock(). However, pairing each mmiowb() removal in this patch with\nthe corresponding call to spin_unlock() is not at all trivial, so there\nis a small chance that this change may regress any drivers incorrectly\nrelying on mmiowb() to order MMIO writes between CPUs using lock-free\nsynchronisation.\"\n\nThe mmio in radeon_ring_commit() is protected by a mutex rather than a\nspinlock, but in the mutex fastpath it behaves similar to spinlock. We\ncan add mmiowb() calls in the radeon driver but the maintainer says he\ndoesn't like such a workaround, and radeon is not the only example of\nmutex protected mmio.\n\nSo we should extend the mmiowb tracking system from spinlock to mutex,\nand maybe other locking primitives. This is not easy and error prone, so\nwe solve it in the architectural code, by simply defining the __io_aw()\nhook as mmiowb(). And we no longer need to override queued_spin_unlock()\nso use the generic definition.\n\nWithout this, we get such an error when run 'glxgears' on weak ordering\narchitectures such as LoongArch:\n\nradeon 0000:04:00.0: ring 0 stalled for more than 10324msec\nradeon 0000:04:00.0: ring 3 stalled for more than 10240msec\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000001f412 last fence id 0x000000000001f414 on ring 3)\nradeon 0000:04:00.0: GPU lockup (current fence id 0x000000000000f940 last fence id 0x000000000000f941 on ring 0)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)\nradeon 0000:04:00.0: scheduling IB failed (-35).\n[drm:radeon_gem_va_ioctl [radeon]] *ERROR* Couldn't update BO_VA (-35)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35818", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35818" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04226d8e3c4028dc451e9d8777356ec0f7919253" + }, + { + "url": "https://git.kernel.org/stable/c/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65" + }, + { + "url": "https://git.kernel.org/stable/c/c92f2927df860a60ba815d3ee610a944b92a8694" + }, + { + "url": "https://git.kernel.org/stable/c/77bfdb89cc222fc7bfe198eda77bdc427d5ac189" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26869" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/9f0c4a46be1fe9b97dbe66d49204c1371e3ece65(6.9-rc1)" + } + ], + "bom-ref": "vuln-389", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26869" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate meta inode pages forcely\n\nBelow race case can cause data corruption:\n\nThread A\t\t\t\tGC thread\n\t\t\t\t\t- gc_data_segment\n\t\t\t\t\t - ra_data_block\n\t\t\t\t\t - locked meta_inode page\n- f2fs_inplace_write_data\n - invalidate_mapping_pages\n : fail to invalidate meta_inode page\n due to lock failure or dirty|writeback\n status\n - f2fs_submit_page_bio\n : write last dirty data to old blkaddr\n\t\t\t\t\t - move_data_block\n\t\t\t\t\t - load old data from meta_inode page\n\t\t\t\t\t - f2fs_submit_page_write\n\t\t\t\t\t : write old data to new blkaddr\n\nBecause invalidate_mapping_pages() will skip invalidating page which\nhas unclear status including locked, dirty, writeback and so on, so\nwe need to use truncate_inode_pages_range() instead of\ninvalidate_mapping_pages() to make sure meta_inode page will be dropped.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26869", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26869" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0f038242b77ddfc505bf4163d4904c1abd2e74d6" + }, + { + "url": "https://git.kernel.org/stable/c/440e948cf0eff32cfe322dcbca3f2525354b159b" + }, + { + "url": "https://git.kernel.org/stable/c/0c83842df40f86e529db6842231154772c20edcc" + }, + { + "url": "https://git.kernel.org/stable/c/81d51b9b7c95e791ba3c1a2dd77920a9d3b3f525" + }, + { + "url": "https://git.kernel.org/stable/c/18aae2cb87e5faa9c5bd865260ceadac60d5a6c5" + }, + { + "url": "https://git.kernel.org/stable/c/58f2bfb789e6bd3bc24a2c9c1580f3c67aec3018" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35896" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/0c83842df40f86e529db6842231154772c20edcc(6.9-rc3)" + } + ], + "bom-ref": "vuln-390", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35896" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: validate user input for expected length\n\nI got multiple syzbot reports showing old bugs exposed\nby BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc\nin cgroup/{s,g}etsockopt\")\n\nsetsockopt() @optlen argument should be taken into account\nbefore copying data.\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\nRead of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238\n\nCPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]\n do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627\n nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\nRIP: 0033:0x7fd22067dde9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003\nRBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8\n \n\nAllocated by task 7238:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:4069 [inline]\n __kmalloc_noprof+0x200/0x410 mm/slub.c:4082\n kmalloc_noprof include/linux/slab.h:664 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x72/0x7a\n\nThe buggy address belongs to the object at ffff88802cd73da0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 0 bytes inside of\n allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)\n\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73\nflags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff)\npage_type: 0xffffefff(slab)\nraw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122\nraw: ffff88802cd73020 000000008080007f 00000001ffffefff 00\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35896", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35896" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3fe79b2c83461edbbf86ed8a6f3924820ff89259" + }, + { + "url": "https://git.kernel.org/stable/c/ca54e2671548616ad34885f90d4f26f7adb088f0" + }, + { + "url": "https://git.kernel.org/stable/c/04720ea2e6c64459a90ca28570ea78335eccd924" + }, + { + "url": "https://git.kernel.org/stable/c/70a8be9dc2fb65d67f8c1e0c88c587e08e2e575d" + }, + { + "url": "https://git.kernel.org/stable/c/87b6af1a7683e021710c08fc0551fc078346032f" + }, + { + "url": "https://git.kernel.org/stable/c/b3ddf6904073990492454b1dd1c10a24be8c74c6" + }, + { + "url": "https://git.kernel.org/stable/c/b1f532a3b1e6d2e5559c7ace49322922637a28aa" + }, + { + "url": "https://git.kernel.org/stable/c/4ca2a5fb54ea2cc43edea614207fcede562d91c2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35982" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b1f532a3b1e6d2e5559c7ace49322922637a28aa(6.9-rc4)" + } + ], + "bom-ref": "vuln-391", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35982" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: Avoid infinite loop trying to resize local TT\n\nIf the MTU of one of an attached interface becomes too small to transmit\nthe local translation table then it must be resized to fit inside all\nfragments (when enabled) or a single packet.\n\nBut if the MTU becomes too low to transmit even the header + the VLAN\nspecific part then the resizing of the local TT will never succeed. This\ncan for example happen when the usable space is 110 bytes and 11 VLANs are\non top of batman-adv. In this case, at least 116 byte would be needed.\nThere will just be an endless spam of\n\n batman_adv: batadv0: Forced to purge local tt entries to fit new maximum fragment MTU (110)\n\nin the log but the function will never finish. Problem here is that the\ntimeout will be halved all the time and will then stagnate at 0 and\ntherefore never be able to reduce the table even more.\n\nThere are other scenarios possible with a similar result. The number of\nBATADV_TT_CLIENT_NOPURGE entries in the local TT can for example be too\nhigh to fit inside a packet. Such a scenario can therefore happen also with\nonly a single VLAN + 7 non-purgable addresses - requiring at least 120\nbytes.\n\nWhile this should be handled proactively when:\n\n* interface with too low MTU is added\n* VLAN is added\n* non-purgeable local mac is added\n* MTU of an attached interface is reduced\n* fragmentation setting gets disabled (which most likely requires dropping\n attached interfaces)\n\nnot all of these scenarios can be prevented because batman-adv is only\nconsuming events without the the possibility to prevent these actions\n(non-purgable MAC address added, MTU of an attached interface is reduced).\nIt is therefore necessary to also make sure that the code is able to handle\nalso the situations when there were already incompatible system\nconfiguration are present.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35982", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35982" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6915b1b28fe57e92c78e664366dc61c4f15ff03b" + }, + { + "url": "https://git.kernel.org/stable/c/343041b59b7810f9cdca371f445dd43b35c740b1" + }, + { + "url": "https://git.kernel.org/stable/c/860e838fb089d652a446ced52cbdf051285b68e7" + }, + { + "url": "https://git.kernel.org/stable/c/bd2474a45df7c11412c2587de3d4e43760531418" + }, + { + "url": "https://git.kernel.org/stable/c/9b720bb1a69a9f12a4a5c86b6f89386fe05ed0f2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26815" + }, + { + "url": "https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-392", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26815" + } + } + ], + "created": "2024-04-10T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check\n\ntaprio_parse_tc_entry() is not correctly checking\nTCA_TAPRIO_TC_ENTRY_INDEX attribute:\n\n\tint tc; // Signed value\n\n\ttc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);\n\tif (tc >= TC_QOPT_MAX_QUEUE) {\n\t\tNL_SET_ERR_MSG_MOD(extack, \"TC entry index out of range\");\n\t\treturn -ERANGE;\n\t}\n\nsyzbot reported that it could fed arbitary negative values:\n\nUBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18\nshift exponent -2147418108 is negative\nCPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:217 [inline]\n __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386\n taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]\n taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]\n taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877\n taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134\n qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355\n tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776\n rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617\n netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f1b2dea3759\nCode: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759\nRDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004\nRBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000\nR10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340\nR13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26815", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26815" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-10T13:23:38Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2b1414d5e94e477edff1d2c79030f1d742625ea0" + }, + { + "url": "https://git.kernel.org/stable/c/62e7151ae3eb465e0ab52a20c941ff33bb6332e9" + }, + { + "url": "https://git.kernel.org/stable/c/7c3f28599652acf431a2211168de4a583f30b6d5" + }, + { + "url": "https://git.kernel.org/stable/c/cb734975b0ffa688ff6cc0eed463865bf07b6c01" + }, + { + "url": "https://git.kernel.org/stable/c/80cd0487f630b5382734997c3e5e3003a77db315" + }, + { + "url": "https://git.kernel.org/linus/62e7151ae3eb465e0ab52a20c941ff33bb6332e9(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27415" + } + ], + "bom-ref": "vuln-393", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27415" + } + } + ], + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: bridge: confirm multicast packets before passing them up the stack\n\nconntrack nf_confirm logic cannot handle cloned skbs referencing\nthe same nf_conn entry, which will happen for multicast (broadcast)\nframes on bridges.\n\n Example:\n macvlan0\n |\n br0\n / \\\n ethX ethY\n\n ethX (or Y) receives a L2 multicast or broadcast packet containing\n an IP packet, flow is not yet in conntrack table.\n\n 1. skb passes through bridge and fake-ip (br_netfilter)Prerouting.\n -> skb->_nfct now references a unconfirmed entry\n 2. skb is broad/mcast packet. bridge now passes clones out on each bridge\n interface.\n 3. skb gets passed up the stack.\n 4. In macvlan case, macvlan driver retains clone(s) of the mcast skb\n and schedules a work queue to send them out on the lower devices.\n\n The clone skb->_nfct is not a copy, it is the same entry as the\n original skb. The macvlan rx handler then returns RX_HANDLER_PASS.\n 5. Normal conntrack hooks (in NF_INET_LOCAL_IN) confirm the orig skb.\n\nThe Macvlan broadcast worker and normal confirm path will race.\n\nThis race will not happen if step 2 already confirmed a clone. In that\ncase later steps perform skb_clone() with skb->_nfct already confirmed (in\nhash table). This works fine.\n\nBut such confirmation won't happen when eb/ip/nftables rules dropped the\npackets before they reached the nf_confirm step in postrouting.\n\nPablo points out that nf_conntrack_bridge doesn't allow use of stateful\nnat, so we can safely discard the nf_conn entry and let inet call\nconntrack again.\n\nThis doesn't work for bridge netfilter: skb could have a nat\ntransformation. Also bridge nf prevents re-invocation of inet prerouting\nvia 'sabotage_in' hook.\n\nWork around this problem by explicit confirmation of the entry at LOCAL_IN\ntime, before upper layer has a chance to clone the unconfirmed entry.\n\nThe downside is that this disables NAT and conntrack helpers.\n\nAlternative fix would be to add locking to all code parts that deal with\nunconfirmed packets, but even if that could be done in a sane way this\nopens up other problems, for example:\n\n-m physdev --physdev-out eth0 -j SNAT --snat-to 1.2.3.4\n-m physdev --physdev-out eth1 -j SNAT --snat-to 1.2.3.5\n\nFor multicast case, only one of such conflicting mappings will be\ncreated, conntrack only handles 1:1 NAT mappings.\n\nUsers should set create a setup that explicitly marks such traffic\nNOTRACK (conntrack bypass) to avoid this, but we cannot auto-bypass\nthem, ruleset might have accept rules for untracked traffic already,\nso user-visible behaviour would change.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27415", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27415" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f976eca36cdf94e32fa4f865db0e7c427c9aa33c" + }, + { + "url": "https://git.kernel.org/stable/c/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be" + }, + { + "url": "https://git.kernel.org/stable/c/023b6390a15a98f9c3aa5e7da78d485d5384a08e" + }, + { + "url": "https://git.kernel.org/stable/c/9edd3aa34d50f27b97be30b2ba4a6af0945ff56b" + }, + { + "url": "https://git.kernel.org/stable/c/47533176fdcef17b114a6f688bc872901c1ec6bb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35989" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f221033f5c24659dc6ad7e5cf18fb1b075f4a8be(6.9-rc6)" + } + ], + "bom-ref": "vuln-394", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35989" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CPU platforms\n\nDuring the removal of the idxd driver, registered offline callback is\ninvoked as part of the clean up process. However, on systems with only\none CPU online, no valid target is available to migrate the\nperf context, resulting in a kernel oops:\n\n BUG: unable to handle page fault for address: 000000000002a2b8\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1470e1067 P4D 0\n Oops: 0002 [#1] PREEMPT SMP NOPTI\n CPU: 0 PID: 20 Comm: cpuhp/0 Not tainted 6.8.0-rc6-dsa+ #57\n Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n RIP: 0010:mutex_lock+0x2e/0x50\n ...\n Call Trace:\n \n __die+0x24/0x70\n page_fault_oops+0x82/0x160\n do_user_addr_fault+0x65/0x6b0\n __pfx___rdmsr_safe_on_cpu+0x10/0x10\n exc_page_fault+0x7d/0x170\n asm_exc_page_fault+0x26/0x30\n mutex_lock+0x2e/0x50\n mutex_lock+0x1e/0x50\n perf_pmu_migrate_context+0x87/0x1f0\n perf_event_cpu_offline+0x76/0x90 [idxd]\n cpuhp_invoke_callback+0xa2/0x4f0\n __pfx_perf_event_cpu_offline+0x10/0x10 [idxd]\n cpuhp_thread_fun+0x98/0x150\n smpboot_thread_fn+0x27/0x260\n smpboot_thread_fn+0x1af/0x260\n __pfx_smpboot_thread_fn+0x10/0x10\n kthread+0x103/0x140\n __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x50\n __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\nFix the issue by preventing the migration of the perf context to an\ninvalid target.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35989", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35989" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368" + }, + { + "url": "https://git.kernel.org/stable/c/33713945cc92ea9c4a1a9479d5c1b7acb7fc4df3" + }, + { + "url": "https://git.kernel.org/stable/c/330d22aba17a4d30a56f007d0f51291d7e00862b" + }, + { + "url": "https://git.kernel.org/stable/c/d31b886ed6a5095214062ee4fb55037eb930adb6" + }, + { + "url": "https://git.kernel.org/linus/3caf2b2ad7334ef35f55b95f3e1b138c6f77b368(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26919" + } + ], + "bom-ref": "vuln-395", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26919" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: ulpi: Fix debugfs directory leak\n\nThe ULPI per-device debugfs root is named after the ulpi device's\nparent, but ulpi_unregister_interface tries to remove a debugfs\ndirectory named after the ulpi device itself. This results in the\ndirectory sticking around and preventing subsequent (deferred) probes\nfrom succeeding. Change the directory name to match the ulpi device.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26919", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26919" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/08044b08b37528b82f70a87576c692b4e4b7716e" + }, + { + "url": "https://git.kernel.org/stable/c/22943e4fe4b3a2dcbadc3d38d5bf840bbdbfe374" + }, + { + "url": "https://git.kernel.org/stable/c/453b5f2dec276c1bb4ea078bf8c0da57ee4627e5" + }, + { + "url": "https://git.kernel.org/stable/c/99485c4c026f024e7cb82da84c7951dbe3deb584" + }, + { + "url": "https://git.kernel.org/linus/99485c4c026f024e7cb82da84c7951dbe3deb584(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35875" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-396", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35875" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/coco: Require seeding RNG with RDRAND on CoCo systems\n\nThere are few uses of CoCo that don't rely on working cryptography and\nhence a working RNG. Unfortunately, the CoCo threat model means that the\nVM host cannot be trusted and may actively work against guests to\nextract secrets or manipulate computation. Since a malicious host can\nmodify or observe nearly all inputs to guests, the only remaining source\nof entropy for CoCo guests is RDRAND.\n\nIf RDRAND is broken -- due to CPU hardware fault -- the RNG as a whole\nis meant to gracefully continue on gathering entropy from other sources,\nbut since there aren't other sources on CoCo, this is catastrophic.\nThis is mostly a concern at boot time when initially seeding the RNG, as\nafter that the consequences of a broken RDRAND are much more\ntheoretical.\n\nSo, try at boot to seed the RNG using 256 bits of RDRAND output. If this\nfails, panic(). This will also trigger if the system is booted without\nRDRAND, as RDRAND is essential for a safe CoCo boot.\n\nAdd this deliberately to be \"just a CoCo x86 driver feature\" and not\npart of the RNG itself. Many device drivers and platforms have some\ndesire to contribute something to the RNG, and add_device_randomness()\nis specifically meant for this purpose.\n\nAny driver can call it with seed data of any quality, or even garbage\nquality, and it can only possibly make the quality of the RNG better or\nhave no effect, but can never make it worse.\n\nRather than trying to build something into the core of the RNG, consider\nthe particular CoCo issue just a CoCo issue, and therefore separate it\nall out into driver (well, arch/platform) code.\n\n [ bp: Massage commit message. ]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35875", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35875" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e421946be7d9bf545147bea8419ef8239cb7ca52" + }, + { + "url": "https://git.kernel.org/stable/c/84246c35ca34207114055a87552a1c4289c8fd7e" + }, + { + "url": "https://git.kernel.org/stable/c/6db07619d173765bd8622d63809cbfe361f04207" + }, + { + "url": "https://git.kernel.org/stable/c/df6e2088c6f4cad539cf67cba2d6764461e798d1" + }, + { + "url": "https://git.kernel.org/stable/c/99f1abc34a6dde248d2219d64aa493c76bbdd9eb" + }, + { + "url": "https://git.kernel.org/stable/c/1d11dd3ea5d039c7da089f309f39c4cd363b924b" + }, + { + "url": "https://git.kernel.org/stable/c/f329523f6a65c3bbce913ad35473d83a319d5d99" + }, + { + "url": "https://git.kernel.org/stable/c/cd36da760bd1f78c63c7078407baf01dd724f313" + }, + { + "url": "https://git.kernel.org/linus/e421946be7d9bf545147bea8419ef8239cb7ca52(6.8-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26777" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-397", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26777" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: sis: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nIn sisfb_check_var(), var->pixclock is used as a divisor to caculate\ndrate before it is checked against zero. Fix this by checking it\nat the beginning.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26777", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26777" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c3311694b9bcced233548574d414c91d39214684" + }, + { + "url": "https://git.kernel.org/stable/c/8a430dd49e9cb021372b0ad91e60aeef9c6ced00" + }, + { + "url": "https://git.kernel.org/stable/c/82704e598d7b33c7e45526e34d3c585426319bed" + }, + { + "url": "https://git.kernel.org/stable/c/57e8b17d0522c8f4daf0c4d9969b4d7358033532" + }, + { + "url": "https://git.kernel.org/stable/c/e54cce8137258a550b49cae45d09e024821fb28d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27035" + }, + { + "url": "https://git.kernel.org/linus/8a430dd49e9cb021372b0ad91e60aeef9c6ced00(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-398", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27035" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix to guarantee persisting compressed blocks by CP\n\nIf data block in compressed cluster is not persisted with metadata\nduring checkpoint, after SPOR, the data may be corrupted, let's\nguarantee to write compressed page by checkpoint.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27035", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27035" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1a770927dc1d642b22417c3e668c871689fc58b3" + }, + { + "url": "https://git.kernel.org/stable/c/afdd29726a6de4ba27cd15590661424c888dc596" + }, + { + "url": "https://git.kernel.org/stable/c/d9fefc51133107e59d192d773be86c1150cfeebb" + }, + { + "url": "https://git.kernel.org/stable/c/0e296067ae0d74a10b4933601f9aa9f0ec8f157f" + }, + { + "url": "https://git.kernel.org/stable/c/8d95465d9a424200485792858c5b3be54658ce19" + }, + { + "url": "https://git.kernel.org/stable/c/37fe99016b12d32100ce670216816dba6c48b309" + }, + { + "url": "https://git.kernel.org/stable/c/06e456a05d669ca30b224b8ed962421770c1496c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26855" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/06e456a05d669ca30b224b8ed962421770c1496c(6.8)" + } + ], + "bom-ref": "vuln-399", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26855" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()\n\nThe function ice_bridge_setlink() may encounter a NULL pointer dereference\nif nlmsg_find_attr() returns NULL and br_spec is dereferenced subsequently\nin nla_for_each_nested(). To address this issue, add a check to ensure that\nbr_spec is not NULL before proceeding with the nested attribute iteration.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26855", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26855" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/61a348857e869432e6a920ad8ea9132e8d44c316" + }, + { + "url": "https://git.kernel.org/stable/c/57e2e42ccd3cd6183228269715ed032f44536751" + }, + { + "url": "https://git.kernel.org/stable/c/88936ceab6b426f1312327e9ef849c215c6007a7" + }, + { + "url": "https://git.kernel.org/stable/c/c7ebd8149ee519d27232e6e4940e9c02071b568b" + }, + { + "url": "https://git.kernel.org/stable/c/36695d5eeeefe5a64b47d0336e7c8fc144e78182" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26715" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/61a348857e869432e6a920ad8ea9132e8d44c316(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-400", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26715" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: gadget: Fix NULL pointer dereference in dwc3_gadget_suspend\n\nIn current scenario if Plug-out and Plug-In performed continuously\nthere could be a chance while checking for dwc->gadget_driver in\ndwc3_gadget_suspend, a NULL pointer dereference may occur.\n\nCall Stack:\n\n\tCPU1: CPU2:\n\tgadget_unbind_driver dwc3_suspend_common\n\tdwc3_gadget_stop dwc3_gadget_suspend\n dwc3_disconnect_gadget\n\nCPU1 basically clears the variable and CPU2 checks the variable.\nConsider CPU1 is running and right before gadget_driver is cleared\nand in parallel CPU2 executes dwc3_gadget_suspend where it finds\ndwc->gadget_driver which is not NULL and resumes execution and then\nCPU1 completes execution. CPU2 executes dwc3_disconnect_gadget where\nit checks dwc->gadget_driver is already NULL because of which the\nNULL pointer deference occur.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26715", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26715" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0fcf7e219448e937681216353c9a58abae6d3c2e" + }, + { + "url": "https://git.kernel.org/stable/c/98c7ed29cd754ae7475dc7cb3f33399fda902729" + }, + { + "url": "https://git.kernel.org/stable/c/60ab245292280905603bc0d3654f4cf8fceccb00" + }, + { + "url": "https://git.kernel.org/stable/c/8094a600245e9b28eb36a13036f202ad67c1f887" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35999" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8094a600245e9b28eb36a13036f202ad67c1f887(6.9-rc6)" + } + ], + "bom-ref": "vuln-401", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35999" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb3: missing lock when picking channel\n\nCoverity spotted a place where we should have been holding the\nchannel lock when accessing the ses channel index.\n\nAddresses-Coverity: 1582039 (\"Data race condition (MISSING_LOCK)\")", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35999", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35999" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8b69c30f4e8b69131d92096cb296dc1f217101e4" + }, + { + "url": "https://git.kernel.org/stable/c/d49270a04623ce3c0afddbf3e984cb245aa48e9c" + }, + { + "url": "https://git.kernel.org/stable/c/2a37905d47bffec61e95d99f0c1cc5dc6377956c" + }, + { + "url": "https://git.kernel.org/stable/c/a63e48cd835c34c38ef671d344cc029b1ea5bf10" + }, + { + "url": "https://git.kernel.org/stable/c/cd40e43f870cf21726b22487a95ed223790b3542" + }, + { + "url": "https://git.kernel.org/stable/c/0593cfd321df9001142a9d2c58d4144917dff7ee" + }, + { + "url": "https://git.kernel.org/stable/c/75b0f71b26b3ad833c5c0670109c0af6e021e86a" + }, + { + "url": "https://git.kernel.org/stable/c/e9f6ac50890104fdf8194f2865680689239d30fb" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/d49270a04623ce3c0afddbf3e984cb245aa48e9c(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52619" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-402", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52619" + } + } + ], + "created": "2024-03-18T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore/ram: Fix crash when setting number of cpus to an odd number\n\nWhen the number of cpu cores is adjusted to 7 or other odd numbers,\nthe zone size will become an odd number.\nThe address of the zone will become:\n addr of zone0 = BASE\n addr of zone1 = BASE + zone_size\n addr of zone2 = BASE + zone_size*2\n ...\nThe address of zone1/3/5/7 will be mapped to non-alignment va.\nEventually crashes will occur when accessing these va.\n\nSo, use ALIGN_DOWN() to make sure the zone size is even\nto avoid this bug.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52619", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52619" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/50c2037fc28df870ef29d9728c770c8955d32178" + }, + { + "url": "https://git.kernel.org/stable/c/bfab2c1f7940a232cd519e82fff137e308abfd93" + }, + { + "url": "https://git.kernel.org/stable/c/1b33d55fb7355e27f8c82cd4ecd560f162469249" + }, + { + "url": "https://git.kernel.org/stable/c/3212afd00e3cda790fd0583cb3eaef8f9575a014" + }, + { + "url": "https://git.kernel.org/stable/c/6a18eeb1b3bbc67c20d9609c31dca6a69b4bcde5" + }, + { + "url": "https://git.kernel.org/stable/c/33a6e92161a78c1073d90e27abe28d746feb0a53" + }, + { + "url": "https://git.kernel.org/stable/c/483bc08181827fc475643272ffb69c533007e546" + }, + { + "url": "https://git.kernel.org/stable/c/012363cb1bec5f33a7b94629ab2c1086f30280f2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27398" + }, + { + "url": "https://git.kernel.org/linus/483bc08181827fc475643272ffb69c533007e546(6.9)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-403", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27398" + } + } + ], + "created": "2024-05-14T15:12:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_sock_timeout\n\nWhen the sco connection is established and then, the sco socket\nis releasing, timeout_work will be scheduled to judge whether\nthe sco disconnection is timeout. The sock will be deallocated\nlater, but it is dereferenced again in sco_sock_timeout. As a\nresult, the use-after-free bugs will happen. The root cause is\nshown below:\n\n Cleanup Thread | Worker Thread\nsco_sock_release |\n sco_sock_close |\n __sco_sock_close |\n sco_sock_set_timer |\n schedule_delayed_work |\n sco_sock_kill | (wait a time)\n sock_put(sk) //FREE | sco_sock_timeout\n | sock_hold(sk) //USE\n\nThe KASAN report triggered by POC is shown below:\n\n[ 95.890016] ==================================================================\n[ 95.890496] BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] Write of size 4 at addr ffff88800c388080 by task kworker/0:0/7\n...\n[ 95.890755] Workqueue: events sco_sock_timeout\n[ 95.890755] Call Trace:\n[ 95.890755] \n[ 95.890755] dump_stack_lvl+0x45/0x110\n[ 95.890755] print_address_description+0x78/0x390\n[ 95.890755] print_report+0x11b/0x250\n[ 95.890755] ? __virt_addr_valid+0xbe/0xf0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_report+0x139/0x170\n[ 95.890755] ? update_load_avg+0xe5/0x9f0\n[ 95.890755] ? sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] kasan_check_range+0x2c3/0x2e0\n[ 95.890755] sco_sock_timeout+0x5e/0x1c0\n[ 95.890755] process_one_work+0x561/0xc50\n[ 95.890755] worker_thread+0xab2/0x13c0\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] kthread+0x279/0x300\n[ 95.890755] ? pr_cont_work+0x490/0x490\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork+0x34/0x60\n[ 95.890755] ? kthread_blkcg+0xa0/0xa0\n[ 95.890755] ret_from_fork_asm+0x11/0x20\n[ 95.890755] \n[ 95.890755]\n[ 95.890755] Allocated by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] __kasan_kmalloc+0x86/0x90\n[ 95.890755] __kmalloc+0x17f/0x360\n[ 95.890755] sk_prot_alloc+0xe1/0x1a0\n[ 95.890755] sk_alloc+0x31/0x4e0\n[ 95.890755] bt_sock_alloc+0x2b/0x2a0\n[ 95.890755] sco_sock_create+0xad/0x320\n[ 95.890755] bt_sock_create+0x145/0x320\n[ 95.890755] __sock_create+0x2e1/0x650\n[ 95.890755] __sys_socket+0xd0/0x280\n[ 95.890755] __x64_sys_socket+0x75/0x80\n[ 95.890755] do_syscall_64+0xc4/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] Freed by task 506:\n[ 95.890755] kasan_save_track+0x3f/0x70\n[ 95.890755] kasan_save_free_info+0x40/0x50\n[ 95.890755] poison_slab_object+0x118/0x180\n[ 95.890755] __kasan_slab_free+0x12/0x30\n[ 95.890755] kfree+0xb2/0x240\n[ 95.890755] __sk_destruct+0x317/0x410\n[ 95.890755] sco_sock_release+0x232/0x280\n[ 95.890755] sock_close+0xb2/0x210\n[ 95.890755] __fput+0x37f/0x770\n[ 95.890755] task_work_run+0x1ae/0x210\n[ 95.890755] get_signal+0xe17/0xf70\n[ 95.890755] arch_do_signal_or_restart+0x3f/0x520\n[ 95.890755] syscall_exit_to_user_mode+0x55/0x120\n[ 95.890755] do_syscall_64+0xd1/0x1b0\n[ 95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the object at ffff88800c388000\n[ 95.890755] which belongs to the cache kmalloc-1k of size 1024\n[ 95.890755] The buggy address is located 128 bytes inside of\n[ 95.890755] freed 1024-byte region [ffff88800c388000, ffff88800c388400)\n[ 95.890755]\n[ 95.890755] The buggy address belongs to the physical page:\n[ 95.890755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800 pfn:0xc388\n[ 95.890755] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n[ 95.890755] ano\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/41d8ac238ab1cab01a8c71798d61903304f4e79b" + }, + { + "url": "https://git.kernel.org/stable/c/343081c21e56bd6690d342e2f5ae8c00183bf081" + }, + { + "url": "https://git.kernel.org/stable/c/529e1852785599160415e964ca322ee7add7aef0" + }, + { + "url": "https://git.kernel.org/stable/c/a69e1bdd777ce51061111dc419801e8a2fd241cc" + }, + { + "url": "https://git.kernel.org/stable/c/3c718bddddca9cbef177ac475b94c5c91147fb38" + }, + { + "url": "https://git.kernel.org/stable/c/ba3c118cff7bcb0fe6aa84ae1f9080d50e31c561" + }, + { + "url": "https://git.kernel.org/stable/c/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c" + }, + { + "url": "https://git.kernel.org/stable/c/a66c869b17c4c4dcf81d273b02cb0efe88e127ab" + }, + { + "url": "https://git.kernel.org/linus/00e7d3bea2ce7dac7bee1cf501fb071fd0ea8f6c(6.9-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35947" + } + ], + "bom-ref": "vuln-404", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35947" + } + } + ], + "created": "2024-05-19T12:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndyndbg: fix old BUG_ON in >control parser\n\nFix a BUG_ON from 2009. Even if it looks \"unreachable\" (I didn't\nreally look), lets make sure by removing it, doing pr_err and return\n-EINVAL instead.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35947", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35947" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/41425f96d7aa59bc865f60f5dda3d7697b555677" + }, + { + "url": "https://git.kernel.org/stable/c/a8d249d770cb357d16a2097b548d2e4c1c137304" + }, + { + "url": "https://git.kernel.org/stable/c/5943a34bf6bab5801e08a55f63e1b8d5bc90dae1" + }, + { + "url": "https://git.kernel.org/linus/41425f96d7aa59bc865f60f5dda3d7697b555677(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26962" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-405", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26962" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-raid456, md/raid456: fix a deadlock for dm-raid456 while io concurrent with reshape\n\nFor raid456, if reshape is still in progress, then IO across reshape\nposition will wait for reshape to make progress. However, for dm-raid,\nin following cases reshape will never make progress hence IO will hang:\n\n1) the array is read-only;\n2) MD_RECOVERY_WAIT is set;\n3) MD_RECOVERY_FROZEN is set;\n\nAfter commit c467e97f079f (\"md/raid6: use valid sector values to determine\nif an I/O should wait on the reshape\") fix the problem that IO across\nreshape position doesn't wait for reshape, the dm-raid test\nshell/lvconvert-raid-reshape.sh start to hang:\n\n[root@fedora ~]# cat /proc/979/stack\n[<0>] wait_woken+0x7d/0x90\n[<0>] raid5_make_request+0x929/0x1d70 [raid456]\n[<0>] md_handle_request+0xc2/0x3b0 [md_mod]\n[<0>] raid_map+0x2c/0x50 [dm_raid]\n[<0>] __map_bio+0x251/0x380 [dm_mod]\n[<0>] dm_submit_bio+0x1f0/0x760 [dm_mod]\n[<0>] __submit_bio+0xc2/0x1c0\n[<0>] submit_bio_noacct_nocheck+0x17f/0x450\n[<0>] submit_bio_noacct+0x2bc/0x780\n[<0>] submit_bio+0x70/0xc0\n[<0>] mpage_readahead+0x169/0x1f0\n[<0>] blkdev_readahead+0x18/0x30\n[<0>] read_pages+0x7c/0x3b0\n[<0>] page_cache_ra_unbounded+0x1ab/0x280\n[<0>] force_page_cache_ra+0x9e/0x130\n[<0>] page_cache_sync_ra+0x3b/0x110\n[<0>] filemap_get_pages+0x143/0xa30\n[<0>] filemap_read+0xdc/0x4b0\n[<0>] blkdev_read_iter+0x75/0x200\n[<0>] vfs_read+0x272/0x460\n[<0>] ksys_read+0x7a/0x170\n[<0>] __x64_sys_read+0x1c/0x30\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nThis is because reshape can't make progress.\n\nFor md/raid, the problem doesn't exist because register new sync_thread\ndoesn't rely on the IO to be done any more:\n\n1) If array is read-only, it can switch to read-write by ioctl/sysfs;\n2) md/raid never set MD_RECOVERY_WAIT;\n3) If MD_RECOVERY_FROZEN is set, mddev_suspend() doesn't hold\n 'reconfig_mutex', hence it can be cleared and reshape can continue by\n sysfs api 'sync_action'.\n\nHowever, I'm not sure yet how to avoid the problem in dm-raid yet. This\npatch on the one hand make sure raid_message() can't change\nsync_thread() through raid_message() after presuspend(), on the other\nhand detect the above 3 cases before wait for IO do be done in\ndm_suspend(), and let dm-raid requeue those IO.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26962", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26962" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0d8a1df39d3fc34560e2cc663b5c340d06a25396" + }, + { + "url": "https://git.kernel.org/stable/c/96312a251d4dcee5d36e32edba3002bfde0ddd9c" + }, + { + "url": "https://git.kernel.org/stable/c/b0b0d811eac6b4c52cb9ad632fa6384cf48869e7" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-406", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/mediatek: Fix coverity issue with unintentional integer overflow\n\n1. Instead of multiplying 2 variable of different types. Change to\nassign a value of one variable and then multiply the other variable.\n\n2. Add a int variable for multiplier calculation instead of calculating\ndifferent types multiplier with dma_addr_t variable directly.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52857" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c6f1ca235f68b22b3e691b2ea87ac285e5946848" + }, + { + "url": "https://git.kernel.org/stable/c/bd97cea7b18a0a553773af806dfbfac27a7c4acb" + }, + { + "url": "https://git.kernel.org/stable/c/635d79aa477f9912e602feb5498bdd51fb9cb824" + }, + { + "url": "https://git.kernel.org/stable/c/b2e4a5266e3d133b4c7f0e43bf40d13ce14fd1aa" + }, + { + "url": "https://git.kernel.org/stable/c/0ae8ad0013978f7471f22bcf45b027393e87f5dc" + }, + { + "url": "https://git.kernel.org/linus/bd97cea7b18a0a553773af806dfbfac27a7c4acb(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26838" + } + ], + "bom-ref": "vuln-407", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26838" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Fix KASAN issue with tasklet\n\nKASAN testing revealed the following issue assocated with freeing an IRQ.\n\n[50006.466686] Call Trace:\n[50006.466691] \n[50006.489538] dump_stack+0x5c/0x80\n[50006.493475] print_address_description.constprop.6+0x1a/0x150\n[50006.499872] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.505742] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.511644] kasan_report.cold.11+0x7f/0x118\n[50006.516572] ? irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.522473] irdma_sc_process_ceq+0x483/0x790 [irdma]\n[50006.528232] irdma_process_ceq+0xb2/0x400 [irdma]\n[50006.533601] ? irdma_hw_flush_wqes_callback+0x370/0x370 [irdma]\n[50006.540298] irdma_ceq_dpc+0x44/0x100 [irdma]\n[50006.545306] tasklet_action_common.isra.14+0x148/0x2c0\n[50006.551096] __do_softirq+0x1d0/0xaf8\n[50006.555396] irq_exit_rcu+0x219/0x260\n[50006.559670] irq_exit+0xa/0x20\n[50006.563320] smp_apic_timer_interrupt+0x1bf/0x690\n[50006.568645] apic_timer_interrupt+0xf/0x20\n[50006.573341] \n\nThe issue is that a tasklet could be pending on another core racing\nthe delete of the irq.\n\nFix by insuring any scheduled tasklet is killed after deleting the\nirq.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26838", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26838" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/65e6a2773d655172143cc0b927cdc89549842895" + }, + { + "url": "https://git.kernel.org/stable/c/3e7d82ebb86e94643bdb30b0b5b077ed27dce1c2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27072" + }, + { + "url": "https://git.kernel.org/linus/65e6a2773d655172143cc0b927cdc89549842895(6.9-rc1)" + } + ], + "bom-ref": "vuln-408", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27072" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: usbtv: Remove useless locks in usbtv_video_free()\n\nRemove locks calls in usbtv_video_free() because\nare useless and may led to a deadlock as reported here:\nhttps://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000\nAlso remove usbtv_stop() call since it will be called when\nunregistering the device.\n\nBefore 'c838530d230b' this issue would only be noticed if you\ndisconnect while streaming and now it is noticeable even when\ndisconnecting while not streaming.\n\n\n[hverkuil: fix minor spelling mistake in log message]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27072", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27072" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html" + }, + { + "url": "https://www.postgresql.org/support/security/CVE-2024-0985/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1071" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1070" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1195" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPOSTGRESQL13-2024-006.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPOSTGRESQL12-2024-009.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6656-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1428" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0956" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1429" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0990" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1422" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0992" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1069" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0950" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0973" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0951" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPOSTGRESQL12-2024-008.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0974" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1426" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0975" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1348" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1240" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1241" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-547.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPOSTGRESQL14-2024-006.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6656-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0988" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0985" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1314" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1017" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASPOSTGRESQL14-2024-007.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1437" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1315" + } + ], + "bom-ref": "vuln-409", + "ratings": [ + { + "severity": "none", + "score": 0.0005, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0985" + } + }, + { + "severity": "high", + "score": 8.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0985" + } + } + ], + "created": "2024-02-08T13:15:08Z", + "description": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.", + "affects": [ + { + "ref": "comp-283" + } + ], + "id": "CVE-2024-0985", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0985" + }, + "cwes": [ + 271 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-18T17:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-283", + "value": "0:15.6-0+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.oracle.com/security-alerts/cpuapr2024.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069189" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-21096" + } + ], + "bom-ref": "vuln-410", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21096" + } + }, + { + "severity": "medium", + "score": 4.9, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21096" + } + } + ], + "created": "2024-04-16T22:15:30Z", + "description": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server accessible data as well as unauthorized read access to a subset of MySQL Server accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).", + "affects": [ + { + "ref": "comp-192" + } + ], + "id": "CVE-2024-21096", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21096" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-26T09:15:11Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4f97e6a9d62cb1fce82fbf4baff44b83221bc178" + }, + { + "url": "https://git.kernel.org/stable/c/a80a486d72e20bd12c335bcd38b6e6f19356b0aa" + }, + { + "url": "https://git.kernel.org/stable/c/3b8da67191e938a63d2736dabb4ac5d337e5de57" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26954" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a80a486d72e20bd12c335bcd38b6e6f19356b0aa(6.9-rc1)" + } + ], + "bom-ref": "vuln-411", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26954" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()\n\nIf ->NameOffset of smb2_create_req is smaller than Buffer offset of\nsmb2_create_req, slab-out-of-bounds read can happen from smb2_open.\nThis patch set the minimum value of the name offset to the buffer offset\nto validate name length of smb2_create_req().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26954", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26954" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/04d9d1fc428ac9f581d55118d67e0cb546701feb" + }, + { + "url": "https://git.kernel.org/stable/c/1b20e61d36f490319d3fbdedd410155232ab5190" + }, + { + "url": "https://git.kernel.org/stable/c/86d9b040421bbd26425f5a3edc226f57ecdecbfe" + }, + { + "url": "https://git.kernel.org/stable/c/856baaa100cd288d3685eedae9a129c996e7e755" + }, + { + "url": "https://git.kernel.org/stable/c/ad105cde6b261b8b05ec872fe7d1987417d7fe5a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26864" + }, + { + "url": "https://git.kernel.org/linus/04d9d1fc428ac9f581d55118d67e0cb546701feb(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-412", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26864" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix refcnt handling in __inet_hash_connect().\n\nsyzbot reported a warning in sk_nulls_del_node_init_rcu().\n\nThe commit 66b60b0c8c4a (\"dccp/tcp: Unhash sk from ehash for tb2 alloc\nfailure after check_estalblished().\") tried to fix an issue that an\nunconnected socket occupies an ehash entry when bhash2 allocation fails.\n\nIn such a case, we need to revert changes done by check_established(),\nwhich does not hold refcnt when inserting socket into ehash.\n\nSo, to revert the change, we need to __sk_nulls_add_node_rcu() instead\nof sk_nulls_add_node_rcu().\n\nOtherwise, sock_put() will cause refcnt underflow and leak the socket.\n\n[0]:\nWARNING: CPU: 0 PID: 23948 at include/net/sock.h:799 sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799\nModules linked in:\nCPU: 0 PID: 23948 Comm: syz-executor.2 Not tainted 6.8.0-rc6-syzkaller-00159-gc055fc00c07b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nRIP: 0010:sk_nulls_del_node_init_rcu+0x166/0x1a0 include/net/sock.h:799\nCode: e8 7f 71 c6 f7 83 fb 02 7c 25 e8 35 6d c6 f7 4d 85 f6 0f 95 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 1b 6d c6 f7 90 <0f> 0b 90 eb b2 e8 10 6d c6 f7 4c 89 e7 be 04 00 00 00 e8 63 e7 d2\nRSP: 0018:ffffc900032d7848 EFLAGS: 00010246\nRAX: ffffffff89cd0035 RBX: 0000000000000001 RCX: 0000000000040000\nRDX: ffffc90004de1000 RSI: 000000000003ffff RDI: 0000000000040000\nRBP: 1ffff1100439ac26 R08: ffffffff89ccffe3 R09: 1ffff1100439ac28\nR10: dffffc0000000000 R11: ffffed100439ac29 R12: ffff888021cd6140\nR13: dffffc0000000000 R14: ffff88802a9bf5c0 R15: ffff888021cd6130\nFS: 00007f3b823f16c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f3b823f0ff8 CR3: 000000004674a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n __inet_hash_connect+0x140f/0x20b0 net/ipv4/inet_hashtables.c:1139\n dccp_v6_connect+0xcb9/0x1480 net/dccp/ipv6.c:956\n __inet_stream_connect+0x262/0xf30 net/ipv4/af_inet.c:678\n inet_stream_connect+0x65/0xa0 net/ipv4/af_inet.c:749\n __sys_connect_file net/socket.c:2048 [inline]\n __sys_connect+0x2df/0x310 net/socket.c:2065\n __do_sys_connect net/socket.c:2075 [inline]\n __se_sys_connect net/socket.c:2072 [inline]\n __x64_sys_connect+0x7a/0x90 net/socket.c:2072\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\nRIP: 0033:0x7f3b8167dda9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3b823f10c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 00007f3b817abf80 RCX: 00007f3b8167dda9\nRDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000003\nRBP: 00007f3b823f1120 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001\nR13: 000000000000000b R14: 00007f3b817abf80 R15: 00007ffd3beb57b8\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26864" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/857f56db8c3a71f9871922b6984ff74ad588cb2c" + }, + { + "url": "https://git.kernel.org/stable/c/8ffaa17ccb1eb1b65cf85db63225a3581c303773" + }, + { + "url": "https://git.kernel.org/stable/c/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd" + }, + { + "url": "https://git.kernel.org/stable/c/ead445dd3d681020af333649a27306160eee761d" + }, + { + "url": "https://git.kernel.org/stable/c/0d276d9f335f41d6524258d58c0c0241ef9a83a4" + }, + { + "url": "https://git.kernel.org/linus/f1d71576d2c9ec8fdb822173fa7f3de79475e9bd(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26893" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-413", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26893" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: arm_scmi: Fix double free in SMC transport cleanup path\n\nWhen the generic SCMI code tears down a channel, it calls the chan_free\ncallback function, defined by each transport. Since multiple protocols\nmight share the same transport_info member, chan_free() might want to\nclean up the same member multiple times within the given SCMI transport\nimplementation. In this case, it is SMC transport. This will lead to a NULL\npointer dereference at the second time:\n\n | scmi_protocol scmi_dev.1: Enabled polling mode TX channel - prot_id:16\n | arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.\n | arm-scmi firmware:scmi: unable to communicate with SCMI\n | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n | Mem abort info:\n | ESR = 0x0000000096000004\n | EC = 0x25: DABT (current EL), IL = 32 bits\n | SET = 0, FnV = 0\n | EA = 0, S1PTW = 0\n | FSC = 0x04: level 0 translation fault\n | Data abort info:\n | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n | CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000881ef8000\n | [0000000000000000] pgd=0000000000000000, p4d=0000000000000000\n | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP\n | Modules linked in:\n | CPU: 4 PID: 1 Comm: swapper/0 Not tainted 6.7.0-rc2-00124-g455ef3d016c9-dirty #793\n | Hardware name: FVP Base RevC (DT)\n | pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n | pc : smc_chan_free+0x3c/0x6c\n | lr : smc_chan_free+0x3c/0x6c\n | Call trace:\n | smc_chan_free+0x3c/0x6c\n | idr_for_each+0x68/0xf8\n | scmi_cleanup_channels.isra.0+0x2c/0x58\n | scmi_probe+0x434/0x734\n | platform_probe+0x68/0xd8\n | really_probe+0x110/0x27c\n | __driver_probe_device+0x78/0x12c\n | driver_probe_device+0x3c/0x118\n | __driver_attach+0x74/0x128\n | bus_for_each_dev+0x78/0xe0\n | driver_attach+0x24/0x30\n | bus_add_driver+0xe4/0x1e8\n | driver_register+0x60/0x128\n | __platform_driver_register+0x28/0x34\n | scmi_driver_init+0x84/0xc0\n | do_one_initcall+0x78/0x33c\n | kernel_init_freeable+0x2b8/0x51c\n | kernel_init+0x24/0x130\n | ret_from_fork+0x10/0x20\n | Code: f0004701 910a0021 aa1403e5 97b91c70 (b9400280)\n | ---[ end trace 0000000000000000 ]---\n\nSimply check for the struct pointer being NULL before trying to access\nits members, to avoid this situation.\n\nThis was found when a transport doesn't really work (for instance no SMC\nservice), the probe routines then tries to clean up, and triggers a crash.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26893", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26893" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/25b3498485ac281e5851700e33b97f12c9533fd8" + }, + { + "url": "https://git.kernel.org/stable/c/73224a5d2180066c7fe05b4656647601ba08d588" + }, + { + "url": "https://git.kernel.org/stable/c/9827caa5105fb16d1fae2e75c8d0e4662014b3ca" + }, + { + "url": "https://git.kernel.org/stable/c/bf6e4ee5c43690e4c5a8a057bbcd4ff986bed052" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35986" + }, + { + "url": "https://git.kernel.org/linus/bf6e4ee5c43690e4c5a8a057bbcd4ff986bed052(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-414", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35986" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered\n\nThe power_supply frame-work is not really designed for there to be\nlong living in kernel references to power_supply devices.\n\nSpecifically unregistering a power_supply while some other code has\na reference to it triggers a WARN in power_supply_unregister():\n\n\tWARN_ON(atomic_dec_return(&psy->use_cnt));\n\nFolllowed by the power_supply still getting removed and the\nbacking data freed anyway, leaving the tusb1210 charger-detect code\nwith a dangling reference, resulting in a crash the next time\ntusb1210_get_online() is called.\n\nFix this by only holding the reference in tusb1210_get_online()\nfreeing it at the end of the function. Note this still leaves\na theoretical race window, but it avoids the issue when manually\nrmmod-ing the charger chip driver during development.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35986", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35986" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a585faf0591548fe0920641950ebfa8a6eefe1cd" + }, + { + "url": "https://git.kernel.org/stable/c/52fff5799e3d1b5803ecd2f5f19c13c65f4f7b23" + }, + { + "url": "https://git.kernel.org/stable/c/731ab1f9828800df871c5a7ab9ffe965317d3f15" + }, + { + "url": "https://git.kernel.org/stable/c/6ed6cdbe88334ca3430c5aee7754dc4597498dfb" + }, + { + "url": "https://git.kernel.org/stable/c/0830c5cf19bdec50d0ede4755ddc463663deb21c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52640" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/731ab1f9828800df871c5a7ab9ffe965317d3f15(6.8-rc4)" + } + ], + "bom-ref": "vuln-415", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52640" + } + } + ], + "created": "2024-04-03T17:15:47Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix oob in ntfs_listxattr\n\nThe length of name cannot exceed the space occupied by ea.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52640", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52640" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/edd073c78d2bf48c5b8bf435bbc3d61d6e7c6c14" + }, + { + "url": "https://git.kernel.org/stable/c/5f7fd6aa4c4877d77133ea86c14cf256f390b2fe" + }, + { + "url": "https://git.kernel.org/stable/c/93f52fbeaf4b676b21acfe42a5152620e6770d02" + }, + { + "url": "https://git.kernel.org/stable/c/512a01da7134bac8f8b373506011e8aaa3283854" + }, + { + "url": "https://git.kernel.org/stable/c/b0cb5564c3e8e0ee0a2d28c86fa7f02e82d64c3c" + }, + { + "url": "https://git.kernel.org/stable/c/98ddf2604ade2d954bf5ec193600d5274a43fd68" + }, + { + "url": "https://git.kernel.org/stable/c/6a55dab4ac956deb23690eedd74e70b892a378e7" + }, + { + "url": "https://git.kernel.org/stable/c/21e7d72d0cfcbae6042d498ea2e6f395311767f8" + }, + { + "url": "https://git.kernel.org/linus/93f52fbeaf4b676b21acfe42a5152620e6770d02(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35925" + } + ], + "bom-ref": "vuln-416", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35925" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: prevent division by zero in blk_rq_stat_sum()\n\nThe expression dst->nr_samples + src->nr_samples may\nhave zero value on overflow. It is necessary to add\na check to avoid division by zero.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35925", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35925" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b6eda11c44dc89a681e1c105f0f4660e69b1e183" + }, + { + "url": "https://git.kernel.org/stable/c/83527a13740f57b45f162e3af4c7db4b88521100" + }, + { + "url": "https://git.kernel.org/stable/c/e71cc4a1e584293deafff1a7dea614b0210d0443" + }, + { + "url": "https://git.kernel.org/linus/b6eda11c44dc89a681e1c105f0f4660e69b1e183(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26770" + } + ], + "bom-ref": "vuln-417", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26770" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: nvidia-shield: Add missing null pointer checks to LED initialization\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.\n\n[jkosina@suse.com: tweak changelog a bit]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26770", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26770" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e89386f62ce9a9ab9a94835a9890883c23d9d52c" + }, + { + "url": "https://git.kernel.org/stable/c/22079b3a423382335f47d9ed32114e6c9fe88d7c" + }, + { + "url": "https://git.kernel.org/stable/c/225da02acdc97af01b6bc6ce1a3e5362bf01d3fb" + }, + { + "url": "https://git.kernel.org/stable/c/edf7990baa48de5097daa9ac02e06cb4c798a737" + }, + { + "url": "https://git.kernel.org/stable/c/281d464a34f540de166cee74b723e97ac2515ec3" + }, + { + "url": "https://git.kernel.org/stable/c/c826502bed93970f2fd488918a7b8d5f1d30e2e3" + }, + { + "url": "https://git.kernel.org/stable/c/250051acc21f9d4c5c595e4fcb55986ea08c4691" + }, + { + "url": "https://git.kernel.org/linus/281d464a34f540de166cee74b723e97ac2515ec3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26885" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-418", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26885" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26885" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix DEVMAP_HASH overflow check on 32-bit arches\n\nThe devmap code allocates a number hash buckets equal to the next power\nof two of the max_entries value provided when creating the map. When\nrounding up to the next power of two, the 32-bit variable storing the\nnumber of buckets can overflow, and the code checks for overflow by\nchecking if the truncated 32-bit value is equal to 0. However, on 32-bit\narches the rounding up itself can overflow mid-way through, because it\nends up doing a left-shift of 32 bits on an unsigned long value. If the\nsize of an unsigned long is four bytes, this is undefined behaviour, so\nthere is no guarantee that we'll end up with a nice and tidy 0-value at\nthe end.\n\nSyzbot managed to turn this into a crash on arm32 by creating a\nDEVMAP_HASH with max_entries > 0x80000000 and then trying to update it.\nFix this by moving the overflow check to before the rounding up\noperation.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26885", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26885" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T20:02:49Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6202996a1c1887e83d0b3b0fcd86d0e5e6910ea0" + }, + { + "url": "https://git.kernel.org/stable/c/45f2beda1f1bc3d962ec07db1ccc3197c25499a5" + }, + { + "url": "https://git.kernel.org/stable/c/24a9799aa8efecd0eb55a75e35f9d8e6400063aa" + }, + { + "url": "https://git.kernel.org/linus/24a9799aa8efecd0eb55a75e35f9d8e6400063aa(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35870" + } + ], + "bom-ref": "vuln-419", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35870" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in smb2_reconnect_server()\n\nThe UAF bug is due to smb2_reconnect_server() accessing a session that\nis already being teared down by another thread that is executing\n__cifs_put_smb_ses(). This can happen when (a) the client has\nconnection to the server but no session or (b) another thread ends up\nsetting @ses->ses_status again to something different than\nSES_EXITING.\n\nTo fix this, we need to make sure to unconditionally set\n@ses->ses_status to SES_EXITING and prevent any other threads from\nsetting a new status while we're still tearing it down.\n\nThe following can be reproduced by adding some delay to right after\nthe ipc is freed in __cifs_put_smb_ses() - which will give\nsmb2_reconnect_server() worker a chance to run and then accessing\n@ses->ipc:\n\nkinit ...\nmount.cifs //srv/share /mnt/1 -o sec=krb5,nohandlecache,echo_interval=10\n[disconnect srv]\nls /mnt/1 &>/dev/null\nsleep 30\nkdestroy\n[reconnect srv]\nsleep 10\numount /mnt/1\n...\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\nCIFS: VFS: Verify user has a krb5 ticket and keyutils is installed\nCIFS: VFS: \\\\srv Send error in SessSetup = -126\ngeneral protection fault, probably for non-canonical address\n0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 3 PID: 50 Comm: kworker/3:1 Not tainted 6.9.0-rc2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-1.fc39\n04/01/2014\nWorkqueue: cifsiod smb2_reconnect_server [cifs]\nRIP: 0010:__list_del_entry_valid_or_report+0x33/0xf0\nCode: 4f 08 48 85 d2 74 42 48 85 c9 74 59 48 b8 00 01 00 00 00 00 ad\nde 48 39 c2 74 61 48 b8 22 01 00 00 00 00 74 69 <48> 8b 01 48 39 f8 75\n7b 48 8b 72 08 48 39 c6 0f 85 88 00 00 00 b8\nRSP: 0018:ffffc900001bfd70 EFLAGS: 00010a83\nRAX: dead000000000122 RBX: ffff88810da53838 RCX: 6b6b6b6b6b6b6b6b\nRDX: 6b6b6b6b6b6b6b6b RSI: ffffffffc02f6878 RDI: ffff88810da53800\nRBP: ffff88810da53800 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000001 R12: ffff88810c064000\nR13: 0000000000000001 R14: ffff88810c064000 R15: ffff8881039cc000\nFS: 0000000000000000(0000) GS:ffff888157c00000(0000)\nknlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fe3728b1000 CR3: 000000010caa4000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? die_addr+0x36/0x90\n ? exc_general_protection+0x1c1/0x3f0\n ? asm_exc_general_protection+0x26/0x30\n ? __list_del_entry_valid_or_report+0x33/0xf0\n __cifs_put_smb_ses+0x1ae/0x500 [cifs]\n smb2_reconnect_server+0x4ed/0x710 [cifs]\n process_one_work+0x205/0x6b0\n worker_thread+0x191/0x360\n ? __pfx_worker_thread+0x10/0x10\n kthread+0xe2/0x110\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x34/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35870", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35870" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24225011d81b471acc0e1e315b7d9905459a6304" + }, + { + "url": "https://git.kernel.org/stable/c/9b5b7708ec2be21dd7ef8ca0e3abe4ae9f3b083b" + }, + { + "url": "https://git.kernel.org/stable/c/69d1fe14a680042ec913f22196b58e2c8ff1b007" + }, + { + "url": "https://git.kernel.org/stable/c/a347bc8e6251eaee4b619da28020641eb5b0dd77" + }, + { + "url": "https://git.kernel.org/stable/c/940d41caa71f0d3a52df2fde5fada524a993e331" + }, + { + "url": "https://git.kernel.org/stable/c/e684b1674fd1ca4361812a491242ae871d6b2859" + }, + { + "url": "https://git.kernel.org/stable/c/8b891153b2e4dc0ca9d9dab8f619d49c740813df" + }, + { + "url": "https://git.kernel.org/stable/c/2485bcfe05ee3cf9ca8923a94fa2e456924c79c8" + }, + { + "url": "https://git.kernel.org/linus/24225011d81b471acc0e1e315b7d9905459a6304(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35898" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-420", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35898" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()\n\nnft_unregister_flowtable_type() within nf_flow_inet_module_exit() can\nconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().\nAnd thhere is not any protection when iterate over nf_tables_flowtables\nlist in __nft_flowtable_type_get(). Therefore, there is pertential\ndata-race of nf_tables_flowtables list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_flowtables list\nin __nft_flowtable_type_get(), and use rcu_read_lock() in the caller\nnft_flowtable_type_get() to protect the entire type query process.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35898", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35898" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/012df10717da02367aaf92c65f9c89db206c15f4" + }, + { + "url": "https://git.kernel.org/stable/c/9e0f0430389be7696396c62f037be4bf72cf93e3" + }, + { + "url": "https://git.kernel.org/stable/c/670548c8db44d76e40e1dfc06812bca36a61e9ae" + }, + { + "url": "https://git.kernel.org/stable/c/558b00a30e05753a62ecc7e05e939ca8f0241148" + }, + { + "url": "https://git.kernel.org/stable/c/4c167af9f6b5ae4a5dbc243d5983c295ccc2e43c" + }, + { + "url": "https://git.kernel.org/linus/9e0f0430389be7696396c62f037be4bf72cf93e3(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27403" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-421", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27403" + } + } + ], + "created": "2024-05-17T12:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_flow_offload: reset dst in route object after setting up flow\n\ndst is transferred to the flow object, route object does not own it\nanymore. Reset dst in route object, otherwise if flow_offload_add()\nfails, error path releases dst twice, leading to a refcount underflow.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27403", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27403" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d35b62c224e70797f8a1c37fe9bc4b3e294b7560" + }, + { + "url": "https://git.kernel.org/stable/c/ef7eed7e11d23337310ecc2c014ecaeea52719c5" + }, + { + "url": "https://git.kernel.org/stable/c/8b1e273c6afcf00d3c40a54ada7d6aac1b503b97" + }, + { + "url": "https://git.kernel.org/stable/c/2c02c5059c78a52d170bdee4a369b470de6deb37" + }, + { + "url": "https://git.kernel.org/stable/c/ee413f30ec4fe94a0bdf32c8f042cb06fa913234" + }, + { + "url": "https://git.kernel.org/stable/c/6ebfad33161afacb3e1e59ed1c2feefef70f9f97" + }, + { + "url": "https://git.kernel.org/stable/c/68e84120319d4fc298fcdb14cf0bea6a0f64ffbd" + }, + { + "url": "https://git.kernel.org/stable/c/84c510411e321caff3c07e6cd0f917f06633cfc0" + }, + { + "url": "https://git.kernel.org/linus/6ebfad33161afacb3e1e59ed1c2feefef70f9f97(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26862" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-422", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26862" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npacket: annotate data-races around ignore_outgoing\n\nignore_outgoing is read locklessly from dev_queue_xmit_nit()\nand packet_getsockopt()\n\nAdd appropriate READ_ONCE()/WRITE_ONCE() annotations.\n\nsyzbot reported:\n\nBUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt\n\nwrite to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0:\n packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003\n do_sock_setsockopt net/socket.c:2311 [inline]\n __sys_setsockopt+0x1d8/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340\n do_syscall_64+0xd3/0x1d0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nread to 0xffff888107804542 of 1 bytes by task 27 on cpu 1:\n dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248\n xmit_one net/core/dev.c:3527 [inline]\n dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547\n __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335\n dev_queue_xmit include/linux/netdevice.h:3091 [inline]\n batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108\n batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127\n batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline]\n batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]\n batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700\n process_one_work kernel/workqueue.c:3254 [inline]\n process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335\n worker_thread+0x526/0x730 kernel/workqueue.c:3416\n kthread+0x1d1/0x210 kernel/kthread.c:388\n ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243\n\nvalue changed: 0x00 -> 0x01\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024\nWorkqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26862", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26862" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/18685451fc4e546fc0e718580d32df3c0e5c8272" + }, + { + "url": "https://git.kernel.org/stable/c/7d0567842b78390dd9b60f00f1d8f838d540e325" + }, + { + "url": "https://git.kernel.org/stable/c/e09cbe017311508c21e0739e97198a8388b98981" + }, + { + "url": "https://git.kernel.org/stable/c/f4877225313d474659ee53150ccc3d553a978727" + }, + { + "url": "https://git.kernel.org/linus/18685451fc4e546fc0e718580d32df3c0e5c8272(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26921" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-423", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26921" + } + } + ], + "created": "2024-04-18T10:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninet: inet_defrag: prevent sk release while still in use\n\nip_local_out() and other functions can pass skb->sk as function argument.\n\nIf the skb is a fragment and reassembly happens before such function call\nreturns, the sk must not be released.\n\nThis affects skb fragments reassembled via netfilter or similar\nmodules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline.\n\nEric Dumazet made an initial analysis of this bug. Quoting Eric:\n Calling ip_defrag() in output path is also implying skb_orphan(),\n which is buggy because output path relies on sk not disappearing.\n\n A relevant old patch about the issue was :\n 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\")\n\n [..]\n\n net/ipv4/ip_output.c depends on skb->sk being set, and probably to an\n inet socket, not an arbitrary one.\n\n If we orphan the packet in ipvlan, then downstream things like FQ\n packet scheduler will not work properly.\n\n We need to change ip_defrag() to only use skb_orphan() when really\n needed, ie whenever frag_list is going to be used.\n\nEric suggested to stash sk in fragment queue and made an initial patch.\nHowever there is a problem with this:\n\nIf skb is refragmented again right after, ip_do_fragment() will copy\nhead->sk to the new fragments, and sets up destructor to sock_wfree.\nIOW, we have no choice but to fix up sk_wmem accouting to reflect the\nfully reassembled skb, else wmem will underflow.\n\nThis change moves the orphan down into the core, to last possible moment.\nAs ip_defrag_offset is aliased with sk_buff->sk member, we must move the\noffset into the FRAG_CB, else skb->sk gets clobbered.\n\nThis allows to delay the orphaning long enough to learn if the skb has\nto be queued or if the skb is completing the reasm queue.\n\nIn the former case, things work as before, skb is orphaned. This is\nsafe because skb gets queued/stolen and won't continue past reasm engine.\n\nIn the latter case, we will steal the skb->sk reference, reattach it to\nthe head skb, and fix up wmem accouting when inet_frag inflates truesize.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26921", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26921" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-18T13:04:28Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32465" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-424", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32465" + } + } + ], + "created": "2024-05-14T20:15:14Z", + "description": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-32465", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32465" + }, + "cwes": [ + 22 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-15T16:40:19Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/03b5a9b2b526862b21bcc31976e393a6e63785d1" + }, + { + "url": "https://git.kernel.org/stable/c/8240c7308c941db4d9a0a91b54eca843c616a655" + }, + { + "url": "https://git.kernel.org/stable/c/c71ea3534ec0936fc57e6fb271c7cc6a2f68c295" + }, + { + "url": "https://git.kernel.org/stable/c/7da0f91681c4902bc5c210356fdd963b04d5d1d4" + }, + { + "url": "https://git.kernel.org/stable/c/7a25bfd12733a8f38f8ca47c581f876c3d481ac0" + }, + { + "url": "https://git.kernel.org/stable/c/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36008" + }, + { + "url": "https://git.kernel.org/linus/58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-425", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36008" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: check for NULL idev in ip_route_use_hint()\n\nsyzbot was able to trigger a NULL deref in fib_validate_source()\nin an old tree [1].\n\nIt appears the bug exists in latest trees.\n\nAll calls to __in_dev_get_rcu() must be checked for a NULL result.\n\n[1]\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nCPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425\nCode: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf\nRSP: 0018:ffffc900015fee40 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0\nRDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0\nRBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000\nR10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000\nFS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231\n ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327\n ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]\n ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638\n ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673\n __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]\n __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620\n __netif_receive_skb_list net/core/dev.c:5672 [inline]\n netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764\n netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816\n xdp_recv_frames net/bpf/test_run.c:257 [inline]\n xdp_test_run_batch net/bpf/test_run.c:335 [inline]\n bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363\n bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376\n bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736\n __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115\n __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-36008", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36008" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7d4e19f7ff644c5b79e8271df8ac2e549b436a5b" + }, + { + "url": "https://git.kernel.org/stable/c/2996c7e97ea7cf4c1838a1b1dbc0885934113783" + }, + { + "url": "https://git.kernel.org/stable/c/25675159040bffc7992d5163f3f33ba7d0142f21" + }, + { + "url": "https://git.kernel.org/stable/c/5b8f473c4de95c056c1c767b1ad48c191544f6a5" + }, + { + "url": "https://git.kernel.org/stable/c/6bb22ac1d11d7d20f91e7fd2e657a9e5f6db65e0" + }, + { + "url": "https://git.kernel.org/stable/c/2209fc6e3d7727d787dc6ef9baa1e9eae6b1295b" + }, + { + "url": "https://git.kernel.org/stable/c/94a600226b6d0ef065ee84024b450b566c5a87d6" + }, + { + "url": "https://git.kernel.org/stable/c/977fe773dcc7098d8eaf4ee6382cb51e13e784cb" + }, + { + "url": "https://git.kernel.org/linus/977fe773dcc7098d8eaf4ee6382cb51e13e784cb(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26917" + } + ], + "bom-ref": "vuln-426", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26917" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: Revert \"scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock\"\n\nThis reverts commit 1a1975551943f681772720f639ff42fbaa746212.\n\nThis commit causes interrupts to be lost for FCoE devices, since it changed\nsping locks from \"bh\" to \"irqsave\".\n\nInstead, a work queue should be used, and will be addressed in a separate\ncommit.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26917", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26917" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9759ff196e7d248bcf8386a7451d6ff8537a7d9c" + }, + { + "url": "https://git.kernel.org/stable/c/fa5c055800a7fd49a36bbb52593aca4ea986a366" + }, + { + "url": "https://git.kernel.org/stable/c/e50f83061ac250f90710757a3e51b70a200835e2" + }, + { + "url": "https://git.kernel.org/stable/c/116562e804ffc9dc600adab6326dde31d72262c7" + }, + { + "url": "https://git.kernel.org/stable/c/e7d4cff57c3c43fdd72342c78d4138f509c7416e" + }, + { + "url": "https://git.kernel.org/stable/c/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc" + }, + { + "url": "https://git.kernel.org/stable/c/5f4ad4d0b0943296287313db60b3f84df4aad683" + }, + { + "url": "https://git.kernel.org/stable/c/3d47eb405781cc5127deca9a14e24b27696087a1" + }, + { + "url": "https://git.kernel.org/linus/6e7132ed3c07bd8a6ce3db4bb307ef2852b322dc(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35805" + } + ], + "bom-ref": "vuln-427", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35805" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm snapshot: fix lockup in dm_exception_table_exit\n\nThere was reported lockup when we exit a snapshot with many exceptions.\nFix this by adding \"cond_resched\" to the loop that frees the exceptions.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35805", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35805" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1c62697e4086de988b31124fb8c79c244ea05f2b" + }, + { + "url": "https://git.kernel.org/stable/c/ca2eb375db76fd50f31afdd67d6ca4f833254957" + }, + { + "url": "https://git.kernel.org/stable/c/2a3cfb9a24a28da9cc13d2c525a76548865e182c" + }, + { + "url": "https://git.kernel.org/stable/c/e040f1fbe9abae91b12b074cfc3bbb5367b79811" + }, + { + "url": "https://git.kernel.org/linus/2a3cfb9a24a28da9cc13d2c525a76548865e182c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27041" + } + ], + "bom-ref": "vuln-428", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27041" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix NULL checks for adev->dm.dc in amdgpu_dm_fini()\n\nSince 'adev->dm.dc' in amdgpu_dm_fini() might turn out to be NULL\nbefore the call to dc_enable_dmub_notifications(), check\nbeforehand to ensure there will not be a possible NULL-ptr-deref\nthere.\n\nAlso, since commit 1e88eb1b2c25 (\"drm/amd/display: Drop\nCONFIG_DRM_AMD_DC_HDCP\") there are two separate checks for NULL in\n'adev->dm.dc' before dc_deinit_callbacks() and dc_dmub_srv_destroy().\nClean up by combining them all under one 'if'.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27041", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27041" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e6b90468da4dae2281a6e381107f411efb48b0ef" + }, + { + "url": "https://git.kernel.org/stable/c/0f022d32c3eca477fbf79a205243a6123ed0fe11" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27010" + }, + { + "url": "https://git.kernel.org/linus/0f022d32c3eca477fbf79a205243a6123ed0fe11(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-429", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27010" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Fix mirred deadlock on device recursion\n\nWhen the mirred action is used on a classful egress qdisc and a packet is\nmirrored or redirected to self we hit a qdisc lock deadlock.\nSee trace below.\n\n[..... other info removed for brevity....]\n[ 82.890906]\n[ 82.890906] ============================================\n[ 82.890906] WARNING: possible recursive locking detected\n[ 82.890906] 6.8.0-05205-g77fadd89fe2d-dirty #213 Tainted: G W\n[ 82.890906] --------------------------------------------\n[ 82.890906] ping/418 is trying to acquire lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] but task is already holding lock:\n[ 82.890906] ffff888006994110 (&sch->q.lock){+.-.}-{3:3}, at:\n__dev_queue_xmit+0x1778/0x3550\n[ 82.890906]\n[ 82.890906] other info that might help us debug this:\n[ 82.890906] Possible unsafe locking scenario:\n[ 82.890906]\n[ 82.890906] CPU0\n[ 82.890906] ----\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906] lock(&sch->q.lock);\n[ 82.890906]\n[ 82.890906] *** DEADLOCK ***\n[ 82.890906]\n[..... other info removed for brevity....]\n\nExample setup (eth0->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nAnother example(eth0->eth1->eth0) to recreate\ntc qdisc add dev eth0 root handle 1: htb default 30\ntc filter add dev eth0 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth1\n\ntc qdisc add dev eth1 root handle 1: htb default 30\ntc filter add dev eth1 handle 1: protocol ip prio 2 matchall \\\n action mirred egress redirect dev eth0\n\nWe fix this by adding an owner field (CPU id) to struct Qdisc set after\nroot qdisc is entered. When the softirq enters it a second time, if the\nqdisc owner is the same CPU, the packet is dropped to break the loop.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27010", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27010" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/33f649f1b1cea39ed360e6c12bba4fac83118e6e" + }, + { + "url": "https://git.kernel.org/stable/c/541e79265ea7e339a7c4a462feafe9f8f996e04b" + }, + { + "url": "https://git.kernel.org/stable/c/10c6b90e975358c17856a578419dc449887899c2" + }, + { + "url": "https://git.kernel.org/stable/c/bae67893578d608e35691dcdfa90c4957debf1d3" + }, + { + "url": "https://git.kernel.org/stable/c/b49b022f7dfce85eb77d0d987008fde5c01d7857" + }, + { + "url": "https://git.kernel.org/stable/c/58168005337eabef345a872be3f87d0215ff3b30" + }, + { + "url": "https://git.kernel.org/linus/bae67893578d608e35691dcdfa90c4957debf1d3(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26833" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-430", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26833" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix memory leak in dm_sw_fini()\n\nAfter destroying dmub_srv, the memory associated with it is\nnot freed, causing a memory leak:\n\nunreferenced object 0xffff896302b45800 (size 1024):\n comm \"(udev-worker)\", pid 222, jiffies 4294894636\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace (crc 6265fd77):\n [] kmalloc_trace+0x29d/0x340\n [] dm_dmub_sw_init+0xb4/0x450 [amdgpu]\n [] dm_sw_init+0x15/0x2b0 [amdgpu]\n [] amdgpu_device_init+0x1417/0x24e0 [amdgpu]\n [] amdgpu_driver_load_kms+0x15/0x190 [amdgpu]\n [] amdgpu_pci_probe+0x187/0x4e0 [amdgpu]\n [] local_pci_probe+0x3e/0x90\n [] pci_device_probe+0xc3/0x230\n [] really_probe+0xe2/0x480\n [] __driver_probe_device+0x78/0x160\n [] driver_probe_device+0x1f/0x90\n [] __driver_attach+0xce/0x1c0\n [] bus_for_each_dev+0x70/0xc0\n [] bus_add_driver+0x112/0x210\n [] driver_register+0x55/0x100\n [] do_one_initcall+0x41/0x300\n\nFix this by freeing dmub_srv after destroying it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26833", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26833" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2cfff21732132e363b4cc275d63ea98f1af726c1" + }, + { + "url": "https://git.kernel.org/stable/c/e0e50401cc3921c9eaf1b0e667db174519ea939f" + }, + { + "url": "https://git.kernel.org/stable/c/f9a96a7ad1e8d25dc6662bc7552e0752de74a20d" + }, + { + "url": "https://git.kernel.org/stable/c/7e8360ac8774e19b0b25f44fff84a105bb2417e4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35861" + }, + { + "url": "https://git.kernel.org/linus/e0e50401cc3921c9eaf1b0e667db174519ea939f(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-431", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35861" + } + } + ], + "created": "2024-05-19T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35861", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35861" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8" + }, + { + "url": "https://git.kernel.org/stable/c/62029bc9ff2c17a4e3a2478d83418ec575413808" + }, + { + "url": "https://git.kernel.org/stable/c/d15023fb407337028a654237d8968fefdcf87c2f" + }, + { + "url": "https://git.kernel.org/stable/c/93eb31e7c3399e326259f2caa17be1e821f5a412" + }, + { + "url": "https://git.kernel.org/stable/c/36b57c7d2f8b7de224980f1a284432846ad71ca0" + }, + { + "url": "https://git.kernel.org/stable/c/2df2dd27066cdba8041e46a64362325626bdfb2e" + }, + { + "url": "https://git.kernel.org/stable/c/b5808d40093403334d939e2c3c417144d12a6f33" + }, + { + "url": "https://git.kernel.org/stable/c/5062d1f4f07facbdade0f402d9a04a788f52e26d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35955" + }, + { + "url": "https://git.kernel.org/linus/325f3fb551f8cd672dbbfc4cf58b14f9ee3fc9e8(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-432", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35955" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nkprobes: Fix possible use-after-free issue on kprobe registration\n\nWhen unloading a module, its state is changing MODULE_STATE_LIVE ->\n MODULE_STATE_GOING -> MODULE_STATE_UNFORMED. Each change will take\na time. `is_module_text_address()` and `__module_text_address()`\nworks with MODULE_STATE_LIVE and MODULE_STATE_GOING.\nIf we use `is_module_text_address()` and `__module_text_address()`\nseparately, there is a chance that the first one is succeeded but the\nnext one is failed because module->state becomes MODULE_STATE_UNFORMED\nbetween those operations.\n\nIn `check_kprobe_address_safe()`, if the second `__module_text_address()`\nis failed, that is ignored because it expected a kernel_text address.\nBut it may have failed simply because module->state has been changed\nto MODULE_STATE_UNFORMED. In this case, arm_kprobe() will try to modify\nnon-exist module text address (use-after-free).\n\nTo fix this problem, we should not use separated `is_module_text_address()`\nand `__module_text_address()`, but use only `__module_text_address()`\nonce and do `try_module_get(module)` which is only available with\nMODULE_STATE_LIVE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35955", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35955" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" + }, + { + "url": "https://datatracker.ietf.org/doc/html/rfc5155" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + } + ], + "bom-ref": "vuln-433", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "affects": [ + { + "ref": "comp-332" + } + ], + "id": "CVE-2023-50868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/063715c33b4c37587aeca2c83cf08ead0c542995" + }, + { + "url": "https://git.kernel.org/stable/c/177d574be4b58f832354ab1ef5a297aa0c9aa2df" + }, + { + "url": "https://git.kernel.org/stable/c/930e826962d9f01dcd2220176134427358d112f2" + }, + { + "url": "https://git.kernel.org/stable/c/99eb2159680af8786104dac80528acd5acd45980" + }, + { + "url": "https://git.kernel.org/stable/c/d38d31bbbb9dc0d4d71a45431eafba03d0bc150d" + }, + { + "url": "https://git.kernel.org/stable/c/f78c1375339a291cba492a70eaf12ec501d28a8e" + }, + { + "url": "https://git.kernel.org/stable/c/a2add961a5ed25cfd6a74f9ffb9e7ab6d6ded838" + }, + { + "url": "https://git.kernel.org/stable/c/0cfbb26ee5e7b3d6483a73883f9f6157bca22ec9" + }, + { + "url": "https://git.kernel.org/linus/f78c1375339a291cba492a70eaf12ec501d28a8e(6.8-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27410" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-434", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27410" + } + } + ], + "created": "2024-05-17T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: reject iftype change with mesh ID change\n\nIt's currently possible to change the mesh ID when the\ninterface isn't yet in mesh mode, at the same time as\nchanging it into mesh mode. This leads to an overwrite\nof data in the wdev->u union for the interface type it\ncurrently has, causing cfg80211_change_iface() to do\nwrong things when switching.\n\nWe could probably allow setting an interface to mesh\nwhile setting the mesh ID at the same time by doing a\ndifferent order of operations here, but realistically\nthere's no userspace that's going to do this, so just\ndisallow changes in iftype when setting mesh ID.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27410", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27410" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f32d2a745b02123258026e105a008f474f896d6a" + }, + { + "url": "https://git.kernel.org/stable/c/8cf9cc602cfb40085967c0d140e32691c8b71cf3" + }, + { + "url": "https://git.kernel.org/stable/c/687061cfaa2ac3095170e136dd9c29a4974f41d4" + }, + { + "url": "https://git.kernel.org/stable/c/993bf0f4c393b3667830918f9247438a8f6fdb5b" + }, + { + "url": "https://git.kernel.org/stable/c/8b40eb2e716b503f7a4e1090815a17b1341b2150" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26774" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/993bf0f4c393b3667830918f9247438a8f6fdb5b(6.8-rc3)" + } + ], + "bom-ref": "vuln-435", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26774" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt\n\nDetermine if bb_fragments is 0 instead of determining bb_free to eliminate\nthe risk of dividing by zero when the block bitmap is corrupted.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26774", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26774" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/54225988889931467a9b55fdbef534079b665519" + }, + { + "url": "https://git.kernel.org/stable/c/813e2ab753a8f8c243a39ede20c2e0adc15f3887" + }, + { + "url": "https://git.kernel.org/stable/c/a429a912d6c779807f4d72a6cc0a1efaaa3613e1" + }, + { + "url": "https://git.kernel.org/stable/c/a02687044e124f8ccb427cd3632124a4e1a7d7c1" + }, + { + "url": "https://git.kernel.org/stable/c/311eeaa7b9e26aba5b3d57b09859f07d8e9fc049" + }, + { + "url": "https://git.kernel.org/stable/c/4c89642ca47fb620914780c7c51d8d1248201121" + }, + { + "url": "https://git.kernel.org/stable/c/e118e7ea24d1392878ef85926627c6bc640c4388" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35854" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/54225988889931467a9b55fdbef534079b665519(6.9-rc6)" + } + ], + "bom-ref": "vuln-436", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35854" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash\n\nThe rehash delayed work migrates filters from one region to another\naccording to the number of available credits.\n\nThe migrated from region is destroyed at the end of the work if the\nnumber of credits is non-negative as the assumption is that this is\nindicative of migration being complete. This assumption is incorrect as\na non-negative number of credits can also be the result of a failed\nmigration.\n\nThe destruction of a region that still has filters referencing it can\nresult in a use-after-free [1].\n\nFix by not destroying the region if migration failed.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\nRead of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858\n\nCPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G W 6.9.0-rc2-custom-00782-gf2275c2157d8 #5\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230\n mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70\n mlxsw_sp_acl_atcam_entry_del+0x81/0x210\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 174:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 7:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_region_destroy+0x272/0x310\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35854", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35854" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ec78418801ef7b0c22cd6a30145ec480dd48db39" + }, + { + "url": "https://git.kernel.org/stable/c/2e2c07104b4904aed1389a59b25799b95a85b5b9" + }, + { + "url": "https://git.kernel.org/stable/c/22850c9950a4e43a67299755d11498f3292d02ff" + }, + { + "url": "https://git.kernel.org/stable/c/1dde8ef4b7a749ae1bc73617c91775631d167557" + }, + { + "url": "https://git.kernel.org/stable/c/13c5a9fb07105557a1fa9efdb4f23d7ef30b7274" + }, + { + "url": "https://git.kernel.org/stable/c/79d72c68c58784a3e1cd2378669d51bfd0cb7498" + }, + { + "url": "https://git.kernel.org/stable/c/80d852299987a8037be145a94f41874228f1a773" + }, + { + "url": "https://git.kernel.org/linus/79d72c68c58784a3e1cd2378669d51bfd0cb7498(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26688" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-437", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26688" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super\n\nWhen configuring a hugetlb filesystem via the fsconfig() syscall, there is\na possible NULL dereference in hugetlbfs_fill_super() caused by assigning\nNULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize\nis non valid.\n\nE.g: Taking the following steps:\n\n fd = fsopen(\"hugetlbfs\", FSOPEN_CLOEXEC);\n fsconfig(fd, FSCONFIG_SET_STRING, \"pagesize\", \"1024\", 0);\n fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);\n\nGiven that the requested \"pagesize\" is invalid, ctxt->hstate will be replaced\nwith NULL, losing its previous value, and we will print an error:\n\n ...\n ...\n case Opt_pagesize:\n ps = memparse(param->string, &rest);\n ctx->hstate = h;\n if (!ctx->hstate) {\n pr_err(\"Unsupported page size %lu MB\\n\", ps / SZ_1M);\n return -EINVAL;\n }\n return 0;\n ...\n ...\n\nThis is a problem because later on, we will dereference ctxt->hstate in\nhugetlbfs_fill_super()\n\n ...\n ...\n sb->s_blocksize = huge_page_size(ctx->hstate);\n ...\n ...\n\nCausing below Oops.\n\nFix this by replacing cxt->hstate value only when then pagesize is known\nto be valid.\n\n kernel: hugetlbfs: Unsupported page size 0 MB\n kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028\n kernel: #PF: supervisor read access in kernel mode\n kernel: #PF: error_code(0x0000) - not-present page\n kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0\n kernel: Oops: 0000 [#1] PREEMPT SMP PTI\n kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G E 6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f\n kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017\n kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0\n kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28\n kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246\n kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004\n kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000\n kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004\n kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000\n kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400\n kernel: FS: 00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000\n kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0\n kernel: Call Trace:\n kernel: \n kernel: ? __die_body+0x1a/0x60\n kernel: ? page_fault_oops+0x16f/0x4a0\n kernel: ? search_bpf_extables+0x65/0x70\n kernel: ? fixup_exception+0x22/0x310\n kernel: ? exc_page_fault+0x69/0x150\n kernel: ? asm_exc_page_fault+0x22/0x30\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: ? hugetlbfs_fill_super+0xb4/0x1a0\n kernel: ? hugetlbfs_fill_super+0x28/0x1a0\n kernel: ? __pfx_hugetlbfs_fill_super+0x10/0x10\n kernel: vfs_get_super+0x40/0xa0\n kernel: ? __pfx_bpf_lsm_capable+0x10/0x10\n kernel: vfs_get_tree+0x25/0xd0\n kernel: vfs_cmd_create+0x64/0xe0\n kernel: __x64_sys_fsconfig+0x395/0x410\n kernel: do_syscall_64+0x80/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? syscall_exit_to_user_mode+0x82/0x240\n kernel: ? do_syscall_64+0x8d/0x160\n kernel: ? exc_page_fault+0x69/0x150\n kernel: entry_SYSCALL_64_after_hwframe+0x6e/0x76\n kernel: RIP: 0033:0x7ffbc0cb87c9\n kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48\n kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af\n kernel: RAX: fffffffffff\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26688", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26688" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199" + }, + { + "url": "https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724" + }, + { + "url": "https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4" + }, + { + "url": "https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26590" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-438", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26590" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590" + } + } + ], + "created": "2024-02-22T17:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26590", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T17:54:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3ede8e94de6b834b48b0643385e66363e7a04be9" + }, + { + "url": "https://git.kernel.org/stable/c/9f599ba3b9cc4bdb8ec1e3f0feddd41bf9d296d6" + }, + { + "url": "https://git.kernel.org/stable/c/34b567868777e9fd39ec5333969728a7f0cf179c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26902" + }, + { + "url": "https://git.kernel.org/linus/34b567868777e9fd39ec5333969728a7f0cf179c(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-439", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26902" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26902" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISCV: Fix panic on pmu overflow handler\n\n(1 << idx) of int is not desired when setting bits in unsigned long\noverflowed_ctrs, use BIT() instead. This panic happens when running\n'perf record -e branches' on sophgo sg2042.\n\n[ 273.311852] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098\n[ 273.320851] Oops [#1]\n[ 273.323179] Modules linked in:\n[ 273.326303] CPU: 0 PID: 1475 Comm: perf Not tainted 6.6.0-rc3+ #9\n[ 273.332521] Hardware name: Sophgo Mango (DT)\n[ 273.336878] epc : riscv_pmu_ctr_get_width_mask+0x8/0x62\n[ 273.342291] ra : pmu_sbi_ovf_handler+0x2e0/0x34e\n[ 273.347091] epc : ffffffff80aecd98 ra : ffffffff80aee056 sp : fffffff6e36928b0\n[ 273.354454] gp : ffffffff821f82d0 tp : ffffffd90c353200 t0 : 0000002ade4f9978\n[ 273.361815] t1 : 0000000000504d55 t2 : ffffffff8016cd8c s0 : fffffff6e3692a70\n[ 273.369180] s1 : 0000000000000020 a0 : 0000000000000000 a1 : 00001a8e81800000\n[ 273.376540] a2 : 0000003c00070198 a3 : 0000003c00db75a4 a4 : 0000000000000015\n[ 273.383901] a5 : ffffffd7ff8804b0 a6 : 0000000000000015 a7 : 000000000000002a\n[ 273.391327] s2 : 000000000000ffff s3 : 0000000000000000 s4 : ffffffd7ff8803b0\n[ 273.398773] s5 : 0000000000504d55 s6 : ffffffd905069800 s7 : ffffffff821fe210\n[ 273.406139] s8 : 000000007fffffff s9 : ffffffd7ff8803b0 s10: ffffffd903f29098\n[ 273.413660] s11: 0000000080000000 t3 : 0000000000000003 t4 : ffffffff8017a0ca\n[ 273.421022] t5 : ffffffff8023cfc2 t6 : ffffffd9040780e8\n[ 273.426437] status: 0000000200000100 badaddr: 0000000000000098 cause: 000000000000000d\n[ 273.434512] [] riscv_pmu_ctr_get_width_mask+0x8/0x62\n[ 273.441169] [] handle_percpu_devid_irq+0x98/0x1ee\n[ 273.447562] [] generic_handle_domain_irq+0x28/0x36\n[ 273.454151] [] riscv_intc_irq+0x36/0x4e\n[ 273.459659] [] handle_riscv_irq+0x4a/0x74\n[ 273.465442] [] do_irq+0x62/0x92\n[ 273.470360] Code: 0420 60a2 6402 5529 0141 8082 0013 0000 0013 0000 (6d5c) b783\n[ 273.477921] ---[ end trace 0000000000000000 ]---\n[ 273.482630] Kernel panic - not syncing: Fatal exception in interrupt", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26902", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26902" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:40:05Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e" + }, + { + "url": "https://git.kernel.org/stable/c/84a352b7eba1142a95441380058985ff19f25ec9" + }, + { + "url": "https://git.kernel.org/stable/c/b4bc99d04c689b5652665394ae8d3e02fb754153" + }, + { + "url": "https://git.kernel.org/stable/c/601a89ea24d05089debfa2dc896ea9f5937ac7a6" + }, + { + "url": "https://git.kernel.org/stable/c/698a95ade1a00e6494482046902b986dfffd1caf" + }, + { + "url": "https://git.kernel.org/linus/b46f4eaa4f0ec38909fb0072eea3aeddb32f954e(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35970" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-440", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35970" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Clear stale u->oob_skb.\n\nsyzkaller started to report deadlock of unix_gc_lock after commit\n4090fa373f0e (\"af_unix: Replace garbage collection algorithm.\"), but\nit just uncovers the bug that has been there since commit 314001f0bf92\n(\"af_unix: Add OOB support\").\n\nThe repro basically does the following.\n\n from socket import *\n from array import array\n\n c1, c2 = socketpair(AF_UNIX, SOCK_STREAM)\n c1.sendmsg([b'a'], [(SOL_SOCKET, SCM_RIGHTS, array(\"i\", [c2.fileno()]))], MSG_OOB)\n c2.recv(1) # blocked as no normal data in recv queue\n\n c2.close() # done async and unblock recv()\n c1.close() # done async and trigger GC\n\nA socket sends its file descriptor to itself as OOB data and tries to\nreceive normal data, but finally recv() fails due to async close().\n\nThe problem here is wrong handling of OOB skb in manage_oob(). When\nrecvmsg() is called without MSG_OOB, manage_oob() is called to check\nif the peeked skb is OOB skb. In such a case, manage_oob() pops it\nout of the receive queue but does not clear unix_sock(sk)->oob_skb.\nThis is wrong in terms of uAPI.\n\nLet's say we send \"hello\" with MSG_OOB, and \"world\" without MSG_OOB.\nThe 'o' is handled as OOB data. When recv() is called twice without\nMSG_OOB, the OOB data should be lost.\n\n >>> from socket import *\n >>> c1, c2 = socketpair(AF_UNIX, SOCK_STREAM, 0)\n >>> c1.send(b'hello', MSG_OOB) # 'o' is OOB data\n 5\n >>> c1.send(b'world')\n 5\n >>> c2.recv(5) # OOB data is not received\n b'hell'\n >>> c2.recv(5) # OOB date is skipped\n b'world'\n >>> c2.recv(5, MSG_OOB) # This should return an error\n b'o'\n\nIn the same situation, TCP actually returns -EINVAL for the last\nrecv().\n\nAlso, if we do not clear unix_sk(sk)->oob_skb, unix_poll() always set\nEPOLLPRI even though the data has passed through by previous recv().\n\nTo avoid these issues, we must clear unix_sk(sk)->oob_skb when dequeuing\nit from recv queue.\n\nThe reason why the old GC did not trigger the deadlock is because the\nold GC relied on the receive queue to detect the loop.\n\nWhen it is triggered, the socket with OOB data is marked as GC candidate\nbecause file refcount == inflight count (1). However, after traversing\nall inflight sockets, the socket still has a positive inflight count (1),\nthus the socket is excluded from candidates. Then, the old GC lose the\nchance to garbage-collect the socket.\n\nWith the old GC, the repro continues to create true garbage that will\nnever be freed nor detected by kmemleak as it's linked to the global\ninflight list. That's why we couldn't even notice the issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35970", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35970" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7c7bd4d561e9dc6f5b7df9e184974915f6701a89" + }, + { + "url": "https://git.kernel.org/stable/c/ac2630fd3c90ffec34a0bfc4d413668538b0e8f2" + }, + { + "url": "https://git.kernel.org/stable/c/5108a2dc2db5630fb6cd58b8be80a0c134bc310a" + }, + { + "url": "https://git.kernel.org/stable/c/4f973e211b3b1c6d36f7c6a19239d258856749f9" + }, + { + "url": "https://git.kernel.org/stable/c/342258fb46d66c1b4c7e2c3717ac01e10c03cf18" + }, + { + "url": "https://git.kernel.org/stable/c/ed790bd0903ed3352ebf7f650d910f49b7319b34" + }, + { + "url": "https://git.kernel.org/stable/c/615e3adc2042b7be4ad122a043fc9135e6342c90" + }, + { + "url": "https://git.kernel.org/stable/c/4c8922ae8eb8dcc1e4b7d1059d97a8334288d825" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/4f973e211b3b1c6d36f7c6a19239d258856749f9(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52587" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-441", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52587" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `priv->lock` while iterating the `priv->multicast_list` in\n`ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to\nremove the items while in the middle of iteration. If the mcast is removed\nwhile the lock was dropped, the for loop spins forever resulting in a hard\nlockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):\n\n Task A (kworker/u72:2 below) | Task B (kworker/u72:0 below)\n -----------------------------------+-----------------------------------\n ipoib_mcast_join_task(work) | ipoib_ib_dev_flush_light(work)\n spin_lock_irq(&priv->lock) | __ipoib_ib_dev_flush(priv, ...)\n list_for_each_entry(mcast, | ipoib_mcast_dev_flush(dev = priv->dev)\n &priv->multicast_list, list) |\n ipoib_mcast_join(dev, mcast) |\n spin_unlock_irq(&priv->lock) |\n | spin_lock_irqsave(&priv->lock, flags)\n | list_for_each_entry_safe(mcast, tmcast,\n | &priv->multicast_list, list)\n | list_del(&mcast->list);\n | list_add_tail(&mcast->list, &remove_list)\n | spin_unlock_irqrestore(&priv->lock, flags)\n spin_lock_irq(&priv->lock) |\n | ipoib_mcast_remove_list(&remove_list)\n (Here, `mcast` is no longer on the | list_for_each_entry_safe(mcast, tmcast,\n `priv->multicast_list` and we keep | remove_list, list)\n spinning on the `remove_list` of | >>> wait_for_completion(&mcast->done)\n the other thread which is blocked |\n and the list is still valid on |\n it's stack.)\n\nFix this by keeping the lock held and changing to GFP_ATOMIC to prevent\neventual sleeps.\nUnfortunately we could not reproduce the lockup and confirm this fix but\nbased on the code review I think this fix should address such lockups.\n\ncrash> bc 31\nPID: 747 TASK: ff1c6a1a007e8000 CPU: 31 COMMAND: \"kworker/u72:2\"\n--\n [exception RIP: ipoib_mcast_join_task+0x1b1]\n RIP: ffffffffc0944ac1 RSP: ff646f199a8c7e00 RFLAGS: 00000002\n RAX: 0000000000000000 RBX: ff1c6a1a04dc82f8 RCX: 0000000000000000\n work (&priv->mcast_task{,.work})\n RDX: ff1c6a192d60ac68 RSI: 0000000000000286 RDI: ff1c6a1a04dc8000\n &mcast->list\n RBP: ff646f199a8c7e90 R8: ff1c699980019420 R9: ff1c6a1920c9a000\n R10: ff646f199a8c7e00 R11: ff1c6a191a7d9800 R12: ff1c6a192d60ac00\n mcast\n R13: ff1c6a1d82200000 R14: ff1c6a1a04dc8000 R15: ff1c6a1a04dc82d8\n dev priv (&priv->lock) &priv->multicast_list (aka head)\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n--- ---\n #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]\n #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967\n\ncrash> rx ff646f199a8c7e68\nff646f199a8c7e68: ff1c6a1a04dc82f8 <<< work = &priv->mcast_task.work\n\ncrash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000\n(empty)\n\ncrash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000\n mcast_task.work.func = 0xffffffffc0944910 ,\n mcast_mutex.owner.counter = 0xff1c69998efec000\n\ncrash> b 8\nPID: 8 TASK: ff1c69998efec000 CPU: 33 COMMAND: \"kworker/u72:0\"\n--\n #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646\n #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]\n #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]\n #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]\n #7 [ff\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52587", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52587" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216702" + }, + { + "url": "https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz@163.com/" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f7352557a35ab7888bc7831411ec8a3cbe20d78" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-47233" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6776-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6775-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-442", + "ratings": [ + { + "severity": "medium", + "score": 4.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-47233" + } + } + ], + "created": "2023-11-03T21:15:17Z", + "description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-47233", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-25T01:15:54Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/200cb50b9e154434470c8969d32474d38475acc2" + }, + { + "url": "https://git.kernel.org/stable/c/63719f490e6a89896e9a463d2b45e8203eab23ae" + }, + { + "url": "https://git.kernel.org/stable/c/e7870cf13d20f56bfc19f9c3e89707c69cf104ef" + }, + { + "url": "https://git.kernel.org/linus/e7870cf13d20f56bfc19f9c3e89707c69cf104ef(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26677" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-443", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26677" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix delayed ACKs to not set the reference serial number\n\nFix the construction of delayed ACKs to not set the reference serial number\nas they can't be used as an RTT reference.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26677", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26677" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e534fd15e5c2ca15821c897352cf0e8a3e30dca" + }, + { + "url": "https://git.kernel.org/stable/c/136cfaca22567a03bbb3bf53a43d8cb5748b80ec" + }, + { + "url": "https://git.kernel.org/stable/c/f8cbd1791900b5d96466eede8e9439a5b9ca4de7" + }, + { + "url": "https://git.kernel.org/stable/c/5013bd54d283eda5262c9ae3bcc966d01daf8576" + }, + { + "url": "https://git.kernel.org/stable/c/ba6b8b02a3314e62571a540efa96560888c5f03e" + }, + { + "url": "https://git.kernel.org/stable/c/f0ecdfa679189d26aedfe24212d4e69e42c2c861" + }, + { + "url": "https://git.kernel.org/stable/c/3963f16cc7643b461271989b712329520374ad2a" + }, + { + "url": "https://git.kernel.org/stable/c/a576308800be28f2eaa099e7caad093b97d66e77" + }, + { + "url": "https://git.kernel.org/linus/136cfaca22567a03bbb3bf53a43d8cb5748b80ec(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26754" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-444", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26754" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()\n\nThe gtp_net_ops pernet operations structure for the subsystem must be\nregistered before registering the generic netlink family.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\ngeneral protection fault, probably for non-canonical address\n0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN NOPTI\nKASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\nCPU: 1 PID: 5826 Comm: gtp Not tainted 6.8.0-rc3-std-def-alt1 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\nRIP: 0010:gtp_genl_dump_pdp+0x1be/0x800 [gtp]\nCode: c6 89 c6 e8 64 e9 86 df 58 45 85 f6 0f 85 4e 04 00 00 e8 c5 ee 86\n df 48 8b 54 24 18 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>\n 3c 02 00 0f 85 de 05 00 00 48 8b 44 24 18 4c 8b 30 4c 39 f0 74\nRSP: 0018:ffff888014107220 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000\nRDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000\nR13: ffff88800fcda588 R14: 0000000000000001 R15: 0000000000000000\nFS: 00007f1be4eb05c0(0000) GS:ffff88806ce80000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1be4e766cf CR3: 000000000c33e000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n \n ? show_regs+0x90/0xa0\n ? die_addr+0x50/0xd0\n ? exc_general_protection+0x148/0x220\n ? asm_exc_general_protection+0x22/0x30\n ? gtp_genl_dump_pdp+0x1be/0x800 [gtp]\n ? __alloc_skb+0x1dd/0x350\n ? __pfx___alloc_skb+0x10/0x10\n genl_dumpit+0x11d/0x230\n netlink_dump+0x5b9/0xce0\n ? lockdep_hardirqs_on_prepare+0x253/0x430\n ? __pfx_netlink_dump+0x10/0x10\n ? kasan_save_track+0x10/0x40\n ? __kasan_kmalloc+0x9b/0xa0\n ? genl_start+0x675/0x970\n __netlink_dump_start+0x6fc/0x9f0\n genl_family_rcv_msg_dumpit+0x1bb/0x2d0\n ? __pfx_genl_family_rcv_msg_dumpit+0x10/0x10\n ? genl_op_from_small+0x2a/0x440\n ? cap_capable+0x1d0/0x240\n ? __pfx_genl_start+0x10/0x10\n ? __pfx_genl_dumpit+0x10/0x10\n ? __pfx_genl_done+0x10/0x10\n ? security_capable+0x9d/0xe0", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26754", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26754" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b7a2f0955ffceffadfe098b40b50307431f45438" + }, + { + "url": "https://git.kernel.org/stable/c/139dfcc4d723ab13469881200c7d80f49d776060" + }, + { + "url": "https://git.kernel.org/stable/c/3b3491ad0f80d913e7d255941d4470f4a4d9bfda" + }, + { + "url": "https://git.kernel.org/stable/c/fe9a7082684eb059b925c535682e68c34d487d43" + }, + { + "url": "https://git.kernel.org/stable/c/bf0bc84a20e6109ab07d5dc072067bd01eb931ec" + }, + { + "url": "https://git.kernel.org/stable/c/561d5e1998d58b54ce2bbbb3e843b669aa0b3db5" + }, + { + "url": "https://git.kernel.org/stable/c/26389925d6c2126fb777821a0a983adca7ee6351" + }, + { + "url": "https://git.kernel.org/stable/c/2a4a666c45107206605b7b5bc20545f8aabc4fa2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27437" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-445", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27437" + } + } + ], + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Disable auto-enable of exclusive INTx IRQ\n\nCurrently for devices requiring masking at the irqchip for INTx, ie.\ndevices without DisINTx support, the IRQ is enabled in request_irq()\nand subsequently disabled as necessary to align with the masked status\nflag. This presents a window where the interrupt could fire between\nthese events, resulting in the IRQ incrementing the disable depth twice.\nThis would be unrecoverable for a user since the masked flag prevents\nnested enables through vfio.\n\nInstead, invert the logic using IRQF_NO_AUTOEN such that exclusive INTx\nis never auto-enabled, then unmask as required.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27437", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27437" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/107052a8cfeff3a97326277192b4f052e4860a8a" + }, + { + "url": "https://git.kernel.org/stable/c/d20b64f156de5d10410963fe238d82a4e7e97a2f" + }, + { + "url": "https://git.kernel.org/stable/c/c073c8cede5abd3836e83d70d72606d11d0759d4" + }, + { + "url": "https://git.kernel.org/stable/c/ed514ecf4f29c80a2f09ae3c877059b401efe893" + }, + { + "url": "https://git.kernel.org/stable/c/7a4cf27d1f0538f779bf31b8c99eda394e277119" + }, + { + "url": "https://git.kernel.org/stable/c/fb07104a02e87c06c39914d13ed67fd8f839ca82" + }, + { + "url": "https://git.kernel.org/stable/c/8fad9c5bb00d3a9508d18bbfe832e33a47377730" + }, + { + "url": "https://git.kernel.org/stable/c/fa8b472952ef46eb632825051078c21ce0cafe55" + }, + { + "url": "https://git.kernel.org/stable/c/d6b4895197ab5a47cb81c6852d49320b05052960" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27075" + }, + { + "url": "https://git.kernel.org/linus/7a4cf27d1f0538f779bf31b8c99eda394e277119(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-446", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27075" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-frontends: avoid stack overflow warnings with clang\n\nA previous patch worked around a KASAN issue in stv0367, now a similar\nproblem showed up with clang:\n\ndrivers/media/dvb-frontends/stv0367.c:1222:12: error: stack frame size (3624) exceeds limit (2048) in 'stv0367ter_set_frontend' [-Werror,-Wframe-larger-than]\n 1214 | static int stv0367ter_set_frontend(struct dvb_frontend *fe)\n\nRework the stv0367_writereg() function to be simpler and mark both\nregister access functions as noinline_for_stack so the temporary\ni2c_msg structures do not get duplicated on the stack when KASAN_STACK\nis enabled.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27075", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27075" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76af689a45aa44714b46d1a7de4ffdf851ded896" + }, + { + "url": "https://git.kernel.org/stable/c/51a6c2af9d20203ddeeaf73314ba8854b38d01bd" + }, + { + "url": "https://git.kernel.org/stable/c/a637fabac554270a851033f5ab402ecb90bc479c" + }, + { + "url": "https://git.kernel.org/stable/c/a677ebd8ca2f2632ccdecbad7b87641274e15aac" + }, + { + "url": "https://git.kernel.org/stable/c/88b7f1143b15b29cccb8392b4f38e75b7bb3e300" + }, + { + "url": "https://git.kernel.org/linus/a677ebd8ca2f2632ccdecbad7b87641274e15aac(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26811" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-447", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26811" + } + } + ], + "created": "2024-04-08T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate payload size in ipc response\n\nIf installing malicious ksmbd-tools, ksmbd.mountd can return invalid ipc\nresponse to ksmbd kernel server. ksmbd should validate payload size of\nipc response from ksmbd.mountd to avoid memory overrun or\nslab-out-of-bounds. This patch validate 3 ipc response that has payload.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26811", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26811" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-28T12:15:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6616d3c4f8284a7b3ef978c916566bd240cea1c7" + }, + { + "url": "https://git.kernel.org/stable/c/d8e36ff40cf9dadb135f3a97341c02c9a7afcc43" + }, + { + "url": "https://git.kernel.org/stable/c/85e985a4f46e462a37f1875cb74ed380e7c0c2e0" + }, + { + "url": "https://git.kernel.org/stable/c/7a3a70dd08e4b7dffc2f86f2c68fc3812804b9d0" + }, + { + "url": "https://git.kernel.org/linus/85e985a4f46e462a37f1875cb74ed380e7c0c2e0(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26714" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-448", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26714" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: qcom: sc8180x: Mark CO0 BCM keepalive\n\nThe CO0 BCM needs to be up at all times, otherwise some hardware (like\nthe UFS controller) loses its connection to the rest of the SoC,\nresulting in a hang of the platform, accompanied by a spectacular\nlogspam.\n\nMark it as keepalive to prevent such cases.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26714", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26714" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/be76ad74a43f90f340f9f479e6b04f02125f6aef" + }, + { + "url": "https://git.kernel.org/stable/c/486a4176bc783df798bce2903824801af8d2c3ae" + }, + { + "url": "https://git.kernel.org/stable/c/dc9ceb90c4b42c6e5c6757df1d6257110433788e" + }, + { + "url": "https://git.kernel.org/stable/c/b37259448bbc70af1d0e52a9dd5559a9c29c9621" + }, + { + "url": "https://git.kernel.org/stable/c/207557e393a135c1b6fe1df7cc0741d2c1789fff" + }, + { + "url": "https://git.kernel.org/stable/c/7219a692ffc00089015ada33b85b334d1a4b6e8e" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26829" + }, + { + "url": "https://git.kernel.org/linus/dc9ceb90c4b42c6e5c6757df1d6257110433788e(6.8-rc5)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-449", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26829" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ir_toy: fix a memleak in irtoy_tx\n\nWhen irtoy_command fails, buf should be freed since it is allocated by\nirtoy_tx, or there is a memleak.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26829", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26829" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e2a03787f4f0abc0072350654ab0ef3324d9db3" + }, + { + "url": "https://git.kernel.org/stable/c/47d8ac011fe1c9251070e1bd64cb10b48193ec51" + }, + { + "url": "https://git.kernel.org/stable/c/507cc232ffe53a352847893f8177d276c3b532a9" + }, + { + "url": "https://git.kernel.org/stable/c/dbdf7bec5c920200077d693193f989cb1513f009" + }, + { + "url": "https://git.kernel.org/stable/c/a36ae0ec2353015f0f6762e59f4c2dbc0c906423" + }, + { + "url": "https://git.kernel.org/stable/c/b75722be422c276b699200de90527d01c602ea7c" + }, + { + "url": "https://git.kernel.org/stable/c/343c5372d5e17b306db5f8f3c895539b06e3177f" + }, + { + "url": "https://git.kernel.org/stable/c/e76c2678228f6aec74b305ae30c9374cc2f28a51" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26923" + }, + { + "url": "https://git.kernel.org/linus/47d8ac011fe1c9251070e1bd64cb10b48193ec51(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-450", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26923" + } + } + ], + "created": "2024-04-25T06:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix garbage collector racing against connect()\n\nGarbage collector does not take into account the risk of embryo getting\nenqueued during the garbage collection. If such embryo has a peer that\ncarries SCM_RIGHTS, two consecutive passes of scan_children() may see a\ndifferent set of children. Leading to an incorrectly elevated inflight\ncount, and then a dangling pointer within the gc_inflight_list.\n\nsockets are AF_UNIX/SOCK_STREAM\nS is an unconnected socket\nL is a listening in-flight socket bound to addr, not in fdtable\nV's fd will be passed via sendmsg(), gets inflight count bumped\n\nconnect(S, addr)\tsendmsg(S, [V]); close(V)\t__unix_gc()\n----------------\t-------------------------\t-----------\n\nNS = unix_create1()\nskb1 = sock_wmalloc(NS)\nL = unix_find_other(addr)\nunix_state_lock(L)\nunix_peer(S) = NS\n\t\t\t// V count=1 inflight=0\n\n \t\t\tNS = unix_peer(S)\n \t\t\tskb2 = sock_alloc()\n\t\t\tskb_queue_tail(NS, skb2[V])\n\n\t\t\t// V became in-flight\n\t\t\t// V count=2 inflight=1\n\n\t\t\tclose(V)\n\n\t\t\t// V count=1 inflight=1\n\t\t\t// GC candidate condition met\n\n\t\t\t\t\t\tfor u in gc_inflight_list:\n\t\t\t\t\t\t if (total_refs == inflight_refs)\n\t\t\t\t\t\t add u to gc_candidates\n\n\t\t\t\t\t\t// gc_candidates={L, V}\n\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t scan_children(u, dec_inflight)\n\n\t\t\t\t\t\t// embryo (skb1) was not\n\t\t\t\t\t\t// reachable from L yet, so V's\n\t\t\t\t\t\t// inflight remains unchanged\n__skb_queue_tail(L, skb1)\nunix_state_unlock(L)\n\t\t\t\t\t\tfor u in gc_candidates:\n\t\t\t\t\t\t if (u.inflight)\n\t\t\t\t\t\t scan_children(u, inc_inflight_move_tail)\n\n\t\t\t\t\t\t// V count=1 inflight=2 (!)\n\nIf there is a GC-candidate listening socket, lock/unlock its state. This\nmakes GC wait until the end of any ongoing connect() to that socket. After\nflipping the lock, a possibly SCM-laden embryo is already enqueued. And if\nthere is another embryo coming, it can not possibly carry SCM_RIGHTS. At\nthis point, unix_inflight() can not happen because unix_gc_lock is already\ntaken. Inflight graph remains unaffected.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26923", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26923" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f46c8a75263f97bda13c739ba1c90aced0d3b071" + }, + { + "url": "https://git.kernel.org/stable/c/aa28eecb43cac6e20ef14dfc50b8892c1fbcda5b" + }, + { + "url": "https://git.kernel.org/stable/c/145febd85c3bcc5c74d87ef9a598fc7d9122d532" + }, + { + "url": "https://git.kernel.org/stable/c/ffd29dc45bc0355393859049f6becddc3ed08f74" + }, + { + "url": "https://git.kernel.org/stable/c/d482d61025e303a2bef3733a011b6b740215cfa1" + }, + { + "url": "https://git.kernel.org/stable/c/21e45a7b08d7cd98d6a53c5fc5111879f2d96611" + }, + { + "url": "https://git.kernel.org/stable/c/f6781add1c311c17eff43e14c786004bbacf901e" + }, + { + "url": "https://git.kernel.org/stable/c/ac3ed969a40357b0542d20f096a6d43acdfa6cc7" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/f46c8a75263f97bda13c739ba1c90aced0d3b071(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52607" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-451", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52607" + } + } + ], + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm: Fix null-pointer dereference in pgtable_cache_add\n\nkasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52607", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52607" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282" + }, + { + "url": "https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9" + }, + { + "url": "https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b" + }, + { + "url": "https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f" + }, + { + "url": "https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee" + }, + { + "url": "https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383" + }, + { + "url": "https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26804" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-452", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26804" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb->data points past skb->head allocated area.\nThis is because neigh layer does:\n __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned. IOW, we skb->data gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb->head and skb->data distance is\nmore than 64k and skb->network_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev->needed_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel. The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0->needed_headroom based on the future\noutput device, rt.dev->needed_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0->needed_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0->needed_headroom gets inflated because previous packets' ipip0 step\nincremented rt->dev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0->needed_headroom grows until\npost-expand-head reallocations result in a skb->head/data distance of\nmore than 64k.\n\nOnce that happens, skb->network_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb->data point to a memory location outside\nskb->head area.\n\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26804", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26804" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/01511ac7be8e45f80e637f6bf61af2d3d2dee9db" + }, + { + "url": "https://git.kernel.org/stable/c/7938e9ce39d6779d2f85d822cc930f73420e54a6" + }, + { + "url": "https://git.kernel.org/stable/c/ca976c6a592f789700200069ef9052493c0b73d8" + }, + { + "url": "https://git.kernel.org/stable/c/8c4889a9ea861d7be37463c10846eb75e1b49c9d" + }, + { + "url": "https://git.kernel.org/stable/c/58a946ab43501f2eba058d24d96af0ad1122475b" + }, + { + "url": "https://git.kernel.org/stable/c/0801c893fd48cdba66a3c8f44c3fe43cc67d3b85" + }, + { + "url": "https://git.kernel.org/linus/7938e9ce39d6779d2f85d822cc930f73420e54a6(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27037" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-453", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27037" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: zynq: Prevent null pointer dereference caused by kmalloc failure\n\nThe kmalloc() in zynq_clk_setup() will return null if the\nphysical memory has run out. As a result, if we use snprintf()\nto write data to the null address, the null pointer dereference\nbug will happen.\n\nThis patch uses a stack variable to replace the kmalloc().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27037", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27037" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/930775060ca348b8665f60eef14b204172d14f31" + }, + { + "url": "https://git.kernel.org/stable/c/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02" + }, + { + "url": "https://git.kernel.org/stable/c/fba7ee7187581b5bc222003e73e2592b398bb06d" + }, + { + "url": "https://git.kernel.org/stable/c/725351c036452b7db5771a7bed783564bc4b99cc" + }, + { + "url": "https://git.kernel.org/stable/c/2149f8a56e2ed345c7a4d022a79f6b8fc53ae926" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35803" + }, + { + "url": "https://git.kernel.org/linus/cefcd4fe2e3aaf792c14c9e56dab89e3d7a65d02(6.9-rc1)" + } + ], + "bom-ref": "vuln-454", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35803" + } + } + ], + "created": "2024-05-17T14:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/efistub: Call mixed mode boot services on the firmware's stack\n\nNormally, the EFI stub calls into the EFI boot services using the stack\nthat was live when the stub was entered. According to the UEFI spec,\nthis stack needs to be at least 128k in size - this might seem large but\nall asynchronous processing and event handling in EFI runs from the same\nstack and so quite a lot of space may be used in practice.\n\nIn mixed mode, the situation is a bit different: the bootloader calls\nthe 32-bit EFI stub entry point, which calls the decompressor's 32-bit\nentry point, where the boot stack is set up, using a fixed allocation\nof 16k. This stack is still in use when the EFI stub is started in\n64-bit mode, and so all calls back into the EFI firmware will be using\nthe decompressor's limited boot stack.\n\nDue to the placement of the boot stack right after the boot heap, any\nstack overruns have gone unnoticed. However, commit\n\n 5c4feadb0011983b (\"x86/decompressor: Move global symbol references to C code\")\n\nmoved the definition of the boot heap into C code, and now the boot\nstack is placed right at the base of BSS, where any overruns will\ncorrupt the end of the .data section.\n\nWhile it would be possible to work around this by increasing the size of\nthe boot stack, doing so would affect all x86 systems, and mixed mode\nsystems are a tiny (and shrinking) fraction of the x86 installed base.\n\nSo instead, record the firmware stack pointer value when entering from\nthe 32-bit firmware, and switch to this stack every time a EFI boot\nservice call is made.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35803", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35803" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/55d3fe7b2b7bc354e7cbc1f7b8f98a29ccd5a366" + }, + { + "url": "https://git.kernel.org/stable/c/5e45dc4408857305f4685abfd7a528a1e58b51b5" + }, + { + "url": "https://git.kernel.org/stable/c/a097fc199ab5f4b5392c5144034c0d2148b55a14" + }, + { + "url": "https://git.kernel.org/stable/c/d313eb8b77557a6d5855f42d2234bd592c7b50dd" + }, + { + "url": "https://git.kernel.org/stable/c/f356eb2fb567e0931143ac1769ac802d3b3e2077" + }, + { + "url": "https://git.kernel.org/stable/c/729ad2ac2a2cdc9f4a4bdfd40bfd276e6bc33924" + }, + { + "url": "https://git.kernel.org/stable/c/7bb2c7103d8c13b06a57bf997b8cdbe93cd7283c" + }, + { + "url": "https://git.kernel.org/stable/c/f190a4aa03cbd518bd9c62a66e1233984f5fd2ec" + }, + { + "url": "https://git.kernel.org/linus/d313eb8b77557a6d5855f42d2234bd592c7b50dd(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35893" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-455", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35893" + } + } + ], + "created": "2024-05-19T09:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_skbmod: prevent kernel-infoleak\n\nsyzbot found that tcf_skbmod_dump() was copying four bytes\nfrom kernel stack to user space [1].\n\nThe issue here is that 'struct tc_skbmod' has a four bytes hole.\n\nWe need to clear the structure before filling fields.\n\n[1]\nBUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x366/0x2520 lib/iov_iter.c:185\n copy_to_iter include/linux/uio.h:196 [inline]\n simple_copy_to_iter net/core/datagram.c:532 [inline]\n __skb_datagram_iter+0x185/0x1000 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:4050 [inline]\n netlink_recvmsg+0x432/0x1610 net/netlink/af_netlink.c:1962\n sock_recvmsg_nosec net/socket.c:1046 [inline]\n sock_recvmsg+0x2c4/0x340 net/socket.c:1068\n __sys_recvfrom+0x35a/0x5f0 net/socket.c:2242\n __do_sys_recvfrom net/socket.c:2260 [inline]\n __se_sys_recvfrom net/socket.c:2256 [inline]\n __x64_sys_recvfrom+0x126/0x1d0 net/socket.c:2256\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n pskb_expand_head+0x30f/0x19d0 net/core/skbuff.c:2253\n netlink_trim+0x2c2/0x330 net/netlink/af_netlink.c:1317\n netlink_unicast+0x9f/0x1260 net/netlink/af_netlink.c:1351\n nlmsg_unicast include/net/netlink.h:1144 [inline]\n nlmsg_notify+0x21d/0x2f0 net/netlink/af_netlink.c:2610\n rtnetlink_send+0x73/0x90 net/core/rtnetlink.c:741\n rtnetlink_maybe_send include/linux/rtnetlink.h:17 [inline]\n tcf_add_notify net/sched/act_api.c:2048 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x146e/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2559\n rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6613\n netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]\n netlink_unicast+0xf4c/0x1260 net/netlink/af_netlink.c:1361\n netlink_sendmsg+0x10df/0x11f0 net/netlink/af_netlink.c:1905\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x30f/0x380 net/socket.c:745\n ____sys_sendmsg+0x877/0xb60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2674\n do_syscall_64+0xd5/0x1f0\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nUninit was stored to memory at:\n __nla_put lib/nlattr.c:1041 [inline]\n nla_put+0x1c6/0x230 lib/nlattr.c:1099\n tcf_skbmod_dump+0x23f/0xc20 net/sched/act_skbmod.c:256\n tcf_action_dump_old net/sched/act_api.c:1191 [inline]\n tcf_action_dump_1+0x85e/0x970 net/sched/act_api.c:1227\n tcf_action_dump+0x1fd/0x460 net/sched/act_api.c:1251\n tca_get_fill+0x519/0x7a0 net/sched/act_api.c:1628\n tcf_add_notify_msg net/sched/act_api.c:2023 [inline]\n tcf_add_notify net/sched/act_api.c:2042 [inline]\n tcf_action_add net/sched/act_api.c:2071 [inline]\n tc_ctl_action+0x1365/0x19d0 net/sched/act_api.c:2119\n rtnetlink_rcv_msg+0x1737/0x1900 net/core/rtnetlink.c:6595\n netlink_rcv_skb+0x375/0x650 net/netlink/af_netli\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35893", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35893" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0c4a89f4690478969729c7ba5f69d53d8516aa12" + }, + { + "url": "https://git.kernel.org/stable/c/9e8742cdfc4b0e65266bb4a901a19462bda9285e" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35964" + }, + { + "url": "https://git.kernel.org/linus/9e8742cdfc4b0e65266bb4a901a19462bda9285e(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-456", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35964" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: ISO: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35964", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35964" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00003.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/" + }, + { + "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-28746" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035885" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28746" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035920" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035854" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035930" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035853" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035845" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035856" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035933" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035855" + }, + { + "url": "https://support.microsoft.com/help/5035920" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035888" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035858" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066108" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035857" + }, + { + "url": "https://support.microsoft.com/help/5035845" + }, + { + "url": "https://support.microsoft.com/help/5035933" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035849" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035959" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5035919" + } + ], + "bom-ref": "vuln-457", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28746" + } + } + ], + "created": "2024-03-14T17:15:50Z", + "description": "Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-28746", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28746" + }, + "cwes": [ + 1342 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T16:15:14Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T18:48:20Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2a84744a037b8a511d6a9055f3defddc28ff4a4d" + }, + { + "url": "https://git.kernel.org/stable/c/3e82f7383e0b82a835e6b6b06a348b2bc4e2c2ee" + }, + { + "url": "https://git.kernel.org/stable/c/16e87fe23d4af6df920406494ced5c0f4354567b" + }, + { + "url": "https://git.kernel.org/stable/c/9acfd8b083a0ffbd387566800d89f55058a68af2" + }, + { + "url": "https://git.kernel.org/stable/c/5e81773757a95fc298e96cfd6d4700f07b6192a2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26943" + }, + { + "url": "https://git.kernel.org/linus/16e87fe23d4af6df920406494ced5c0f4354567b(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-458", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26943" + } + } + ], + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/dmem: handle kcalloc() allocation failure\n\nThe kcalloc() in nouveau_dmem_evict_chunk() will return null if\nthe physical memory has run out. As a result, if we dereference\nsrc_pfns, dst_pfns or dma_addrs, the null pointer dereference bugs\nwill happen.\n\nMoreover, the GPU is going away. If the kcalloc() fails, we could not\nevict all pages mapping a chunk. So this patch adds a __GFP_NOFAIL\nflag in kcalloc().\n\nFinally, as there is no need to have physically contiguous memory,\nthis patch switches kcalloc() to kvcalloc() in order to avoid\nfailing allocations.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26943", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26943" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e3ef461af35a8c74f2f4ce6616491ddb355a208f" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2627" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2628" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25742" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-459", + "created": "2024-05-17T22:15:07Z", + "description": "In the Linux kernel before 6.9, an untrusted hypervisor can inject virtual interrupt 29 (#VC) at any point in time and can trigger its handler. This affects AMD SEV-SNP and AMD SEV-ES.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-25742", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25742" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-20T13:00:34Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T00:41:59Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1fc9af813b25e146d3607669247d0f970f5a87c3" + }, + { + "url": "https://git.kernel.org/stable/c/31806711e8a4b75e09b1c43652f2a6420e6e1002" + }, + { + "url": "https://git.kernel.org/stable/c/e18070c622c63f0cab170348e320454728c277aa" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35951" + }, + { + "url": "https://git.kernel.org/linus/1fc9af813b25e146d3607669247d0f970f5a87c3(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-460", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35951" + } + } + ], + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()\n\nSubject: [PATCH] drm/panfrost: Fix the error path in\n panfrost_mmu_map_fault_addr()\n\nIf some the pages or sgt allocation failed, we shouldn't release the\npages ref we got earlier, otherwise we will end up with unbalanced\nget/put_pages() calls. We should instead leave everything in place\nand let the BO release function deal with extra cleanup when the object\nis destroyed, or let the fault handler try again next time it's called.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35951", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35951" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fd307f2d91d40fa7bc55df3e2cd1253fabf8a2d6" + }, + { + "url": "https://git.kernel.org/stable/c/9472d07cd095cbd3294ac54c42f304a38fbe9bfe" + }, + { + "url": "https://git.kernel.org/stable/c/9c5258196182c25b55c33167cd72fdd9bbf08985" + }, + { + "url": "https://git.kernel.org/stable/c/167d4b47a9bdcb01541dfa29e9f3cbb8edd3dfd2" + }, + { + "url": "https://git.kernel.org/stable/c/40a344b2ddc06c1a2caa7208a43911f39c662778" + }, + { + "url": "https://git.kernel.org/stable/c/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae" + }, + { + "url": "https://git.kernel.org/stable/c/4a7c465a5dcd657d59d25bf4815e19ac05c13061" + }, + { + "url": "https://git.kernel.org/stable/c/f2dd75e57285f49e34af1a5b6cd8945c08243776" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35886" + }, + { + "url": "https://git.kernel.org/linus/d21d40605bca7bd5fc23ef03d4c1ca1f48bc2cae(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-461", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35886" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\nsyzkaller reported infinite recursive calls of fib6_dump_done() during\nnetlink socket destruction. [1]\n\nFrom the log, syzkaller sent an AF_UNSPEC RTM_GETROUTE message, and then\nthe response was generated. The following recvmmsg() resumed the dump\nfor IPv6, but the first call of inet6_dump_fib() failed at kzalloc() due\nto the fault injection. [0]\n\n 12:01:34 executing program 3:\n r0 = socket$nl_route(0x10, 0x3, 0x0)\n sendmsg$nl_route(r0, ... snip ...)\n recvmmsg(r0, ... snip ...) (fail_nth: 8)\n\nHere, fib6_dump_done() was set to nlk_sk(sk)->cb.done, and the next call\nof inet6_dump_fib() set it to nlk_sk(sk)->cb.args[3]. syzkaller stopped\nreceiving the response halfway through, and finally netlink_sock_destruct()\ncalled nlk_sk(sk)->cb.done().\n\nfib6_dump_done() calls fib6_dump_end() and nlk_sk(sk)->cb.done() if it\nis still not NULL. fib6_dump_end() rewrites nlk_sk(sk)->cb.done() by\nnlk_sk(sk)->cb.args[3], but it has the same function, not NULL, calling\nitself recursively and hitting the stack guard page.\n\nTo avoid the issue, let's set the destructor after kzalloc().\n\n[0]:\nFAULT_INJECTION: forcing a failure.\nname failslab, interval 1, probability 0, space 0, times 0\nCPU: 1 PID: 432110 Comm: syz-executor.3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl (lib/dump_stack.c:117)\n should_fail_ex (lib/fault-inject.c:52 lib/fault-inject.c:153)\n should_failslab (mm/slub.c:3733)\n kmalloc_trace (mm/slub.c:3748 mm/slub.c:3827 mm/slub.c:3992)\n inet6_dump_fib (./include/linux/slab.h:628 ./include/linux/slab.h:749 net/ipv6/ip6_fib.c:662)\n rtnl_dump_all (net/core/rtnetlink.c:4029)\n netlink_dump (net/netlink/af_netlink.c:2269)\n netlink_recvmsg (net/netlink/af_netlink.c:1988)\n ____sys_recvmsg (net/socket.c:1046 net/socket.c:2801)\n ___sys_recvmsg (net/socket.c:2846)\n do_recvmmsg (net/socket.c:2943)\n __x64_sys_recvmmsg (net/socket.c:3041 net/socket.c:3034 net/socket.c:3034)\n\n[1]:\nBUG: TASK stack guard page was hit at 00000000f2fa9af1 (stack is 00000000b7912430..000000009a436beb)\nstack guard page: 0000 [#1] PREEMPT SMP KASAN\nCPU: 1 PID: 223719 Comm: kworker/1:3 Not tainted 6.8.0-12821-g537c2e91d354-dirty #11\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\nWorkqueue: events netlink_sock_destruct_work\nRIP: 0010:fib6_dump_done (net/ipv6/ip6_fib.c:570)\nCode: 3c 24 e8 f3 e9 51 fd e9 28 fd ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 41 57 41 56 41 55 41 54 55 48 89 fd <53> 48 8d 5d 60 e8 b6 4d 07 fd 48 89 da 48 b8 00 00 00 00 00 fc ff\nRSP: 0018:ffffc9000d980000 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffffff84405990 RCX: ffffffff844059d3\nRDX: ffff8881028e0000 RSI: ffffffff84405ac2 RDI: ffff88810c02f358\nRBP: ffff88810c02f358 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000224 R12: 0000000000000000\nR13: ffff888007c82c78 R14: ffff888007c82c68 R15: ffff888007c82c68\nFS: 0000000000000000(0000) GS:ffff88811b100000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: ffffc9000d97fff8 CR3: 0000000102309002 CR4: 0000000000770ef0\nPKRU: 55555554\nCall Trace:\n <#DF>\n \n \n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n ...\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n fib6_dump_done (net/ipv6/ip6_fib.c:572 (discriminator 1))\n netlink_sock_destruct (net/netlink/af_netlink.c:401)\n __sk_destruct (net/core/sock.c:2177 (discriminator 2))\n sk_destruct (net/core/sock.c:2224)\n __sk_free (net/core/sock.c:2235)\n sk_free (net/core/sock.c:2246)\n process_one_work (kernel/workqueue.c:3259)\n worker_thread (kernel/workqueue.c:3329 kernel/workqueue.\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35886", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35886" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76fad1174a0cae6fc857b9f88b261a2e4f07d587" + }, + { + "url": "https://git.kernel.org/stable/c/eb39bb548bf974acad7bd6780fe11f9e6652d696" + }, + { + "url": "https://git.kernel.org/stable/c/281280276b70c822f55ce15b661f6d1d3228aaa9" + }, + { + "url": "https://git.kernel.org/stable/c/5ffab99e070b9f8ae0cf60c3c3602b84eee818dd" + }, + { + "url": "https://git.kernel.org/stable/c/54b79d8786964e2f840e8a2ec4a9f9a50f3d4954" + }, + { + "url": "https://git.kernel.org/stable/c/85720b69aef177318f4a18efbcc4302228a340e5" + }, + { + "url": "https://git.kernel.org/stable/c/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f" + }, + { + "url": "https://git.kernel.org/stable/c/88c18fd06608b3adee547102505d715f21075c9d" + }, + { + "url": "https://git.kernel.org/linus/bcbc84af1183c8cf3d1ca9b78540c2185cd85e7f(6.8-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26779" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-462", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26779" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix race condition on enabling fast-xmit\n\nfast-xmit must only be enabled after the sta has been uploaded to the driver,\notherwise it could end up passing the not-yet-uploaded sta via drv_tx calls\nto the driver, leading to potential crashes because of uninitialized drv_priv\ndata.\nAdd a missing sta->uploaded check and re-check fast xmit after inserting a sta.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26779", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26779" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0dab75b433ed2480d57ae4f8f725186a46223e42" + }, + { + "url": "https://git.kernel.org/stable/c/3a6a32b31a111f6e66526fb2d3cb13a876465076" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35881" + }, + { + "url": "https://git.kernel.org/linus/3a6a32b31a111f6e66526fb2d3cb13a876465076(6.9-rc1)" + } + ], + "bom-ref": "vuln-463", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35881" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd/display: Send DTBCLK disable message on first commit\"\n\nThis reverts commit f341055b10bd8be55c3c995dff5f770b236b8ca9.\n\nSystem hang observed, this commit is thought to be the\nregression point.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35881", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35881" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/888e3524be87f3df9fa3c083484e4b62b3e3bb59" + }, + { + "url": "https://git.kernel.org/stable/c/6f70f0b412458c622a12d4292782c8e92e210c2f" + }, + { + "url": "https://git.kernel.org/stable/c/0cd331dfd6023640c9669d0592bc0fd491205f87" + }, + { + "url": "https://git.kernel.org/stable/c/c1701ea85ef0ec7be6a1b36c7da69f572ed2fd12" + }, + { + "url": "https://git.kernel.org/stable/c/24ec8f0da93b8a9fba11600be8a90f0d73fb46f1" + }, + { + "url": "https://git.kernel.org/stable/c/3d3a5b31b43515b5752ff282702ca546ec3e48b6" + }, + { + "url": "https://git.kernel.org/stable/c/19d7314f2fb9515bdaac9829d4d8eb34edd1fe95" + }, + { + "url": "https://git.kernel.org/stable/c/3871aa01e1a779d866fa9dfdd5a836f342f4eb87" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/3871aa01e1a779d866fa9dfdd5a836f342f4eb87(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26663" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-464", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26663" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Check the bearer type before calling tipc_udp_nl_bearer_add()\n\nsyzbot reported the following general protection fault [1]:\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]\n...\nRIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291\n...\nCall Trace:\n \n tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646\n tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089\n genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972\n genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]\n genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067\n netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544\n genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367\n netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0xd5/0x180 net/socket.c:745\n ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584\n ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638\n __sys_sendmsg+0x117/0x1e0 net/socket.c:2667\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nThe cause of this issue is that when tipc_nl_bearer_add() is called with\nthe TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called\neven if the bearer is not UDP.\n\ntipc_udp_is_known_peer() called by tipc_udp_nl_bearer_add() assumes that\nthe media_ptr field of the tipc_bearer has an udp_bearer type object, so\nthe function goes crazy for non-UDP bearers.\n\nThis patch fixes the issue by checking the bearer type before calling\ntipc_udp_nl_bearer_add() in tipc_nl_bearer_add().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26663", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26663" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba" + }, + { + "url": "https://git.kernel.org/stable/c/f396b4df27cfe01a99f4b41f584c49e56477be3a" + }, + { + "url": "https://git.kernel.org/stable/c/d24fe6d5a1cfdddb7a9ef56736ec501c4d0a5fd3" + }, + { + "url": "https://git.kernel.org/linus/bbcc1c83f343e580c3aa1f2a8593343bf7b55bba(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27408" + } + ], + "bom-ref": "vuln-465", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27408" + } + } + ], + "created": "2024-05-17T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: dw-edma: eDMA: Add sync read before starting the DMA transfer in remote setup\n\nThe Linked list element and pointer are not stored in the same memory as\nthe eDMA controller register. If the doorbell register is toggled before\nthe full write of the linked list a race condition error will occur.\nIn remote setup we can only use a readl to the memory to assure the full\nwrite has occurred.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27408", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27408" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2214e2bb5489145aba944874d0ee1652a0a63dc8" + }, + { + "url": "https://git.kernel.org/stable/c/53f2cb491b500897a619ff6abd72f565933760f0" + }, + { + "url": "https://git.kernel.org/stable/c/944900fe2736c07288efe2d9394db4d3ca23f2c9" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-466", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix NULL deref on tls_sw_splice_eof() with empty record\n\nsyzkaller discovered that if tls_sw_splice_eof() is executed as part of\nsendfile() when the plaintext/ciphertext sk_msg are empty, the send path\ngets confused because the empty ciphertext buffer does not have enough\nspace for the encryption overhead. This causes tls_push_record() to go on\nthe `split = true` path (which is only supposed to be used when interacting\nwith an attached BPF program), and then get further confused and hit the\ntls_merge_open_record() path, which then assumes that there must be at\nleast one populated buffer element, leading to a NULL deref.\n\nIt is possible to have empty plaintext/ciphertext buffers if we previously\nbailed from tls_sw_sendmsg_locked() via the tls_trim_both_msgs() path.\ntls_sw_push_pending_record() already handles this case correctly; let's do\nthe same check in tls_sw_splice_eof().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52767", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52767" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24e51d6eb578b82ff292927f14b9f5ec05a46beb" + }, + { + "url": "https://git.kernel.org/stable/c/d0b07f712bf61e1a3cf23c87c663791c42e50837" + }, + { + "url": "https://git.kernel.org/stable/c/7393c681f9aa05ffe2385e8716989565eed2fe06" + }, + { + "url": "https://git.kernel.org/stable/c/1597cd1a88cfcdc4bf8b1b44cd458fed9a5a5d63" + }, + { + "url": "https://git.kernel.org/stable/c/55ca0c7eae8499bb96f4e5d9b26af95e89c4e6a0" + }, + { + "url": "https://git.kernel.org/stable/c/656b8cc123d7635dd399d9f02594f27aa797ac3c" + }, + { + "url": "https://git.kernel.org/stable/c/af37aed04997e644f7e1b52b696b62dcae3cc016" + }, + { + "url": "https://git.kernel.org/stable/c/910363473e4bf97da3c350e08d915546dd6cc30b" + }, + { + "url": "https://git.kernel.org/linus/d0b07f712bf61e1a3cf23c87c663791c42e50837(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27073" + } + ], + "bom-ref": "vuln-467", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27073" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ttpci: fix two memleaks in budget_av_attach\n\nWhen saa7146_register_device and saa7146_vv_init fails, budget_av_attach\nshould free the resources it allocates, like the error-handling of\nttpci_budget_init does. Besides, there are two fixme comment refers to\nsuch deallocations.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27073", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27073" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0c33d11153949310d76631d8f4a4736519eacd3a" + }, + { + "url": "https://git.kernel.org/stable/c/e6721ea845fcb93a764a92bd40f1afc0d6c69751" + }, + { + "url": "https://git.kernel.org/stable/c/fcbd99b3c73309107e3be71f20dff9414df64f91" + }, + { + "url": "https://git.kernel.org/stable/c/315eb3c2df7e4cb18e3eacfa18a53a46f2bf0ef7" + }, + { + "url": "https://git.kernel.org/stable/c/e6768c6737f4c02cba193a3339f0cc2907f0b86a" + }, + { + "url": "https://git.kernel.org/stable/c/3b0daecfeac0103aba8b293df07a0cbaf8b43f29" + }, + { + "url": "https://git.kernel.org/stable/c/8b0564704255c6b3c6a7188e86939f754e1577c0" + }, + { + "url": "https://git.kernel.org/stable/c/cbac7de1d9901521e78cdc34e15451df3611f2ad" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3TH6JK7ZZMSXSVHOJKIMSSOC6EQM4WV/" + }, + { + "url": "https://git.kernel.org/linus/3b0daecfeac0103aba8b293df07a0cbaf8b43f29" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26817" + } + ], + "bom-ref": "vuln-468", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26817" + } + } + ], + "created": "2024-04-13T12:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\namdkfd: use calloc instead of kzalloc to avoid integer overflow\n\nThis uses calloc instead of doing the multiplication which might\noverflow.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26817", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26817" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/790fa2c04dfb9f095ec372bf17909424d6e864b3" + }, + { + "url": "https://git.kernel.org/stable/c/e04d15c8bb3e111dd69f98894acd92d63e87aac3" + }, + { + "url": "https://git.kernel.org/stable/c/b9b683844b01d171a72b9c0419a2d760d946ee12" + }, + { + "url": "https://git.kernel.org/stable/c/7405a0d4442792988e9ae834e7d84f9d163731a4" + }, + { + "url": "https://git.kernel.org/stable/c/291cda0b805fc0d6e90d201710311630c8667159" + }, + { + "url": "https://git.kernel.org/stable/c/7f11dd3d165b178e738fe73dfeea513e383bedb5" + }, + { + "url": "https://git.kernel.org/stable/c/d43988a23c32588ccd0c74219637afb96cd78661" + }, + { + "url": "https://git.kernel.org/stable/c/b49fe84c6cefcc1c2336d793b53442e716c95073" + }, + { + "url": "https://git.kernel.org/stable/c/f31c1cc37411f5f7bcb266133f9a7e1b4bdf2975" + }, + { + "url": "https://git.kernel.org/linus/b9b683844b01d171a72b9c0419a2d760d946ee12(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27074" + } + ], + "bom-ref": "vuln-469", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27074" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: go7007: fix a memleak in go7007_load_encoder\n\nIn go7007_load_encoder, bounce(i.e. go->boot_fw), is allocated without\na deallocation thereafter. After the following call chain:\n\nsaa7134_go7007_init\n |-> go7007_boot_encoder\n |-> go7007_load_encoder\n |-> kfree(go)\n\ngo is freed and thus bounce is leaked.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27074", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27074" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7" + }, + { + "url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0" + }, + { + "url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9" + }, + { + "url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003" + }, + { + "url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb" + }, + { + "url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8" + }, + { + "url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6741-1" + }, + { + "url": "https://git.kernel.org/linus/60c0c230c6f046da536d3df8b39a20b9a9fd6af0(6.8-rc4)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-2" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26581" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-470", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26581" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581" + } + } + ], + "created": "2024-02-20T13:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26581", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-19T17:41:29Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/54a03e4ac1a41edf8a5087bd59f8241b0de96d3d" + }, + { + "url": "https://git.kernel.org/stable/c/68644bf5ec6baaff40fc39b3529c874bfda709bd" + }, + { + "url": "https://git.kernel.org/stable/c/2e845867b4e279eff0a19ade253390470e07e8a1" + }, + { + "url": "https://git.kernel.org/stable/c/a41c8efe659caed0e21422876bbb6b73c15b5244" + }, + { + "url": "https://git.kernel.org/stable/c/d47e6c1932cee02954ea588c9f09fd5ecefeadfc" + }, + { + "url": "https://git.kernel.org/stable/c/8c28598a2c29201d2ba7fc37539a7d41c264fb10" + }, + { + "url": "https://git.kernel.org/stable/c/6d5a9d4a7bcbb7534ce45a18a52e7bd23e69d8ac" + }, + { + "url": "https://git.kernel.org/stable/c/81137162bfaa7278785b24c1fd2e9e74f082e8e4" + }, + { + "url": "https://git.kernel.org/stable/c/2edce8e9a99dd5e4404259d52e754fdc97fb42c2" + }, + { + "url": "https://git.kernel.org/linus/81137162bfaa7278785b24c1fd2e9e74f082e8e4(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26889" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-471", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26889" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_core: Fix possible buffer overflow\n\nstruct hci_dev_info has a fixed size name[8] field so in the event that\nhdev->name is bigger than that strcpy would attempt to write past its\nsize, so this fixes this problem by switching to use strscpy.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26889", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26889" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZON4TLXG7TG4A2XZG563JMVTGQW4SF3A/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EIUICU6CVJUIB6BPJ7P5QTPQR5VOBHFK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H63LGAQXPEVJOES73U4XK65I6DASOAAG/" + }, + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://www.kb.cert.org/vuls/id/488902" + }, + { + "url": "https://xenbits.xen.org/xsa/advisory-453.html" + }, + { + "url": "https://ibm.github.io/system-security-research-updates/2024/03/12/ghostrace" + }, + { + "url": "https://kb.cert.org/vuls/id/488902" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7016.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2525.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2193" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-472", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2193" + } + } + ], + "created": "2024-03-15T18:15:08Z", + "description": "A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-2193", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2193" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T17:15:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:26:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217271" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3397" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2023-043.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1883.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2340.html" + }, + { + "url": "https://lore.kernel.org/lkml/20230515095956.17898-1-zyytlz.wz@163.com/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3397" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2023-056.html" + } + ], + "bom-ref": "vuln-473", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-3397" + } + }, + { + "severity": "medium", + "score": 6.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + } + } + ], + "created": "2023-11-01T20:15:08Z", + "description": "A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-3397", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3397" + }, + "cwes": [ + 416, + 362 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-11-09T15:09:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:17:16Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1d76bd2a0034d0d08045c1c6adf2235d88982952" + }, + { + "url": "https://git.kernel.org/stable/c/743edc8547a92b6192aa1f1b6bb78233fa21dc9b" + }, + { + "url": "https://git.kernel.org/stable/c/751d352858108314efd33dddd5a9a2b6bf7d6916" + }, + { + "url": "https://git.kernel.org/stable/c/0b88631855026b55cad901ac28d081e0f358e596" + }, + { + "url": "https://git.kernel.org/stable/c/17e9e0bbae652b9b2049e51699e93dfa60b2988d" + }, + { + "url": "https://git.kernel.org/stable/c/039992b6d2df097c65f480dcf269de3d2656f573" + }, + { + "url": "https://git.kernel.org/stable/c/e890456051fe8c57944b911defb3e6de91315861" + }, + { + "url": "https://git.kernel.org/linus/743edc8547a92b6192aa1f1b6bb78233fa21dc9b(6.9-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36007" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-474", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36007" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix warning during rehash\n\nAs previously explained, the rehash delayed work migrates filters from\none region to another. This is done by iterating over all chunks (all\nthe filters with the same priority) in the region and in each chunk\niterating over all the filters.\n\nWhen the work runs out of credits it stores the current chunk and entry\nas markers in the per-work context so that it would know where to resume\nthe migration from the next time the work is scheduled.\n\nUpon error, the chunk marker is reset to NULL, but without resetting the\nentry markers despite being relative to it. This can result in migration\nbeing resumed from an entry that does not belong to the chunk being\nmigrated. In turn, this will eventually lead to a chunk being iterated\nover as if it is an entry. Because of how the two structures happen to\nbe defined, this does not lead to KASAN splats, but to warnings such as\n[1].\n\nFix by creating a helper that resets all the markers and call it from\nall the places the currently only reset the chunk marker. For good\nmeasures also call it when starting a completely new rehash. Add a\nwarning to avoid future cases.\n\n[1]\nWARNING: CPU: 7 PID: 1076 at drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.c:407 mlxsw_afk_encode+0x242/0x2f0\nModules linked in:\nCPU: 7 PID: 1076 Comm: kworker/7:24 Tainted: G W 6.9.0-rc3-custom-00880-g29e61d91b77b #29\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work\nRIP: 0010:mlxsw_afk_encode+0x242/0x2f0\n[...]\nCall Trace:\n \n mlxsw_sp_acl_atcam_entry_add+0xd9/0x3c0\n mlxsw_sp_acl_tcam_entry_create+0x5e/0xa0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x109/0x290\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x6c/0x470\n process_one_work+0x151/0x370\n worker_thread+0x2cb/0x3e0\n kthread+0xd0/0x100\n ret_from_fork+0x34/0x50\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-36007", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36007" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b0b268eeb087e324ef3ea71f8e6cabd07630517f" + }, + { + "url": "https://git.kernel.org/stable/c/6ec3514a7d35ad9cfab600187612c29f669069d2" + }, + { + "url": "https://git.kernel.org/stable/c/d1718530e3f640b7d5f0050e725216eab57a85d8" + }, + { + "url": "https://git.kernel.org/stable/c/f15370e315976198f338b41611f37ce82af6cf54" + }, + { + "url": "https://git.kernel.org/stable/c/3a63ae0348d990e137cca04eced5b08379969ea9" + }, + { + "url": "https://git.kernel.org/stable/c/59f33af9796160f851641d960bd93937f282c696" + }, + { + "url": "https://git.kernel.org/stable/c/ac882d6b21bffecb57bcc4486701239eef5aa67b" + }, + { + "url": "https://git.kernel.org/stable/c/a3b8ae7e9297dd453f2977b011c5bc75eb20e71b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27001" + }, + { + "url": "https://git.kernel.org/linus/d1718530e3f640b7d5f0050e725216eab57a85d8(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-475", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27001" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\nWhile vmk80xx does have endpoint checking implemented, some things\ncan fall through the cracks. Depending on the hardware model,\nURBs can have either bulk or interrupt type, and current version\nof vmk80xx_find_usb_endpoints() function does not take that fully\ninto account. While this warning does not seem to be too harmful,\nat the very least it will crash systems with 'panic_on_warn' set on\nthem.\n\nFix the issue found by Syzkaller [1] by somewhat simplifying the\nendpoint checking process with usb_find_common_endpoints() and\nensuring that only expected endpoint types are present.\n\nThis patch has not been tested on real hardware.\n\n[1] Syzkaller report:\nusb 1-1: BOGUS urb xfer, pipe 1 != type 3\nWARNING: CPU: 0 PID: 781 at drivers/usb/core/urb.c:504 usb_submit_urb+0xc4e/0x18c0 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \n usb_start_wait_urb+0x113/0x520 drivers/usb/core/message.c:59\n vmk80xx_reset_device drivers/comedi/drivers/vmk80xx.c:227 [inline]\n vmk80xx_auto_attach+0xa1c/0x1a40 drivers/comedi/drivers/vmk80xx.c:818\n comedi_auto_config+0x238/0x380 drivers/comedi/drivers.c:1067\n usb_probe_interface+0x5cd/0xb00 drivers/usb/core/driver.c:399\n...\n\nSimilar issue also found by Syzkaller:", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27001", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27001" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/82ae47c5c3a6b27fdc0f9e83c1499cb439c56140" + }, + { + "url": "https://git.kernel.org/stable/c/b74aa9ce13d02b7fd37c5325b99854f91b9b4276" + }, + { + "url": "https://git.kernel.org/stable/c/4fe505c63aa3273135a57597fda761e9aecc7668" + }, + { + "url": "https://git.kernel.org/stable/c/1279f9d9dec2d7462823a18c29ad61359e0a007d" + }, + { + "url": "https://git.kernel.org/stable/c/e0e09186d8821ad59806115d347ea32efa43ca4b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26676" + }, + { + "url": "https://git.kernel.org/linus/1279f9d9dec2d7462823a18c29ad61359e0a007d(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-476", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26676" + } + } + ], + "created": "2024-04-02T07:15:44Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.\n\nsyzbot reported a warning [0] in __unix_gc() with a repro, which\ncreates a socketpair and sends one socket's fd to itself using the\npeer.\n\n socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0\n sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=\"\\360\", iov_len=1}],\n msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,\n cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],\n msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1\n\nThis forms a self-cyclic reference that GC should finally untangle\nbut does not due to lack of MSG_OOB handling, resulting in memory\nleak.\n\nRecently, commit 11498715f266 (\"af_unix: Remove io_uring code for\nGC.\") removed io_uring's dead code in GC and revealed the problem.\n\nThe code was executed at the final stage of GC and unconditionally\nmoved all GC candidates from gc_candidates to gc_inflight_list.\nThat papered over the reported problem by always making the following\nWARN_ON_ONCE(!list_empty(&gc_candidates)) false.\n\nThe problem has been there since commit 2aab4b969002 (\"af_unix: fix\nstruct pid leaks in OOB support\") added full scm support for MSG_OOB\nwhile fixing another bug.\n\nTo fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb\nif the socket still exists in gc_candidates after purging collected skb.\n\nThen, we need to set NULL to oob_skb before calling kfree_skb() because\nit calls last fput() and triggers unix_release_sock(), where we call\nduplicate kfree_skb(u->oob_skb) if not NULL.\n\nNote that the leaked socket remained being linked to a global list, so\nkmemleak also could not detect it. We need to check /proc/net/protocol\nto notice the unfreed socket.\n\n[0]:\nWARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nModules linked in:\nCPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: events_unbound __unix_gc\nRIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345\nCode: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8\nRSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e\nRDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30\nRBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66\nR10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000\nR13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001\nFS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n process_one_work+0x889/0x15e0 kernel/workqueue.c:2633\n process_scheduled_works kernel/workqueue.c:2706 [inline]\n worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787\n kthread+0x2c6/0x3b0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26676", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26676" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/198270de9d8eb3b5d5f030825ea303ef95285d24" + }, + { + "url": "https://git.kernel.org/stable/c/15eb996d7d13cb72a16389231945ada8f0fef2c3" + }, + { + "url": "https://git.kernel.org/stable/c/5cd8a51517ce15edbdcea4fc74c4c127ddaa1bd6" + }, + { + "url": "https://git.kernel.org/stable/c/3aa58cb51318e329d203857f7a191678e60bb714" + }, + { + "url": "https://git.kernel.org/stable/c/25ab4d72eb7cbfa0f3d97a139a9b2bfcaa72dd59" + }, + { + "url": "https://git.kernel.org/stable/c/ae6769ba51417c1c86fb645812d5bff455eee802" + }, + { + "url": "https://git.kernel.org/stable/c/1c75fe450b5200c78f4a102a0eb8e15d8f1ccda8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35833" + }, + { + "url": "https://git.kernel.org/linus/3aa58cb51318e329d203857f7a191678e60bb714(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-477", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35833" + } + } + ], + "created": "2024-05-17T14:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA\n\nThis dma_alloc_coherent() is undone neither in the remove function, nor in\nthe error handling path of fsl_qdma_probe().\n\nSwitch to the managed version to fix both issues.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35833", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35833" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/76c2f4d426a5358fced5d5990744d46f10a4ccea" + }, + { + "url": "https://git.kernel.org/stable/c/0dc727a4e05400205358a22c3d01ccad2c8e1fe4" + }, + { + "url": "https://git.kernel.org/stable/c/2ef607ea103616aec0289f1b65d103d499fa903a" + }, + { + "url": "https://git.kernel.org/stable/c/936a02b5a9630c5beb0353c3085cc49d86c57034" + }, + { + "url": "https://git.kernel.org/stable/c/81cf85ae4f2dd5fa3e43021782aa72c4c85558e8" + }, + { + "url": "https://git.kernel.org/stable/c/46dad3c1e57897ab9228332f03e1c14798d2d3b9" + }, + { + "url": "https://git.kernel.org/linus/46dad3c1e57897ab9228332f03e1c14798d2d3b9(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26988" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-478", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26988" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninit/main.c: Fix potential static_command_line memory overflow\n\nWe allocate memory of size 'xlen + strlen(boot_command_line) + 1' for\nstatic_command_line, but the strings copied into static_command_line are\nextra_command_line and command_line, rather than extra_command_line and\nboot_command_line.\n\nWhen strlen(command_line) > strlen(boot_command_line), static_command_line\nwill overflow.\n\nThis patch just recovers strlen(command_line) which was miss-consolidated\nwith strlen(boot_command_line) in the commit f5c7310ac73e (\"init/main: add\nchecks for the return value of memblock_alloc*()\")", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26988", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26988" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9683cb6c2c6c0f45537bf0b8868b5d38fcb63fc7" + }, + { + "url": "https://git.kernel.org/stable/c/df257c435e51651c43b86326d112ddadda76350e" + }, + { + "url": "https://git.kernel.org/stable/c/4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139" + }, + { + "url": "https://git.kernel.org/stable/c/4d37f12707ee965d338028732575f0b85f6d9e4f" + }, + { + "url": "https://git.kernel.org/stable/c/2531f907d3e40a6173090f10670ae76d117ab27b" + }, + { + "url": "https://git.kernel.org/stable/c/3443e57654f90c9a843ab6a6040c10709fd033aa" + }, + { + "url": "https://git.kernel.org/stable/c/640dbf688ba955e83e03de84fbdda8e570b7cce4" + }, + { + "url": "https://git.kernel.org/stable/c/fcf32a5bfcb8a57ac0ce717fcfa4d688c91f1005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27065" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139(6.9-rc1)" + } + ], + "bom-ref": "vuln-479", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27065" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not compare internal table flags on updates\n\nRestore skipping transaction if table update does not modify flags.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27065", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27065" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d219724d4b0ddb8ec7dfeaed5989f23edabaf591" + }, + { + "url": "https://git.kernel.org/stable/c/4d99d267da3415db2124029cb5a6d2d955ca43f9" + }, + { + "url": "https://git.kernel.org/stable/c/e888c4461e109f7b93c3522afcbbaa5a8fdf29d2" + }, + { + "url": "https://git.kernel.org/stable/c/5f0e4aede01cb01fa633171f0533affd25328c3a" + }, + { + "url": "https://git.kernel.org/stable/c/bea9573c795acec5614d4ac2dcc7b3b684cea5bf" + }, + { + "url": "https://git.kernel.org/stable/c/96481624fb5a6319079fb5059e46dbce43a90186" + }, + { + "url": "https://git.kernel.org/stable/c/da10f6b7918abd5b4bc5c9cb66f0fc6763ac48f3" + }, + { + "url": "https://git.kernel.org/stable/c/f0dd27314c7afe34794c2aa19dd6f2d30eb23bc7" + }, + { + "url": "https://git.kernel.org/stable/c/8e243ac649c10922a6b4855170eaefe4c5b3faab" + }, + { + "url": "https://git.kernel.org/linus/5f0e4aede01cb01fa633171f0533affd25328c3a(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35828" + } + ], + "bom-ref": "vuln-480", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35828" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()\n\nIn the for statement of lbs_allocate_cmd_buffer(), if the allocation of\ncmdarray[i].cmdbuf fails, both cmdarray and cmdarray[i].cmdbuf needs to\nbe freed. Otherwise, there will be memleaks in lbs_allocate_cmd_buffer().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35828", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35828" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/224453de8505aede1890f007be973925a3edf6a1" + }, + { + "url": "https://git.kernel.org/stable/c/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288" + }, + { + "url": "https://git.kernel.org/stable/c/070398d32c5f3ab0e890374904ad94551c76aec4" + }, + { + "url": "https://git.kernel.org/stable/c/bc3c2e58d73b28b9a8789fca84778ee165a72d13" + }, + { + "url": "https://git.kernel.org/stable/c/8c54acf33e5adaad6374bf3ec1e3aff0591cc8e1" + }, + { + "url": "https://git.kernel.org/stable/c/a9ca4e80d23474f90841251f4ac0d941fa337a01" + }, + { + "url": "https://git.kernel.org/stable/c/512ee6d6041e007ef5bf200c6e388e172a2c5b24" + }, + { + "url": "https://git.kernel.org/stable/c/84dce0f6a4cc5b7bfd7242ef9290db8ac1dd77ff" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26778" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/04e5eac8f3ab2ff52fa191c187a46d4fdbc1e288(6.8-rc2)" + } + ], + "bom-ref": "vuln-481", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26778" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: savage: Error out if pixclock equals zero\n\nThe userspace program could pass any values to the driver through\nioctl() interface. If the driver doesn't check the value of pixclock,\nit may cause divide-by-zero error.\n\nAlthough pixclock is checked in savagefb_decode_var(), but it is not\nchecked properly in savagefb_probe(). Fix this by checking whether\npixclock is zero in the function savagefb_check_var() before\ninfo->var.pixclock is used as the divisor.\n\nThis is similar to CVE-2022-3061 in i740fb which was fixed by\ncommit 15cf0b8.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26778", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26778" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/851cc19bdb02556fb13629b3e4fef6f2bdb038fe" + }, + { + "url": "https://git.kernel.org/stable/c/be9e2752d823eca1d5af67014a1844a9176ff566" + }, + { + "url": "https://git.kernel.org/stable/c/83fe1bbd9e259ad109827ccfbfc2488e0dea8e94" + }, + { + "url": "https://git.kernel.org/stable/c/9de184d4e557d550fb0b7b833b676bda4f269e4f" + }, + { + "url": "https://git.kernel.org/stable/c/e117c6e2d1617520f5f7d7f6f6b395f01d8b5a27" + }, + { + "url": "https://git.kernel.org/stable/c/1040ef5ed95d6fd2628bad387d78a61633e09429" + }, + { + "url": "https://git.kernel.org/stable/c/b6b31b4c67ea6bd9222e5b73b330554c57f2f90d" + }, + { + "url": "https://git.kernel.org/stable/c/dd92b159c506804ac57adf3742d9728298bb1255" + }, + { + "url": "https://git.kernel.org/stable/c/fc3ac2fcd0a7fad63eba1b359490a4b81720d0f9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26969" + }, + { + "url": "https://git.kernel.org/linus/1040ef5ed95d6fd2628bad387d78a61633e09429(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-482", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26969" + } + } + ], + "created": "2024-05-01T06:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: gcc-ipq8074: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26969", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26969" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0430bfcd46657d9116a26cd377f112cbc40826a4" + }, + { + "url": "https://git.kernel.org/stable/c/14ef61594a5a286ae0d493b8acbf9eac46fd04c4" + }, + { + "url": "https://git.kernel.org/stable/c/486218c11e8d1c8f515a3bdd70d62203609d4b6b" + }, + { + "url": "https://git.kernel.org/stable/c/7104ba0f1958adb250319e68a15eff89ec4fd36d" + }, + { + "url": "https://git.kernel.org/stable/c/396e17af6761b3cc9e6e4ca94b4de7f642bfece1" + }, + { + "url": "https://git.kernel.org/stable/c/be3b82e4871ba00e9b5d0ede92d396d579d7b3b3" + }, + { + "url": "https://git.kernel.org/stable/c/8cc889b9dea0579726be9520fcc766077890b462" + }, + { + "url": "https://git.kernel.org/stable/c/8398d8d735ee93a04fb9e9f490e8cacd737e3bf5" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d(6.8-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-483", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26600" + } + } + ], + "created": "2024-02-26T16:27:59Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T18:29:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e601ae81910ce6a3797876e190a2d8ef6cf828bc" + }, + { + "url": "https://git.kernel.org/stable/c/083686474e7c97b0f8b66df37fcb64e432e8b771" + }, + { + "url": "https://git.kernel.org/stable/c/d4d813c0a14d6bf52d810a55db06a2e7e3d98eaa" + }, + { + "url": "https://git.kernel.org/stable/c/2df70149e73e79783bcbc7db4fa51ecef0e2022c" + }, + { + "url": "https://git.kernel.org/stable/c/fbca8bae1ba79d443a58781b45e92a73a24ac8f8" + }, + { + "url": "https://git.kernel.org/stable/c/cefe18e9ec84f8fe3e198ccebb815cc996eb9797" + }, + { + "url": "https://git.kernel.org/stable/c/7394abc8926adee6a817bab10797e0adc898af77" + }, + { + "url": "https://git.kernel.org/stable/c/d7acc4a569f5f4513120c85ea2b9f04909b7490f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27412" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2df70149e73e79783bcbc7db4fa51ecef0e2022c(6.8-rc7)" + } + ], + "bom-ref": "vuln-484", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27412" + } + } + ], + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: bq27xxx-i2c: Do not free non existing IRQ\n\nThe bq27xxx i2c-client may not have an IRQ, in which case\nclient->irq will be 0. bq27xxx_battery_i2c_probe() already has\nan if (client->irq) check wrapping the request_threaded_irq().\n\nBut bq27xxx_battery_i2c_remove() unconditionally calls\nfree_irq(client->irq) leading to:\n\n[ 190.310742] ------------[ cut here ]------------\n[ 190.310843] Trying to free already-free IRQ 0\n[ 190.310861] WARNING: CPU: 2 PID: 1304 at kernel/irq/manage.c:1893 free_irq+0x1b8/0x310\n\nFollowed by a backtrace when unbinding the driver. Add\nan if (client->irq) to bq27xxx_battery_i2c_remove() mirroring\nprobe() to fix this.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27412", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27412" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5099871b370335809c0fd1abad74d9c7c205d43f" + }, + { + "url": "https://git.kernel.org/stable/c/16b1025eaa8fc223ab4273ece20d1c3a4211a95d" + }, + { + "url": "https://git.kernel.org/stable/c/65977bed167a92e87085e757fffa5798f7314c9f" + }, + { + "url": "https://git.kernel.org/stable/c/c593d26fb5d577ef31b6e49a31e08ae3ebc1bc1e" + }, + { + "url": "https://git.kernel.org/stable/c/1f12e4b3284d6c863f272eb2de0d4248ed211cf4" + }, + { + "url": "https://git.kernel.org/stable/c/9319b647902cbd5cc884ac08a8a6d54ce111fc78" + }, + { + "url": "https://git.kernel.org/stable/c/ec18ec230301583395576915d274b407743d8f6c" + }, + { + "url": "https://git.kernel.org/stable/c/81e7d2530d458548b90a5c5e76b77ad5e5d1c0df" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26720" + }, + { + "url": "https://git.kernel.org/linus/9319b647902cbd5cc884ac08a8a6d54ce111fc78(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-485", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26720" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again\n\n(struct dirty_throttle_control *)->thresh is an unsigned long, but is\npassed as the u32 divisor argument to div_u64(). On architectures where\nunsigned long is 64 bytes, the argument will be implicitly truncated.\n\nUse div64_u64() instead of div_u64() so that the value used in the \"is\nthis a safe division\" check is the same as the divisor.\n\nAlso, remove redundant cast of the numerator to u64, as that should happen\nimplicitly.\n\nThis would be difficult to exploit in memcg domain, given the ratio-based\narithmetic domain_drity_limits() uses, but is much easier in global\nwriteback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g. \nvm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26720", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26720" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/22207fd5c80177b860279653d017474b2812af5e" + }, + { + "url": "https://git.kernel.org/stable/c/af054a5fb24a144f99895afce9519d709891894c" + }, + { + "url": "https://git.kernel.org/stable/c/22f665ecfd1225afa1309ace623157d12bb9bb0c" + }, + { + "url": "https://git.kernel.org/stable/c/e87e08c94c9541b4e18c4c13f2f605935f512605" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26656" + }, + { + "url": "https://git.kernel.org/linus/22207fd5c80177b860279653d017474b2812af5e(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-486", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26656" + } + } + ], + "created": "2024-04-02T07:15:42Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free bug\n\nThe bug can be triggered by sending a single amdgpu_gem_userptr_ioctl\nto the AMDGPU DRM driver on any ASICs with an invalid address and size.\nThe bug was reported by Joonkyo Jung .\nFor example the following code:\n\nstatic void Syzkaller1(int fd)\n{\n\tstruct drm_amdgpu_gem_userptr arg;\n\tint ret;\n\n\targ.addr = 0xffffffffffff0000;\n\targ.size = 0x80000000; /*2 Gb*/\n\targ.flags = 0x7;\n\tret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);\n}\n\nDue to the address and size are not valid there is a failure in\namdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->\ncheck_shl_overflow, but we even the amdgpu_hmm_register failure we still call\namdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.\nThe following stack is below when the issue is reproduced when Kazan is enabled:\n\n[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020\n[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340\n[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80\n[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246\n[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b\n[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260\n[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25\n[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00\n[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260\n[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000\n[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0\n[ +0.000010] Call Trace:\n[ +0.000006] \n[ +0.000007] ? show_regs+0x6a/0x80\n[ +0.000018] ? __warn+0xa5/0x1b0\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000018] ? report_bug+0x24a/0x290\n[ +0.000022] ? handle_bug+0x46/0x90\n[ +0.000015] ? exc_invalid_op+0x19/0x50\n[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20\n[ +0.000017] ? kasan_save_stack+0x26/0x50\n[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340\n[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340\n[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10\n[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0\n[ +0.000018] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? __kasan_check_read+0x11/0x20\n[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]\n[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]\n[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]\n[ +0.004291] ? do_syscall_64+0x5f/0xe0\n[ +0.000023] ? srso_return_thunk+0x5/0x5f\n[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]\n[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]\n[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004270] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20\n[ +0.000015] ? srso_return_thunk+0x5/0x5f\n[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0\n[ +0.000020] ? srso_return_thunk+0x5/0x5f\n[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20\n[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]\n[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]\n[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]\n[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]\n[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26656", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26656" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T14:15:17Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb7b01ca778170654e1c76950024270ba74b121f" + }, + { + "url": "https://git.kernel.org/stable/c/014bcf41d946b36a8f0b8e9b5d9529efbb822f49" + }, + { + "url": "https://git.kernel.org/stable/c/6c1f36d92c0a8799569055012665d2bb066fb964" + }, + { + "url": "https://git.kernel.org/stable/c/284fb1003d5da111019b9e0bf99b084fd71ac133" + }, + { + "url": "https://git.kernel.org/stable/c/f42ba916689f5c7b1642092266d2f53cf527aaaa" + }, + { + "url": "https://git.kernel.org/stable/c/871fd7b10b56d280990b7e754f43d888382ca325" + }, + { + "url": "https://git.kernel.org/stable/c/9968c701cba7eda42e5f0052b040349d6222ae34" + }, + { + "url": "https://git.kernel.org/stable/c/3a67d4ab9e730361d183086dfb0ddd8c61f01636" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27059" + }, + { + "url": "https://git.kernel.org/linus/014bcf41d946b36a8f0b8e9b5d9529efbb822f49(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-487", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27059" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: usb-storage: Prevent divide-by-0 error in isd200_ata_command\n\nThe isd200 sub-driver in usb-storage uses the HEADS and SECTORS values\nin the ATA ID information to calculate cylinder and head values when\ncreating a CDB for READ or WRITE commands. The calculation involves\ndivision and modulus operations, which will cause a crash if either of\nthese values is 0. While this never happens with a genuine device, it\ncould happen with a flawed or subversive emulation, as reported by the\nsyzbot fuzzer.\n\nProtect against this possibility by refusing to bind to the device if\neither the ATA_ID_HEADS or ATA_ID_SECTORS value in the device's ID\ninformation is 0. This requires isd200_Initialization() to return a\nnegative error code when initialization fails; currently it always\nreturns 0 (even when there is an error).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27059", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27059" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3@huawei.com/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25740" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-488", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25740" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-25740", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25740" + }, + "cwes": [ + 401 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-26T21:11:27Z" + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25741" + }, + { + "url": "https://lore.kernel.org/all/CALGdzurBnMztPW1Q8mujfYaopVQ8MkSUXUvnAqJcLGu5ROSU4Q@mail.gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-489", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-25741" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-25741", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25741" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-12T14:20:03Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4c65507121ea8e0b47fae6d2049c8688390d46b6" + }, + { + "url": "https://git.kernel.org/stable/c/d0d04efa2e367921654b5106cc5c05e3757c2b42" + }, + { + "url": "https://git.kernel.org/stable/c/de1bf25b6d771abdb52d43546cf57ad775fb68a1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27005" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/de1bf25b6d771abdb52d43546cf57ad775fb68a1(6.9-rc5)" + } + ], + "bom-ref": "vuln-490", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27005" + } + } + ], + "created": "2024-05-01T06:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's being manipulated\n\nThe icc_lock mutex was split into separate icc_lock and icc_bw_lock\nmutexes in [1] to avoid lockdep splats. However, this didn't adequately\nprotect access to icc_node::req_list.\n\nThe icc_set_bw() function will eventually iterate over req_list while\nonly holding icc_bw_lock, but req_list can be modified while only\nholding icc_lock. This causes races between icc_set_bw(), of_icc_get(),\nand icc_put().\n\nExample A:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n icc_put(path_b)\n mutex_lock(&icc_lock);\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_del(...\n \n\nExample B:\n\n CPU0 CPU1\n ---- ----\n icc_set_bw(path_a)\n mutex_lock(&icc_bw_lock);\n path_b = of_icc_get()\n of_icc_get_by_index()\n mutex_lock(&icc_lock);\n path_find()\n path_init()\n aggregate_requests()\n hlist_for_each_entry(r, ...\n hlist_add_head(...\n \n\nFix this by ensuring icc_bw_lock is always held before manipulating\nicc_node::req_list. The additional places icc_bw_lock is held don't\nperform any memory allocations, so we should still be safe from the\noriginal lockdep splats that motivated the separate locks.\n\n[1] commit af42269c3523 (\"interconnect: Fix locking for runpm vs reclaim\")", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27005", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27005" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6673d9f1c2cd984390550dbdf7d5ae07b20abbf8" + }, + { + "url": "https://git.kernel.org/stable/c/b609c783c535493aa3fca22c7e40a120370b1ca5" + }, + { + "url": "https://git.kernel.org/stable/c/624902eab7abcb8731b333ec73f206d38d839cd8" + }, + { + "url": "https://git.kernel.org/stable/c/6f95120f898b40d13fd441225ef511307853c9c2" + }, + { + "url": "https://git.kernel.org/stable/c/b6c620dc43ccb4e802894e54b651cf81495e9598" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26826" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/b6c620dc43ccb4e802894e54b651cf81495e9598(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-491", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26826" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: fix data re-injection from stale subflow\n\nWhen the MPTCP PM detects that a subflow is stale, all the packet\nscheduler must re-inject all the mptcp-level unacked data. To avoid\nacquiring unneeded locks, it first try to check if any unacked data\nis present at all in the RTX queue, but such check is currently\nbroken, as it uses TCP-specific helper on an MPTCP socket.\n\nFunnily enough fuzzers and static checkers are happy, as the accessed\nmemory still belongs to the mptcp_sock struct, and even from a\nfunctional perspective the recovery completed successfully, as\nthe short-cut test always failed.\n\nA recent unrelated TCP change - commit d5fed5addb2b (\"tcp: reorganize\ntcp_sock fast path variables\") - exposed the issue, as the tcp field\nreorganization makes the mptcp code always skip the re-inection.\n\nFix the issue dropping the bogus call: we are on a slow path, the early\noptimization proved once again to be evil.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26826", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26826" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a6fa75b5096c0f9826a4fabe22d907b0a5bb1016" + }, + { + "url": "https://git.kernel.org/stable/c/a83fdaeaea3677b83a53f72ace2d73a19bcd6d93" + }, + { + "url": "https://git.kernel.org/stable/c/3b08cfc65f07b1132c1979d73f014ae6e04de55d" + }, + { + "url": "https://git.kernel.org/stable/c/d817f0d34d927f2deb17dadbfe212c9a6a32ac3e" + }, + { + "url": "https://git.kernel.org/stable/c/64f00b4df0597590b199b62a37a165473bf658a6" + }, + { + "url": "https://git.kernel.org/stable/c/6787d916c2cf9850c97a0a3f73e08c43e7d973b1" + }, + { + "url": "https://git.kernel.org/stable/c/33ec04cadb77605b71d9298311919303d390c4d5" + }, + { + "url": "https://git.kernel.org/stable/c/8435f0961bf3dc65e204094349bd9aeaac1f8868" + }, + { + "url": "https://git.kernel.org/stable/c/92c81fbb3ed2e0dfc33a4183a67135e1ab566ace" + }, + { + "url": "https://git.kernel.org/linus/6787d916c2cf9850c97a0a3f73e08c43e7d973b1(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26884" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-492", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26884" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26884" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix hashtab overflow check on 32-bit arches\n\nThe hashtab code relies on roundup_pow_of_two() to compute the number of\nhash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code. So apply the same\nfix to hashtab, by moving the overflow check to before the roundup.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26884", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26884" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T20:03:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb55ba8aa7fb7aad54f40fbf4d8dcdfdba0bebf6" + }, + { + "url": "https://git.kernel.org/stable/c/76cb2aa3421fee4fde706dec41b1344bc0a9ad67" + }, + { + "url": "https://git.kernel.org/stable/c/6ab4fd508fad942f1f1ba940492f2735e078e980" + }, + { + "url": "https://git.kernel.org/stable/c/a9c15d6e8aee074fae66c04d114f20b84274fcca" + }, + { + "url": "https://git.kernel.org/stable/c/196b87e5c00ce021e164a5de0f0d04f4116a9160" + }, + { + "url": "https://git.kernel.org/stable/c/7f2649c94264d00df6b6ac27161e9f4372a3450e" + }, + { + "url": "https://git.kernel.org/stable/c/e016e358461b89b231626fcf78c5c38e35c44fd3" + }, + { + "url": "https://git.kernel.org/stable/c/b493ad718b1f0357394d2cdecbf00a44a36fa085" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52583" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://git.kernel.org/linus/b493ad718b1f0357394d2cdecbf00a44a36fa085(6.8-rc1)" + } + ], + "bom-ref": "vuln-493", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52583" + } + } + ], + "created": "2024-03-06T07:15:06Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix deadlock or deadcode of misusing dget()\n\nThe lock order is incorrect between denty and its parent, we should\nalways make sure that the parent get the lock first.\n\nBut since this deadcode is never used and the parent dir will always\nbe set from the callers, let's just remove it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52583", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52583" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/43547d8699439a67b78d6bb39015113f7aa360fd" + }, + { + "url": "https://git.kernel.org/stable/c/5ac337138272d26d6d3d4f71bc5b1a87adf8b24d" + }, + { + "url": "https://git.kernel.org/stable/c/0a30016e892bccabea30af218782c4b6ce0970af" + }, + { + "url": "https://git.kernel.org/stable/c/4ccad39009e7bd8a03d60a97c87b0327ae812880" + }, + { + "url": "https://git.kernel.org/stable/c/85f34d352f4b79afd63dd13634b23dafe6b570f9" + }, + { + "url": "https://git.kernel.org/stable/c/1f60795dcafc97c45984240d442cdc151f825977" + }, + { + "url": "https://git.kernel.org/stable/c/f3315a6edaec12b461031eab8c98c78111a41f95" + }, + { + "url": "https://git.kernel.org/stable/c/7782e5e7047cae6b9255ee727c99fc73d77cf773" + }, + { + "url": "https://git.kernel.org/linus/43547d8699439a67b78d6bb39015113f7aa360fd(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27424" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-494", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27424" + } + } + ], + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_busy_delay\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27424", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27424" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/35e351780fa9d8240dd6f7e4f245f9ea37e96c19" + }, + { + "url": "https://git.kernel.org/stable/c/cec11fa2eb512ebe3a459c185f4aca1d44059bbf" + }, + { + "url": "https://git.kernel.org/stable/c/abdb88dd272bbeb93efe01d8e0b7b17e24af3a34" + }, + { + "url": "https://git.kernel.org/stable/c/0c42f7e039aba3de6d7dbf92da708e2b2ecba557" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27022" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/35e351780fa9d8240dd6f7e4f245f9ea37e96c19(6.9-rc5)" + } + ], + "bom-ref": "vuln-495", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27022" + } + } + ], + "created": "2024-05-01T06:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfork: defer linking file vma until vma is fully initialized\n\nThorvald reported a WARNING [1]. And the root cause is below race:\n\n CPU 1\t\t\t\t\tCPU 2\n fork\t\t\t\t\thugetlbfs_fallocate\n dup_mmap\t\t\t\t hugetlbfs_punch_hole\n i_mmap_lock_write(mapping);\n vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree.\n i_mmap_unlock_write(mapping);\n hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t i_mmap_lock_write(mapping);\n \t\t\t\t\t hugetlb_vmdelete_list\n\t\t\t\t\t vma_interval_tree_foreach\n\t\t\t\t\t hugetlb_vma_trylock_write -- Vma_lock is cleared.\n tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem!\n\t\t\t\t\t hugetlb_vma_unlock_write -- Vma_lock is assigned!!!\n\t\t\t\t\t i_mmap_unlock_write(mapping);\n\nhugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside\ni_mmap_rwsem lock while vma lock can be used in the same time. Fix this\nby deferring linking file vma until vma is fully initialized. Those vmas\nshould be initialized first before they can be used.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27022", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27022" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:13Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d618d19b29c2943527e3a43da0a35aea91062fc" + }, + { + "url": "https://git.kernel.org/stable/c/de940cede3c41624e2de27f805b490999f419df9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52590" + }, + { + "url": "https://git.kernel.org/linus/9d618d19b29c2943527e3a43da0a35aea91062fc(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-496", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52590" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change ocfs2 rename code to avoid touching renamed directory if\nits parent does not change as without locking that can corrupt the\nfilesystem.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52590", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52590" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/340682ed1932b8e3bd0bfc6c31a0c6354eb57cc6" + }, + { + "url": "https://git.kernel.org/stable/c/4cdf9006fc095af71da80e9b5f48a32e991b9ed3" + }, + { + "url": "https://git.kernel.org/stable/c/db6e5e16f1ee9e3b01d2f71c7f0ba945f4bf0f4e" + }, + { + "url": "https://git.kernel.org/stable/c/a43e0fc5e9134a46515de2f2f8d4100b74e50de3" + }, + { + "url": "https://git.kernel.org/stable/c/cb9e802e49c24eeb3af35e9e8c04d526f35f112a" + }, + { + "url": "https://git.kernel.org/linus/a43e0fc5e9134a46515de2f2f8d4100b74e50de3(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27389" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-497", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27389" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npstore: inode: Only d_invalidate() is needed\n\nUnloading a modular pstore backend with records in pstorefs would\ntrigger the dput() double-drop warning:\n\n WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410\n\nUsing the combo of d_drop()/dput() (as mentioned in\nDocumentation/filesystems/vfs.rst) isn't the right approach here, and\nleads to the reference counting problem seen above. Use d_invalidate()\nand update the code to not bother checking for error codes that can\nnever happen.\n\n---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27389", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27389" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/86e9b47e8a75c74b1bd83a479979b425c5dc8bd9" + }, + { + "url": "https://git.kernel.org/stable/c/b19fe5eea619d54eea59bb8a37c0f8d00ef0e912" + }, + { + "url": "https://git.kernel.org/stable/c/22d3053ef05f0b5045e45bd91e7473846261d65e" + }, + { + "url": "https://git.kernel.org/stable/c/ffdca0a62abaf8c41d8d9ea132000fd808de329b" + }, + { + "url": "https://git.kernel.org/stable/c/b79e040910101b020931ba0c9a6b77e81ab7f645" + }, + { + "url": "https://git.kernel.org/stable/c/68a69bb2ecafaacdb998a87783068fb51736f43b" + }, + { + "url": "https://git.kernel.org/stable/c/006936ecb4edfc3102464044f75858c714e34d28" + }, + { + "url": "https://git.kernel.org/stable/c/ec2049fb2b8be3e108fe2ef1f1040f91e72c9990" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35933" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b79e040910101b020931ba0c9a6b77e81ab7f645(6.9-rc1)" + } + ], + "bom-ref": "vuln-498", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35933" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: btintel: Fix null ptr deref in btintel_read_version\n\nIf hci_cmd_sync_complete() is triggered and skb is NULL, then\nhdev->req_skb is NULL, which will cause this issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35933", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35933" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/31f815cb436082e72d34ed2e8a182140a73ebdf4" + }, + { + "url": "https://git.kernel.org/stable/c/f7e71a7cf399f53ff9fc314ca3836dc913b05bd6" + }, + { + "url": "https://git.kernel.org/stable/c/813f5213f2c612dc800054859aaa396ec8ad7069" + }, + { + "url": "https://git.kernel.org/stable/c/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457" + }, + { + "url": "https://git.kernel.org/stable/c/022b19ebc31cce369c407617041a3db810db23b3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26989" + }, + { + "url": "https://git.kernel.org/linus/50449ca66cc5a8cbc64749cf4b9f3d3fc5f4b457(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-499", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26989" + } + } + ], + "created": "2024-05-01T06:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: hibernate: Fix level3 translation fault in swsusp_save()\n\nOn arm64 machines, swsusp_save() faults if it attempts to access\nMEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI\nwhen booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:\n\n Unable to handle kernel paging request at virtual address ffffff8000000000\n Mem abort info:\n ESR = 0x0000000096000007\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x07: level 3 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000\n [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000\n Internal error: Oops: 0000000096000007 [#1] SMP\n Internal error: Oops: 0000000096000007 [#1] SMP\n Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm\n CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76\n Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0\n Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021\n pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : swsusp_save+0x280/0x538\n lr : swsusp_save+0x280/0x538\n sp : ffffffa034a3fa40\n x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000\n x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000\n x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2\n x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000\n x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666\n x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea\n x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0\n x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001\n x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027\n x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e\n Call trace:\n swsusp_save+0x280/0x538\n swsusp_arch_suspend+0x148/0x190\n hibernation_snapshot+0x240/0x39c\n hibernate+0xc4/0x378\n state_store+0xf0/0x10c\n kobj_attr_store+0x14/0x24\n\nThe reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()\n-> kernel_page_present() assuming that a page is always present when\ncan_set_direct_map() is false (all of rodata_full,\ndebug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),\nirrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions\nshould not be saved during hibernation.\n\nThis problem was introduced by changes to the pfn_valid() logic in\ncommit a7d9f306ba70 (\"arm64: drop pfn_valid_within() and simplify\npfn_valid()\").\n\nSimilar to other architectures, drop the !can_set_direct_map() check in\nkernel_page_present() so that page_is_savable() skips such pages.\n\n[catalin.marinas@arm.com: rework commit message]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26989", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26989" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b8cfb7c819dd39965136a66fe3a7fde688d976fc" + }, + { + "url": "https://git.kernel.org/stable/c/3a71ec74e5e3478d202a1874f085ca3ef40be49b" + }, + { + "url": "https://git.kernel.org/stable/c/12f00a367b2b62756e0396f14b54c2c15524e1c3" + }, + { + "url": "https://git.kernel.org/stable/c/dadbb5d29d6c5f571a50272fce8c1505a9559487" + }, + { + "url": "https://git.kernel.org/stable/c/a1f57a0127b89a6b6620514564aa7eaec16d9af3" + }, + { + "url": "https://git.kernel.org/linus/b8cfb7c819dd39965136a66fe3a7fde688d976fc(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26896" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-500", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26896" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix memory leak when starting AP\n\nKmemleak reported this error:\n\n unreferenced object 0xd73d1180 (size 184):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.245s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 1e 00 01 00 00 00 00 00 ................\n backtrace:\n [<5ca11420>] kmem_cache_alloc+0x20c/0x5ac\n [<127bdd74>] __alloc_skb+0x144/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n [<69954f45>] __sys_sendmsg+0x64/0xa8\n unreferenced object 0xce087000 (size 1024):\n comm \"wpa_supplicant\", pid 1559, jiffies 13006305 (age 964.246s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 10 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............\n backtrace:\n [<9a993714>] __kmalloc_track_caller+0x230/0x600\n [] kmalloc_reserve.constprop.0+0x30/0x74\n [] __alloc_skb+0xa0/0x170\n [] __netdev_alloc_skb+0x50/0x180\n [<0f9fa1d5>] __ieee80211_beacon_get+0x290/0x4d4 [mac80211]\n [<7accd02d>] ieee80211_beacon_get_tim+0x54/0x18c [mac80211]\n [<41e25cc3>] wfx_start_ap+0xc8/0x234 [wfx]\n [<93a70356>] ieee80211_start_ap+0x404/0x6b4 [mac80211]\n [] nl80211_start_ap+0x76c/0x9e0 [cfg80211]\n [<47bd8b68>] genl_rcv_msg+0x198/0x378\n [<453ef796>] netlink_rcv_skb+0xd0/0x130\n [<6b7c977a>] genl_rcv+0x34/0x44\n [<66b2d04d>] netlink_unicast+0x1b4/0x258\n [] netlink_sendmsg+0x1e8/0x428\n [] ____sys_sendmsg+0x1e0/0x274\n [] ___sys_sendmsg+0x80/0xb4\n\nHowever, since the kernel is build optimized, it seems the stack is not\naccurate. It appears the issue is related to wfx_set_mfp_ap(). The issue\nis obvious in this function: memory allocated by ieee80211_beacon_get()\nis never released. Fixing this leak makes kmemleak happy.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26896", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26896" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd504bcfec41a503b32054da5472904b404341a4" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52429" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6740-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2475.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://git.kernel.org/linus/bd504bcfec41a503b32054da5472904b404341a4(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6739-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6726-2" + } + ], + "bom-ref": "vuln-501", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52429" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" + } + } + ], + "created": "2024-02-12T03:15:32Z", + "description": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52429", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-26T21:15:57Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/48a8ccccffbae10c91d31fc872db5c31aba07518" + }, + { + "url": "https://git.kernel.org/stable/c/e0526ec5360a48ad3ab2e26e802b0532302a7e11" + }, + { + "url": "https://git.kernel.org/stable/c/22a77c0f5b8233237731df3288d067af51a2fd7b" + }, + { + "url": "https://git.kernel.org/stable/c/0e8875de9dad12805ff66e92cd5edea6a421f1cd" + }, + { + "url": "https://git.kernel.org/stable/c/9ec807e7b6f5fcf9499f3baa69f254bb239a847f" + }, + { + "url": "https://git.kernel.org/stable/c/7656372ae190e54e8c8cf1039725a5ea59fdf84a" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26698" + }, + { + "url": "https://git.kernel.org/linus/e0526ec5360a48ad3ab2e26e802b0532302a7e11(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-502", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26698" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe and netvsc_remove\n\nIn commit ac5047671758 (\"hv_netvsc: Disable NAPI before closing the\nVMBus channel\"), napi_disable was getting called for all channels,\nincluding all subchannels without confirming if they are enabled or not.\n\nThis caused hv_netvsc getting hung at napi_disable, when netvsc_probe()\nhas finished running but nvdev->subchan_work has not started yet.\nnetvsc_subchan_work() -> rndis_set_subchannel() has not created the\nsub-channels and because of that netvsc_sc_open() is not running.\nnetvsc_remove() calls cancel_work_sync(&nvdev->subchan_work), for which\nnetvsc_subchan_work did not run.\n\nnetif_napi_add() sets the bit NAPI_STATE_SCHED because it ensures NAPI\ncannot be scheduled. Then netvsc_sc_open() -> napi_enable will clear the\nNAPIF_STATE_SCHED bit, so it can be scheduled. napi_disable() does the\nopposite.\n\nNow during netvsc_device_remove(), when napi_disable is called for those\nsubchannels, napi_disable gets stuck on infinite msleep.\n\nThis fix addresses this problem by ensuring that napi_disable() is not\ngetting called for non-enabled NAPI struct.\nBut netif_napi_del() is still necessary for these non-enabled NAPI struct\nfor cleanup purpose.\n\nCall trace:\n[ 654.559417] task:modprobe state:D stack: 0 pid: 2321 ppid: 1091 flags:0x00004002\n[ 654.568030] Call Trace:\n[ 654.571221] \n[ 654.573790] __schedule+0x2d6/0x960\n[ 654.577733] schedule+0x69/0xf0\n[ 654.581214] schedule_timeout+0x87/0x140\n[ 654.585463] ? __bpf_trace_tick_stop+0x20/0x20\n[ 654.590291] msleep+0x2d/0x40\n[ 654.593625] napi_disable+0x2b/0x80\n[ 654.597437] netvsc_device_remove+0x8a/0x1f0 [hv_netvsc]\n[ 654.603935] rndis_filter_device_remove+0x194/0x1c0 [hv_netvsc]\n[ 654.611101] ? do_wait_intr+0xb0/0xb0\n[ 654.615753] netvsc_remove+0x7c/0x120 [hv_netvsc]\n[ 654.621675] vmbus_remove+0x27/0x40 [hv_vmbus]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26698", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26698" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d1ffa4ae2d591fdd40471074e79954ec45f147f7" + }, + { + "url": "https://git.kernel.org/stable/c/36c2a2863bc3896243eb724dc3fd4cf9aea633f2" + }, + { + "url": "https://git.kernel.org/stable/c/7411055db5ce64f836aaffd422396af0075fdc99" + }, + { + "url": "https://git.kernel.org/stable/c/576164bd01bd795f8b09fb194b493103506b33c9" + }, + { + "url": "https://git.kernel.org/stable/c/0d23b34c68c46cd225b55868bc8a269e3134816d" + }, + { + "url": "https://git.kernel.org/stable/c/87299cdaae757f3f41212146cfb5b3af416b8385" + }, + { + "url": "https://git.kernel.org/stable/c/bebd9e0ff90034875c5dfe4bd514fd7055fc7a89" + }, + { + "url": "https://git.kernel.org/stable/c/1f9212cdbd005bc55f2b7422e7b560d9c02bd1da" + }, + { + "url": "https://git.kernel.org/linus/7411055db5ce64f836aaffd422396af0075fdc99(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35936" + } + ], + "bom-ref": "vuln-503", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35936" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()\n\nThe unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,\nas it could be caused only by two impossible conditions:\n\n- at first the search key is set up to look for a chunk tree item, with\n offset -1, this is an inexact search and the key->offset will contain\n the correct offset upon a successful search, a valid chunk tree item\n cannot have an offset -1\n\n- after first successful search, the found_key corresponds to a chunk\n item, the offset is decremented by 1 before the next loop, it's\n impossible to find a chunk item there due to alignment and size\n constraints", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35936", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35936" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53" + }, + { + "url": "https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0" + }, + { + "url": "https://git.kernel.org/linus/4f32504a2f85a7b40fe149436881381f48e9c0c0(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26672" + } + ], + "bom-ref": "vuln-504", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26672" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'\n\nFixes the below:\n\ndrivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)\n\n357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,\n\t\t\t\t enum amdgpu_mca_error_type type,\n358 int idx, struct mca_bank_entry *entry)\n359 {\n360 const struct amdgpu_mca_smu_funcs *mca_funcs =\n\t\t\t\t\t\tadev->mca.mca_funcs;\n361 int count;\n362\n363 switch (type) {\n364 case AMDGPU_MCA_ERROR_TYPE_UE:\n365 count = mca_funcs->max_ue_count;\n\nmca_funcs is dereferenced here.\n\n366 break;\n367 case AMDGPU_MCA_ERROR_TYPE_CE:\n368 count = mca_funcs->max_ce_count;\n\nmca_funcs is dereferenced here.\n\n369 break;\n370 default:\n371 return -EINVAL;\n372 }\n373\n374 if (idx >= count)\n375 return -EINVAL;\n376\n377 if (mca_funcs && mca_funcs->mca_get_mca_entry)\n\t ^^^^^^^^^\n\nChecked too late!", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26672", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26672" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/176256ff8abff29335ecff905a09fb49e8dcf513" + }, + { + "url": "https://git.kernel.org/stable/c/792595bab4925aa06532a14dd256db523eb4fa5e" + }, + { + "url": "https://git.kernel.org/stable/c/1d8c67e94e9e977603473a543d4f322cf2c4aa01" + }, + { + "url": "https://git.kernel.org/stable/c/7200170e88e3ec54d9e9c63f07514c3cead11481" + }, + { + "url": "https://git.kernel.org/stable/c/36a49290d7e6d554020057a409747a092b1d3b56" + }, + { + "url": "https://git.kernel.org/stable/c/8d5838a473e8e6d812257c69745f5920e4924a60" + }, + { + "url": "https://git.kernel.org/stable/c/57d05dbbcd0b3dc0c252103b43012eef5d6430d1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26702" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://git.kernel.org/linus/792595bab4925aa06532a14dd256db523eb4fa5e(6.8-rc5)" + } + ], + "bom-ref": "vuln-505", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26702" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC\n\nRecently, we encounter kernel crash in function rm3100_common_probe\ncaused by out of bound access of array rm3100_samp_rates (because of\nunderlying hardware failures). Add boundary check to prevent out of\nbound access.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26702", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26702" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09a1907433865b7c8ee6777e507f5126bdd38c0f" + }, + { + "url": "https://git.kernel.org/stable/c/943c14ece95eb1cf98d477462aebcbfdfd714633" + }, + { + "url": "https://git.kernel.org/stable/c/49202a8256fc50517ef06fd5e2084c4febde6369" + }, + { + "url": "https://git.kernel.org/stable/c/9fcadd125044007351905d40c405fadc2d3bb6d6" + }, + { + "url": "https://git.kernel.org/stable/c/ea80e3ed09ab2c2b75724faf5484721753e92c31" + }, + { + "url": "https://git.kernel.org/stable/c/f78807362828ad01db2a9ed005bf79501b620f27" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27432" + }, + { + "url": "https://git.kernel.org/linus/ea80e3ed09ab2c2b75724faf5484721753e92c31(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-506", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27432" + } + } + ], + "created": "2024-05-17T13:15:57Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: mtk_eth_soc: fix PPE hanging issue\n\nA patch to resolve an issue was found in MediaTek's GPL-licensed SDK:\nIn the mtk_ppe_stop() function, the PPE scan mode is not disabled before\ndisabling the PPE. This can potentially lead to a hang during the process\nof disabling the PPE.\n\nWithout this patch, the PPE may experience a hang during the reboot test.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27432", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27432" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/246f80a0b17f8f582b2c0996db02998239057c65" + }, + { + "url": "https://git.kernel.org/stable/c/610dbd8ac271aa36080aac50b928d700ee3fe4de" + }, + { + "url": "https://git.kernel.org/linus/246f80a0b17f8f582b2c0996db02998239057c65(6.6-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52629" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-507", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52629" + } + } + ], + "created": "2024-03-29T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsh: push-switch: Reorder cleanup operations to avoid use-after-free bug\n\nThe original code puts flush_work() before timer_shutdown_sync()\nin switch_drv_remove(). Although we use flush_work() to stop\nthe worker, it could be rescheduled in switch_timer(). As a result,\na use-after-free bug can occur. The details are shown below:\n\n (cpu 0) | (cpu 1)\nswitch_drv_remove() |\n flush_work() |\n ... | switch_timer // timer\n | schedule_work(&psw->work)\n timer_shutdown_sync() |\n ... | switch_work_handler // worker\n kfree(psw) // free |\n | psw->state = 0 // use\n\nThis patch puts timer_shutdown_sync() before flush_work() to\nmitigate the bugs. As a result, the worker and timer will be\nstopped safely before the deallocate operations.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52629", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52629" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-29T12:45:02Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9ae51361da43270f4ba0eb924427a07e87e48777" + }, + { + "url": "https://git.kernel.org/stable/c/c71ed29d15b1a1ed6c464f8c3536996963046285" + }, + { + "url": "https://git.kernel.org/stable/c/59fc3e3d049e39e7d0d271f20dd5fb47c57faf1d" + }, + { + "url": "https://git.kernel.org/stable/c/ec343a55b687a452f5e87f3b52bf9f155864df65" + }, + { + "url": "https://git.kernel.org/stable/c/661779e1fcafe1b74b3f3fe8e980c1e207fea1fd" + }, + { + "url": "https://git.kernel.org/stable/c/d3ada42e534a83b618bbc1e490d23bf0fdae4736" + }, + { + "url": "https://git.kernel.org/stable/c/f19d1f98e60e68b11fc60839105dd02a30ec0d77" + }, + { + "url": "https://git.kernel.org/stable/c/0b27bf4c494d61e5663baa34c3edd7ccebf0ea44" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26805" + } + ], + "bom-ref": "vuln-508", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26805" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: Fix kernel-infoleak-after-free in __skb_datagram_iter\n\nsyzbot reported the following uninit-value access issue [1]:\n\nnetlink_to_full_skb() creates a new `skb` and puts the `skb->data`\npassed as a 1st arg of netlink_to_full_skb() onto new `skb`. The data\nsize is specified as `len` and passed to skb_put_data(). This `len`\nis based on `skb->end` that is not data offset but buffer offset. The\n`skb->end` contains data and tailroom. Since the tailroom is not\ninitialized when the new `skb` created, KMSAN detects uninitialized\nmemory area when copying the data.\n\nThis patch resolved this issue by correct the len from `skb->end` to\n`skb->len`, which is the actual data offset.\n\nBUG: KMSAN: kernel-infoleak-after-free in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in copy_to_user_iter lib/iov_iter.c:24 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_ubuf include/linux/iov_iter.h:29 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in iterate_and_advance include/linux/iov_iter.h:271 [inline]\nBUG: KMSAN: kernel-infoleak-after-free in _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n copy_to_user_iter lib/iov_iter.c:24 [inline]\n iterate_ubuf include/linux/iov_iter.h:29 [inline]\n iterate_and_advance2 include/linux/iov_iter.h:245 [inline]\n iterate_and_advance include/linux/iov_iter.h:271 [inline]\n _copy_to_iter+0x364/0x2520 lib/iov_iter.c:186\n copy_to_iter include/linux/uio.h:197 [inline]\n simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:532\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:420\n skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:546\n skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]\n packet_recvmsg+0xd9c/0x2000 net/packet/af_packet.c:3482\n sock_recvmsg_nosec net/socket.c:1044 [inline]\n sock_recvmsg net/socket.c:1066 [inline]\n sock_read_iter+0x467/0x580 net/socket.c:1136\n call_read_iter include/linux/fs.h:2014 [inline]\n new_sync_read fs/read_write.c:389 [inline]\n vfs_read+0x8f6/0xe00 fs/read_write.c:470\n ksys_read+0x20f/0x4c0 fs/read_write.c:613\n __do_sys_read fs/read_write.c:623 [inline]\n __se_sys_read fs/read_write.c:621 [inline]\n __x64_sys_read+0x93/0xd0 fs/read_write.c:621\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was stored to memory at:\n skb_put_data include/linux/skbuff.h:2622 [inline]\n netlink_to_full_skb net/netlink/af_netlink.c:181 [inline]\n __netlink_deliver_tap_skb net/netlink/af_netlink.c:298 [inline]\n __netlink_deliver_tap+0x5be/0xc90 net/netlink/af_netlink.c:325\n netlink_deliver_tap net/netlink/af_netlink.c:338 [inline]\n netlink_deliver_tap_kernel net/netlink/af_netlink.c:347 [inline]\n netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]\n netlink_unicast+0x10f1/0x1250 net/netlink/af_netlink.c:1368\n netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584\n ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638\n __sys_sendmsg net/socket.c:2667 [inline]\n __do_sys_sendmsg net/socket.c:2676 [inline]\n __se_sys_sendmsg net/socket.c:2674 [inline]\n __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n free_pages_prepare mm/page_alloc.c:1087 [inline]\n free_unref_page_prepare+0xb0/0xa40 mm/page_alloc.c:2347\n free_unref_page_list+0xeb/0x1100 mm/page_alloc.c:2533\n release_pages+0x23d3/0x2410 mm/swap.c:1042\n free_pages_and_swap_cache+0xd9/0xf0 mm/swap_state.c:316\n tlb_batch_pages\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26805", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26805" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1ec17ef59168a1a6f1105f5dc517f783839a5302" + }, + { + "url": "https://git.kernel.org/stable/c/34ca809e055eca5cfe63d9c7efbf80b7c21b4e57" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26944" + }, + { + "url": "https://git.kernel.org/linus/1ec17ef59168a1a6f1105f5dc517f783839a5302(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-509", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26944" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: fix use-after-free in do_zone_finish()\n\nShinichiro reported the following use-after-free triggered by the device\nreplace operation in fstests btrfs/070.\n\n BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0\n ==================================================================\n BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs]\n Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007\n\n CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1\n Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020\n Call Trace:\n \n dump_stack_lvl+0x5b/0x90\n print_report+0xcf/0x670\n ? __virt_addr_valid+0x200/0x3e0\n kasan_report+0xd8/0x110\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n ? do_zone_finish+0x91a/0xb90 [btrfs]\n do_zone_finish+0x91a/0xb90 [btrfs]\n btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs]\n ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs]\n ? btrfs_put_root+0x2d/0x220 [btrfs]\n ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs]\n cleaner_kthread+0x21e/0x380 [btrfs]\n ? __pfx_cleaner_kthread+0x10/0x10 [btrfs]\n kthread+0x2e3/0x3c0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x31/0x70\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1b/0x30\n \n\n Allocated by task 3493983:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0xaa/0xb0\n btrfs_alloc_device+0xb3/0x4e0 [btrfs]\n device_list_add.constprop.0+0x993/0x1630 [btrfs]\n btrfs_scan_one_device+0x219/0x3d0 [btrfs]\n btrfs_control_ioctl+0x26e/0x310 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n Freed by task 3494056:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3f/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x32/0x70\n kfree+0x11b/0x320\n btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs]\n btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs]\n btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs]\n btrfs_ioctl+0xb27/0x57d0 [btrfs]\n __x64_sys_ioctl+0x134/0x1b0\n do_syscall_64+0x99/0x190\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\n The buggy address belongs to the object at ffff8881543c8000\n which belongs to the cache kmalloc-1k of size 1024\n The buggy address is located 96 bytes inside of\n freed 1024-byte region [ffff8881543c8000, ffff8881543c8400)\n\n The buggy address belongs to the physical page:\n page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8\n head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0\n flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff)\n page_type: 0xffffffff()\n raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002\n raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ^\n ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n\nThis UAF happens because we're accessing stale zone information of a\nalready removed btrfs_device in do_zone_finish().\n\nThe sequence of events is as follows:\n\nbtrfs_dev_replace_start\n btrfs_scrub_dev\n btrfs_dev_replace_finishing\n btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced\n btrfs_rm_dev_replace_free_srcdev\n btrfs_free_device <-- device freed\n\ncleaner_kthread\n btrfs_delete_unused_bgs\n btrfs_zone_finish\n do_zone_finish <-- refers the freed device\n\nThe reason for this is that we're using a\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26944", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26944" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-21803" + } + ], + "bom-ref": "vuln-510", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-21803" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + } + } + ], + "created": "2024-01-30T08:15:41Z", + "description": "Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code. This vulnerability is associated with program files https://gitee.Com/anolis/cloud-kernel/blob/devel-5.10/net/bluetooth/af_bluetooth.C.\n\nThis issue affects Linux kernel: from v2.6.12-rc2 before v6.8-rc1.\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-21803", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21803" + }, + "cwes": [ + 416 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-08T01:57:53Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/90029b9c979b60de5cb2b70ade4bbf61d561bc5d" + }, + { + "url": "https://git.kernel.org/stable/c/afd2a82fe300032f63f8be5d6cd6981e75f8bbf2" + }, + { + "url": "https://git.kernel.org/stable/c/3dd8abb0ed0e0a7c66d6d677c86ccb188cc39333" + }, + { + "url": "https://git.kernel.org/stable/c/0c9550b032de48d6a7fa6a4ddc09699d64d9300d" + }, + { + "url": "https://git.kernel.org/stable/c/9c23ef30e840fedc66948299509f6c2777c9cf4f" + }, + { + "url": "https://git.kernel.org/stable/c/0175f2d34c85744f9ad6554f696cf0afb5bd04e4" + }, + { + "url": "https://git.kernel.org/stable/c/dc866b69cc51af9b8509b4731b8ce2a4950cd0ef" + }, + { + "url": "https://git.kernel.org/stable/c/8f94b49a5b5d386c038e355bef6347298aabd211" + }, + { + "url": "https://git.kernel.org/stable/c/5dc319cc3c4f7b74f7dfba349aa26f87efb52458" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27077" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/8f94b49a5b5d386c038e355bef6347298aabd211(6.9-rc1)" + } + ], + "bom-ref": "vuln-511", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27077" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity\n\nThe entity->name (i.e. name) is allocated in v4l2_m2m_register_entity\nbut isn't freed in its following error-handling paths. This patch\nadds such deallocation to prevent memleak of entity->name.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27077", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27077" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/all/20231222161317.6255-1-2045gemini@gmail.com/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24858" + } + ], + "bom-ref": "vuln-512", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24858" + } + }, + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-24858", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:06:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c44542093525699a30c307dae1ea5a1b03b3302f" + }, + { + "url": "https://git.kernel.org/stable/c/82220b1835baaebf4ae2e490f56353a341a09bd2" + }, + { + "url": "https://git.kernel.org/stable/c/995e91c9556c8fc6028b474145a36e947d1eb6b6" + }, + { + "url": "https://git.kernel.org/stable/c/e06cc89475eddc1f3a7a4d471524256152c68166" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26905" + }, + { + "url": "https://git.kernel.org/linus/e06cc89475eddc1f3a7a4d471524256152c68166(6.8-rc7)" + } + ], + "bom-ref": "vuln-513", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26905" + } + } + ], + "created": "2024-04-17T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix data races when accessing the reserved amount of block reserves\n\nAt space_info.c we have several places where we access the ->reserved\nfield of a block reserve without taking the block reserve's spinlock\nfirst, which makes KCSAN warn about a data race since that field is\nalways updated while holding the spinlock.\n\nThe reports from KCSAN are like the following:\n\n [117.193526] BUG: KCSAN: data-race in btrfs_block_rsv_release [btrfs] / need_preemptive_reclaim [btrfs]\n\n [117.195148] read to 0x000000017f587190 of 8 bytes by task 6303 on cpu 3:\n [117.195172] need_preemptive_reclaim+0x222/0x2f0 [btrfs]\n [117.195992] __reserve_bytes+0xbb0/0xdc8 [btrfs]\n [117.196807] btrfs_reserve_metadata_bytes+0x4c/0x120 [btrfs]\n [117.197620] btrfs_block_rsv_add+0x78/0xa8 [btrfs]\n [117.198434] btrfs_delayed_update_inode+0x154/0x368 [btrfs]\n [117.199300] btrfs_update_inode+0x108/0x1c8 [btrfs]\n [117.200122] btrfs_dirty_inode+0xb4/0x140 [btrfs]\n [117.200937] btrfs_update_time+0x8c/0xb0 [btrfs]\n [117.201754] touch_atime+0x16c/0x1e0\n [117.201789] filemap_read+0x674/0x728\n [117.201823] btrfs_file_read_iter+0xf8/0x410 [btrfs]\n [117.202653] vfs_read+0x2b6/0x498\n [117.203454] ksys_read+0xa2/0x150\n [117.203473] __s390x_sys_read+0x68/0x88\n [117.203495] do_syscall+0x1c6/0x210\n [117.203517] __do_syscall+0xc8/0xf0\n [117.203539] system_call+0x70/0x98\n\n [117.203579] write to 0x000000017f587190 of 8 bytes by task 11 on cpu 0:\n [117.203604] btrfs_block_rsv_release+0x2e8/0x578 [btrfs]\n [117.204432] btrfs_delayed_inode_release_metadata+0x7c/0x1d0 [btrfs]\n [117.205259] __btrfs_update_delayed_inode+0x37c/0x5e0 [btrfs]\n [117.206093] btrfs_async_run_delayed_root+0x356/0x498 [btrfs]\n [117.206917] btrfs_work_helper+0x160/0x7a0 [btrfs]\n [117.207738] process_one_work+0x3b6/0x838\n [117.207768] worker_thread+0x75e/0xb10\n [117.207797] kthread+0x21a/0x230\n [117.207830] __ret_from_fork+0x6c/0xb8\n [117.207861] ret_from_fork+0xa/0x30\n\nSo add a helper to get the reserved amount of a block reserve while\nholding the lock. The value may be not be up to date anymore when used by\nneed_preemptive_reclaim() and btrfs_preempt_reclaim_metadata_space(), but\nthat's ok since the worst it can do is cause more reclaim work do be done\nsooner rather than later. Reading the field while holding the lock instead\nof using the data_race() annotation is used in order to prevent load\ntearing.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26905", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26905" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2774f256e7c0219e2b0a0894af1c76bdabc4f974" + }, + { + "url": "https://git.kernel.org/stable/c/d6159bd4c00594249e305bfe02304c67c506264e" + }, + { + "url": "https://git.kernel.org/stable/c/bdd21eed8b72f9e28d6c279f6db258e090c79080" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26783" + } + ], + "bom-ref": "vuln-514", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26783" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index\n\nWith numa balancing on, when a numa system is running where a numa node\ndoesn't have its local memory so it has no managed zones, the following\noops has been observed. It's because wakeup_kswapd() is called with a\nwrong zone index, -1. Fixed it by checking the index before calling\nwakeup_kswapd().\n\n> BUG: unable to handle page fault for address: 00000000000033f3\n> #PF: supervisor read access in kernel mode\n> #PF: error_code(0x0000) - not-present page\n> PGD 0 P4D 0\n> Oops: 0000 [#1] PREEMPT SMP NOPTI\n> CPU: 2 PID: 895 Comm: masim Not tainted 6.6.0-dirty #255\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\n> rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n> RIP: 0010:wakeup_kswapd (./linux/mm/vmscan.c:7812)\n> Code: (omitted)\n> RSP: 0000:ffffc90004257d58 EFLAGS: 00010286\n> RAX: ffffffffffffffff RBX: ffff88883fff0480 RCX: 0000000000000003\n> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88883fff0480\n> RBP: ffffffffffffffff R08: ff0003ffffffffff R09: ffffffffffffffff\n> R10: ffff888106c95540 R11: 0000000055555554 R12: 0000000000000003\n> R13: 0000000000000000 R14: 0000000000000000 R15: ffff88883fff0940\n> FS: 00007fc4b8124740(0000) GS:ffff888827c00000(0000) knlGS:0000000000000000\n> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n> CR2: 00000000000033f3 CR3: 000000026cc08004 CR4: 0000000000770ee0\n> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n> PKRU: 55555554\n> Call Trace:\n> \n> ? __die\n> ? page_fault_oops\n> ? __pte_offset_map_lock\n> ? exc_page_fault\n> ? asm_exc_page_fault\n> ? wakeup_kswapd\n> migrate_misplaced_page\n> __handle_mm_fault\n> handle_mm_fault\n> do_user_addr_fault\n> exc_page_fault\n> asm_exc_page_fault\n> RIP: 0033:0x55b897ba0808\n> Code: (omitted)\n> RSP: 002b:00007ffeefa821a0 EFLAGS: 00010287\n> RAX: 000055b89983acd0 RBX: 00007ffeefa823f8 RCX: 000055b89983acd0\n> RDX: 00007fc2f8122010 RSI: 0000000000020000 RDI: 000055b89983acd0\n> RBP: 00007ffeefa821a0 R08: 0000000000000037 R09: 0000000000000075\n> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n> R13: 00007ffeefa82410 R14: 000055b897ba5dd8 R15: 00007fc4b8340000\n> ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26783", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26783" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/870565f063a58576e8a4529f122cac4325c6b395" + }, + { + "url": "https://git.kernel.org/stable/c/bf808f58681cab64c81cd814551814fd34e540fe" + }, + { + "url": "https://git.kernel.org/stable/c/7bb1a2822aa2c2de4e09bf7c56dd93bd532f1fa7" + }, + { + "url": "https://git.kernel.org/stable/c/fab483438342984f2a315fe13c882a80f0f7e545" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/870565f063a58576e8a4529f122cac4325c6b395(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52589" + } + ], + "bom-ref": "vuln-515", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52589" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rkisp1: Fix IRQ disable race issue\n\nIn rkisp1_isp_stop() and rkisp1_csi_disable() the driver masks the\ninterrupts and then apparently assumes that the interrupt handler won't\nbe running, and proceeds in the stop procedure. This is not the case, as\nthe interrupt handler can already be running, which would lead to the\nISP being disabled while the interrupt handler handling a captured\nframe.\n\nThis brings up two issues: 1) the ISP could be powered off while the\ninterrupt handler is still running and accessing registers, leading to\nboard lockup, and 2) the interrupt handler code and the code that\ndisables the streaming might do things that conflict.\n\nIt is not clear to me if 2) causes a real issue, but 1) can be seen with\na suitable delay (or printk in my case) in the interrupt handler,\nleading to board lockup.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52589", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52589" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9470f5b2503cae994098dea9682aee15b313fa44" + }, + { + "url": "https://git.kernel.org/stable/c/0fc88aeb2e32b76db3fe6a624b8333dbe621b8fd" + }, + { + "url": "https://git.kernel.org/stable/c/ea592baf9e41779fe9a0424c03dd2f324feca3b3" + }, + { + "url": "https://git.kernel.org/stable/c/585a344af6bcac222608a158fc2830ff02712af5" + }, + { + "url": "https://git.kernel.org/stable/c/20980195ec8d2e41653800c45c8c367fa1b1f2b4" + }, + { + "url": "https://git.kernel.org/stable/c/9be71aa12afa91dfe457b3fb4a444c42b1ee036b" + }, + { + "url": "https://git.kernel.org/stable/c/fa765c4b4aed2d64266b694520ecb025c862c5a9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26687" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fa765c4b4aed2d64266b694520ecb025c862c5a9(6.8-rc5)" + } + ], + "bom-ref": "vuln-516", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26687" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen/events: close evtchn after mapping cleanup\n\nshutdown_pirq and startup_pirq are not taking the\nirq_mapping_update_lock because they can't due to lock inversion. Both\nare called with the irq_desc->lock being taking. The lock order,\nhowever, is first irq_mapping_update_lock and then irq_desc->lock.\n\nThis opens multiple races:\n- shutdown_pirq can be interrupted by a function that allocates an event\n channel:\n\n CPU0 CPU1\n shutdown_pirq {\n xen_evtchn_close(e)\n __startup_pirq {\n EVTCHNOP_bind_pirq\n -> returns just freed evtchn e\n set_evtchn_to_irq(e, irq)\n }\n xen_irq_info_cleanup() {\n set_evtchn_to_irq(e, -1)\n }\n }\n\n Assume here event channel e refers here to the same event channel\n number.\n After this race the evtchn_to_irq mapping for e is invalid (-1).\n\n- __startup_pirq races with __unbind_from_irq in a similar way. Because\n __startup_pirq doesn't take irq_mapping_update_lock it can grab the\n evtchn that __unbind_from_irq is currently freeing and cleaning up. In\n this case even though the event channel is allocated, its mapping can\n be unset in evtchn_to_irq.\n\nThe fix is to first cleanup the mappings and then close the event\nchannel. In this way, when an event channel gets allocated it's\npotential previous evtchn_to_irq mappings are guaranteed to be unset already.\nThis is also the reverse order of the allocation where first the event\nchannel is allocated and then the mappings are setup.\n\nOn a 5.10 kernel prior to commit 3fcdaf3d7634 (\"xen/events: modify internal\n[un]bind interfaces\"), we hit a BUG like the following during probing of NVMe\ndevices. The issue is that during nvme_setup_io_queues, pci_free_irq\nis called for every device which results in a call to shutdown_pirq.\nWith many nvme devices it's therefore likely to hit this race during\nboot because there will be multiple calls to shutdown_pirq and\nstartup_pirq are running potentially in parallel.\n\n ------------[ cut here ]------------\n blkfront: xvda: barrier or flush: disabled; persistent grants: enabled; indirect descriptors: enabled; bounce buffer: enabled\n kernel BUG at drivers/xen/events/events_base.c:499!\n invalid opcode: 0000 [#1] SMP PTI\n CPU: 44 PID: 375 Comm: kworker/u257:23 Not tainted 5.10.201-191.748.amzn2.x86_64 #1\n Hardware name: Xen HVM domU, BIOS 4.11.amazon 08/24/2006\n Workqueue: nvme-reset-wq nvme_reset_work\n RIP: 0010:bind_evtchn_to_cpu+0xdf/0xf0\n Code: 5d 41 5e c3 cc cc cc cc 44 89 f7 e8 2b 55 ad ff 49 89 c5 48 85 c0 0f 84 64 ff ff ff 4c 8b 68 30 41 83 fe ff 0f 85 60 ff ff ff <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 0f 1f 44 00 00\n RSP: 0000:ffffc9000d533b08 EFLAGS: 00010046\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006\n RDX: 0000000000000028 RSI: 00000000ffffffff RDI: 00000000ffffffff\n RBP: ffff888107419680 R08: 0000000000000000 R09: ffffffff82d72b00\n R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000001ed\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000002\n FS: 0000000000000000(0000) GS:ffff88bc8b500000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000002610001 CR4: 00000000001706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? show_trace_log_lvl+0x1c1/0x2d9\n ? set_affinity_irq+0xdc/0x1c0\n ? __die_body.cold+0x8/0xd\n ? die+0x2b/0x50\n ? do_trap+0x90/0x110\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? do_error_trap+0x65/0x80\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? exc_invalid_op+0x4e/0x70\n ? bind_evtchn_to_cpu+0xdf/0xf0\n ? asm_exc_invalid_op+0x12/0x20\n ? bind_evtchn_to_cpu+0xdf/0x\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26687", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26687" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ff70e6ff6fc2413caf33410af7462d1f584d927e" + }, + { + "url": "https://git.kernel.org/stable/c/65158edb0a3a8df23197d52cd24287e39eaf95d6" + }, + { + "url": "https://git.kernel.org/stable/c/caa2565a2e13899be31f7b1e069e6465d3e2adb0" + }, + { + "url": "https://git.kernel.org/stable/c/916361685319098f696b798ef1560f69ed96e934" + }, + { + "url": "https://git.kernel.org/stable/c/d855ceb6a5fde668c5431156bc60fae0cc52b764" + }, + { + "url": "https://git.kernel.org/linus/916361685319098f696b798ef1560f69ed96e934(6.8-rc5)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26916" + } + ], + "bom-ref": "vuln-517", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26916" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"drm/amd: flush any delayed gfxoff on suspend entry\"\n\ncommit ab4750332dbe (\"drm/amdgpu/sdma5.2: add begin/end_use ring\ncallbacks\") caused GFXOFF control to be used more heavily and the\ncodepath that was removed from commit 0dee72639533 (\"drm/amd: flush any\ndelayed gfxoff on suspend entry\") now can be exercised at suspend again.\n\nUsers report that by using GNOME to suspend the lockscreen trigger will\ncause SDMA traffic and the system can deadlock.\n\nThis reverts commit 0dee726395333fea833eaaf838bc80962df886c8.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26916", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26916" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T16:51:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5268bb02107b9eedfdcd51db75b407d10043368c" + }, + { + "url": "https://git.kernel.org/stable/c/0281b919e175bb9c3128bd3872ac2903e9436e3f" + }, + { + "url": "https://git.kernel.org/stable/c/addf5e297e6cbf5341f9c07720693ca9ba0057b5" + }, + { + "url": "https://git.kernel.org/stable/c/7d80a9e745fa5b47da3bca001f186c02485c7c33" + }, + { + "url": "https://git.kernel.org/stable/c/8327ed12e8ebc5436bfaa1786c49988894f9c8a6" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26737" + }, + { + "url": "https://git.kernel.org/linus/0281b919e175bb9c3128bd3872ac2903e9436e3f(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-518", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26737" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel\n\nThe following race is possible between bpf_timer_cancel_and_free\nand bpf_timer_cancel. It will lead a UAF on the timer->timer.\n\nbpf_timer_cancel();\n\tspin_lock();\n\tt = timer->time;\n\tspin_unlock();\n\n\t\t\t\t\tbpf_timer_cancel_and_free();\n\t\t\t\t\t\tspin_lock();\n\t\t\t\t\t\tt = timer->timer;\n\t\t\t\t\t\ttimer->timer = NULL;\n\t\t\t\t\t\tspin_unlock();\n\t\t\t\t\t\thrtimer_cancel(&t->timer);\n\t\t\t\t\t\tkfree(t);\n\n\t/* UAF on t */\n\thrtimer_cancel(&t->timer);\n\nIn bpf_timer_cancel_and_free, this patch frees the timer->timer\nafter a rcu grace period. This requires a rcu_head addition\nto the \"struct bpf_hrtimer\". Another kfree(t) happens in bpf_timer_init,\nthis does not need a kfree_rcu because it is still under the\nspin_lock and timer->timer has not been visible by others yet.\n\nIn bpf_timer_cancel, rcu_read_lock() is added because this helper\ncan be used in a non rcu critical section context (e.g. from\na sleepable bpf prog). Other timer->timer usages in helpers.c\nhave been audited, bpf_timer_cancel() is the only place where\ntimer->timer is used outside of the spin_lock.\n\nAnother solution considered is to mark a t->flag in bpf_timer_cancel\nand clear it after hrtimer_cancel() is done. In bpf_timer_cancel_and_free,\nit busy waits for the flag to be cleared before kfree(t). This patch\ngoes with a straight forward solution and frees timer->timer after\na rcu grace period.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26737", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26737" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8e60b99f6b7ccb3badeb512f5eb613ad45904592" + }, + { + "url": "https://git.kernel.org/stable/c/3a1ec89708d2e57e2712f46241282961b1a7a475" + }, + { + "url": "https://git.kernel.org/stable/c/eaa410e05bdf562c90b23cdf2d9327f9c4625e16" + }, + { + "url": "https://git.kernel.org/stable/c/0a0b79ea55de8514e1750884e5fec77f9fdd01ee" + }, + { + "url": "https://git.kernel.org/stable/c/ed8000e1e8e9684ab6c30cf2b526c0cea039929c" + }, + { + "url": "https://git.kernel.org/stable/c/eb6e9dce979c08210ff7249e5e0eceb8991bfcd7" + }, + { + "url": "https://git.kernel.org/stable/c/d29ed08964cec8b9729bc55c7bb23f679d7a18fb" + }, + { + "url": "https://git.kernel.org/stable/c/40cd818fae875c424a8335009db33c7b5a07de3a" + }, + { + "url": "https://git.kernel.org/stable/c/ab896d93fd6a2cd1afeb034c3cc9226cb499209f" + }, + { + "url": "https://git.kernel.org/linus/0a0b79ea55de8514e1750884e5fec77f9fdd01ee(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26875" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-519", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26875" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: pvrusb2: fix uaf in pvr2_context_set_notify\n\n[Syzbot reported]\nBUG: KASAN: slab-use-after-free in pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\nRead of size 4 at addr ffff888113aeb0d8 by task kworker/1:1/26\n\nCPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.8.0-rc1-syzkaller-00046-gf1a27f081c1f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024\nWorkqueue: usb_hub_wq hub_event\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n pvr2_context_set_notify+0x2c4/0x310 drivers/media/usb/pvrusb2/pvrusb2-context.c:35\n pvr2_context_notify drivers/media/usb/pvrusb2/pvrusb2-context.c:95 [inline]\n pvr2_context_disconnect+0x94/0xb0 drivers/media/usb/pvrusb2/pvrusb2-context.c:272\n\nFreed by task 906:\nkasan_save_stack+0x33/0x50 mm/kasan/common.c:47\nkasan_save_track+0x14/0x30 mm/kasan/common.c:68\nkasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\npoison_slab_object mm/kasan/common.c:241 [inline]\n__kasan_slab_free+0x106/0x1b0 mm/kasan/common.c:257\nkasan_slab_free include/linux/kasan.h:184 [inline]\nslab_free_hook mm/slub.c:2121 [inline]\nslab_free mm/slub.c:4299 [inline]\nkfree+0x105/0x340 mm/slub.c:4409\npvr2_context_check drivers/media/usb/pvrusb2/pvrusb2-context.c:137 [inline]\npvr2_context_thread_func+0x69d/0x960 drivers/media/usb/pvrusb2/pvrusb2-context.c:158\n\n[Analyze]\nTask A set disconnect_flag = !0, which resulted in Task B's condition being met\nand releasing mp, leading to this issue.\n\n[Fix]\nPlace the disconnect_flag assignment operation after all code in pvr2_context_disconnect()\nto avoid this issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26875", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26875" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://android.googlesource.com/kernel/common/+/b35a06182451f" + }, + { + "url": "https://source.android.com/security/bulletin/2023-08-01" + }, + { + "url": "https://android.googlesource.com/kernel/common/+/53625a846a7b4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-21264" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6383-1" + }, + { + "url": "https://git.kernel.org/linus/09cce60bddd6461a93a5bf434265a47827d1bc6f" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-349.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6466-1" + }, + { + "url": "https://source.android.com/docs/security/bulletin/2023-08-01" + } + ], + "bom-ref": "vuln-520", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-21264" + } + }, + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + } + } + ], + "created": "2023-08-14T21:15:11Z", + "description": "In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-21264", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21264" + }, + "cwes": [ + 119 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-08-24T15:31:45Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-07T22:43:01Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1bc44a505a229bb1dd4957e11aa594edeea3690e" + }, + { + "url": "https://git.kernel.org/stable/c/c9e44111da221246efb2e623ae1be40a5cf6542c" + }, + { + "url": "https://git.kernel.org/stable/c/79527c21a3ce04cffc35ea54f74ee087e532be57" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-521", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()\n\nlen is extracted from HTT message and could be an unexpected value in\ncase errors happen, so add validation before using to avoid possible\nout-of-bound read in the following message iteration and parsing.\n\nThe same issue also applies to ppdu_info->ppdu_stats.common.num_users,\nso validate it before using too.\n\nThese are found during code review.\n\nCompile test only.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52827", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52827" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/09f617219fe9ccd8d7b65dc3e879b5889f663b5a" + }, + { + "url": "https://git.kernel.org/stable/c/5b4574b663d0a1a0a62d5232429b7db9ae6d0670" + }, + { + "url": "https://git.kernel.org/stable/c/406e8845356d18bdf3d3a23b347faf67706472ec" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-522", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: check num of link levels when update pcie param\n\nIn SR-IOV environment, the value of pcie_table->num_of_link_levels will\nbe 0, and num_of_levels - 1 will cause array index out of bounds", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52812", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52812" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/474d521da890b3e3585335fb80a6044cb2553d99" + }, + { + "url": "https://git.kernel.org/stable/c/677102a930643c31f1b4c512b041407058bdfef8" + }, + { + "url": "https://git.kernel.org/stable/c/3cc5fb824c2125aa3740d905b3e5b378c8a09478" + }, + { + "url": "https://git.kernel.org/stable/c/9579a21e99fe8dab22a253050ddff28d340d74e1" + }, + { + "url": "https://git.kernel.org/stable/c/4529c084a320be78ff2c5e64297ae998c6fdf66b" + }, + { + "url": "https://git.kernel.org/stable/c/a69c8bbb946936ac4eb6a6ae1e849435aa8d947d" + }, + { + "url": "https://git.kernel.org/stable/c/87a39071e0b639f45e05d296cc0538eef44ec0bd" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26788" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-523", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26788" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: init irq after reg initialization\n\nInitialize the qDMA irqs after the registers are configured so that\ninterrupts that may have been pending from a primary kernel don't get\nprocessed by the irq handler before it is ready to and cause panic with\nthe following trace:\n\n Call trace:\n fsl_qdma_queue_handler+0xf8/0x3e8\n __handle_irq_event_percpu+0x78/0x2b0\n handle_irq_event_percpu+0x1c/0x68\n handle_irq_event+0x44/0x78\n handle_fasteoi_irq+0xc8/0x178\n generic_handle_irq+0x24/0x38\n __handle_domain_irq+0x90/0x100\n gic_handle_irq+0x5c/0xb8\n el1_irq+0xb8/0x180\n _raw_spin_unlock_irqrestore+0x14/0x40\n __setup_irq+0x4bc/0x798\n request_threaded_irq+0xd8/0x190\n devm_request_threaded_irq+0x74/0xe8\n fsl_qdma_probe+0x4d4/0xca8\n platform_drv_probe+0x50/0xa0\n really_probe+0xe0/0x3f8\n driver_probe_device+0x64/0x130\n device_driver_attach+0x6c/0x78\n __driver_attach+0xbc/0x158\n bus_for_each_dev+0x5c/0x98\n driver_attach+0x20/0x28\n bus_add_driver+0x158/0x220\n driver_register+0x60/0x110\n __platform_driver_register+0x44/0x50\n fsl_qdma_driver_init+0x18/0x20\n do_one_initcall+0x48/0x258\n kernel_init_freeable+0x1a4/0x23c\n kernel_init+0x10/0xf8\n ret_from_fork+0x10/0x18", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26788", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26788" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-22386" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-524", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22386" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + } + } + ], + "created": "2024-02-05T08:15:43Z", + "description": "A race condition was found in the Linux kernel's drm/exynos device driver in exynos_drm_crtc_atomic_disable() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-22386", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22386" + }, + "cwes": [ + 362, + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:05:26Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7d42e097607c4d246d99225bf2b195b6167a210c" + }, + { + "url": "https://git.kernel.org/stable/c/bb279ead42263e9fb09480f02a4247b2c287d828" + }, + { + "url": "https://git.kernel.org/stable/c/daba62d9eeddcc5b1081be7d348ca836c83c59d7" + }, + { + "url": "https://git.kernel.org/stable/c/d03092550f526a79cf1ade7f0dfa74906f39eb71" + }, + { + "url": "https://git.kernel.org/stable/c/8e81cd58aee14a470891733181a47d123193ba81" + }, + { + "url": "https://git.kernel.org/stable/c/0c2cf5142bfb634c0ef0a1a69cdf37950747d0be" + }, + { + "url": "https://git.kernel.org/stable/c/226fc408c5fcd23cc4186f05ea3a09a7a9aef2f7" + }, + { + "url": "https://git.kernel.org/stable/c/8a5a7611ccc7b1fba8d933a9f22a2e76859d94dc" + }, + { + "url": "https://git.kernel.org/stable/c/4ae5a97781ce7d6ecc9c7055396535815b64ca4f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26974" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7d42e097607c4d246d99225bf2b195b6167a210c(6.9-rc1)" + } + ], + "bom-ref": "vuln-525", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26974" + } + } + ], + "created": "2024-05-01T06:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - resolve race condition during AER recovery\n\nDuring the PCI AER system's error recovery process, the kernel driver\nmay encounter a race condition with freeing the reset_data structure's\nmemory. If the device restart will take more than 10 seconds the function\nscheduling that restart will exit due to a timeout, and the reset_data\nstructure will be freed. However, this data structure is used for\ncompletion notification after the restart is completed, which leads\nto a UAF bug.\n\nThis results in a KFENCE bug notice.\n\n BUG: KFENCE: use-after-free read in adf_device_reset_worker+0x38/0xa0 [intel_qat]\n Use-after-free read at 0x00000000bc56fddf (in kfence-#142):\n adf_device_reset_worker+0x38/0xa0 [intel_qat]\n process_one_work+0x173/0x340\n\nTo resolve this race condition, the memory associated to the container\nof the work_struct is freed on the worker if the timeout expired,\notherwise on the function that schedules the worker.\nThe timeout detection can be done by checking if the caller is\nstill waiting for completion or not by using completion_done() function.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26974", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26974" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13b520fb62b772e408f9b79c5fe18ad414e90417" + }, + { + "url": "https://git.kernel.org/stable/c/ad39c08186f8a0f221337985036ba86731d6aafe" + }, + { + "url": "https://git.kernel.org/linus/ad39c08186f8a0f221337985036ba86731d6aafe(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26756" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-526", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26756" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Don't register sync_thread for reshape directly\n\nCurrently, if reshape is interrupted, then reassemble the array will\nregister sync_thread directly from pers->run(), in this case\n'MD_RECOVERY_RUNNING' is set directly, however, there is no guarantee\nthat md_do_sync() will be executed, hence stop_sync_thread() will hang\nbecause 'MD_RECOVERY_RUNNING' can't be cleared.\n\nLast patch make sure that md_do_sync() will set MD_RECOVERY_DONE,\nhowever, following hang can still be triggered by dm-raid test\nshell/lvconvert-raid-reshape.sh occasionally:\n\n[root@fedora ~]# cat /proc/1982/stack\n[<0>] stop_sync_thread+0x1ab/0x270 [md_mod]\n[<0>] md_frozen_sync_thread+0x5c/0xa0 [md_mod]\n[<0>] raid_presuspend+0x1e/0x70 [dm_raid]\n[<0>] dm_table_presuspend_targets+0x40/0xb0 [dm_mod]\n[<0>] __dm_destroy+0x2a5/0x310 [dm_mod]\n[<0>] dm_destroy+0x16/0x30 [dm_mod]\n[<0>] dev_remove+0x165/0x290 [dm_mod]\n[<0>] ctl_ioctl+0x4bb/0x7b0 [dm_mod]\n[<0>] dm_ctl_ioctl+0x11/0x20 [dm_mod]\n[<0>] vfs_ioctl+0x21/0x60\n[<0>] __x64_sys_ioctl+0xb9/0xe0\n[<0>] do_syscall_64+0xc6/0x230\n[<0>] entry_SYSCALL_64_after_hwframe+0x6c/0x74\n\nMeanwhile mddev->recovery is:\nMD_RECOVERY_RUNNING |\nMD_RECOVERY_INTR |\nMD_RECOVERY_RESHAPE |\nMD_RECOVERY_FROZEN\n\nFix this problem by remove the code to register sync_thread directly\nfrom raid10 and raid5. And let md_check_recovery() to register\nsync_thread.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26756", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26756" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/907761307469adecb02461a14120e9a1812a5fb1" + }, + { + "url": "https://git.kernel.org/stable/c/c055fc00c07be1f0df7375ab0036cebd1106ed38" + }, + { + "url": "https://git.kernel.org/stable/c/997efea2bf3a4adb96c306b9ad6a91442237bf5b" + }, + { + "url": "https://git.kernel.org/stable/c/2b505d05280739ce31d5708da840f42df827cb85" + }, + { + "url": "https://git.kernel.org/stable/c/9dfc15a10dfd44f8ff7f27488651cb5be6af83c2" + }, + { + "url": "https://git.kernel.org/stable/c/998fd719e6d6468b930ac0c44552ea9ff8b07b80" + }, + { + "url": "https://git.kernel.org/stable/c/b562ebe21ed9adcf42242797dd6cb75beef12bf0" + }, + { + "url": "https://git.kernel.org/stable/c/786854141057751bc08eb26f1b02e97c1631c8f4" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27024" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c055fc00c07be1f0df7375ab0036cebd1106ed38(6.8)" + } + ], + "bom-ref": "vuln-527", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27024" + } + } + ], + "created": "2024-05-01T13:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/rds: fix WARNING in rds_conn_connect_if_down\n\nIf connection isn't established yet, get_mr() will fail, trigger connection after\nget_mr().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27024", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27024" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/099f6a9edbe30b142c1d97fe9a4748601d995675" + }, + { + "url": "https://git.kernel.org/stable/c/ae815e2fdc284ab31651d52460698bd89c0fce22" + }, + { + "url": "https://git.kernel.org/stable/c/3399cc7013e761fee9d6eec795e9b31ab0cbe475" + }, + { + "url": "https://git.kernel.org/stable/c/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6" + }, + { + "url": "https://git.kernel.org/stable/c/31569995fc65007b73a3fff605ec2b3401b435e9" + }, + { + "url": "https://git.kernel.org/stable/c/0aedb319ef3ed39e9e5a7b7726c8264ca627bbd9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52635" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://git.kernel.org/linus/aed5ed595960c6d301dcd4ed31aeaa7a8054c0c6(6.8-rc1)" + } + ], + "bom-ref": "vuln-528", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52635" + } + } + ], + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM / devfreq: Synchronize devfreq_monitor_[start/stop]\n\nThere is a chance if a frequent switch of the governor\ndone in a loop result in timer list corruption where\ntimer cancel being done from two place one from\ncancel_delayed_work_sync() and followed by expire_timers()\ncan be seen from the traces[1].\n\nwhile true\ndo\n echo \"simple_ondemand\" > /sys/class/devfreq/1d84000.ufshc/governor\n echo \"performance\" > /sys/class/devfreq/1d84000.ufshc/governor\ndone\n\nIt looks to be issue with devfreq driver where\ndevice_monitor_[start/stop] need to synchronized so that\ndelayed work should get corrupted while it is either\nbeing queued or running or being cancelled.\n\nLet's use polling flag and devfreq lock to synchronize the\nqueueing the timer instance twice and work data being\ncorrupted.\n\n[1]\n...\n..\n-0 [003] 9436.209662: timer_cancel timer=0xffffff80444f0428\n-0 [003] 9436.209664: timer_expire_entry timer=0xffffff80444f0428 now=0x10022da1c function=__typeid__ZTSFvP10timer_listE_global_addr baseclk=0x10022da1c\n-0 [003] 9436.209718: timer_expire_exit timer=0xffffff80444f0428\nkworker/u16:6-14217 [003] 9436.209863: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2b now=0x10022da1c flags=182452227\nvendor.xxxyyy.ha-1593 [004] 9436.209888: timer_cancel timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216390: timer_init timer=0xffffff80444f0428\nvendor.xxxyyy.ha-1593 [004] 9436.216392: timer_start timer=0xffffff80444f0428 function=__typeid__ZTSFvP10timer_listE_global_addr expires=0x10022da2c now=0x10022da1d flags=186646532\nvendor.xxxyyy.ha-1593 [005] 9436.220992: timer_cancel timer=0xffffff80444f0428\nxxxyyyTraceManag-7795 [004] 9436.261641: timer_cancel timer=0xffffff80444f0428\n\n[2]\n\n 9436.261653][ C4] Unable to handle kernel paging request at virtual address dead00000000012a\n[ 9436.261664][ C4] Mem abort info:\n[ 9436.261666][ C4] ESR = 0x96000044\n[ 9436.261669][ C4] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 9436.261671][ C4] SET = 0, FnV = 0\n[ 9436.261673][ C4] EA = 0, S1PTW = 0\n[ 9436.261675][ C4] Data abort info:\n[ 9436.261677][ C4] ISV = 0, ISS = 0x00000044\n[ 9436.261680][ C4] CM = 0, WnR = 1\n[ 9436.261682][ C4] [dead00000000012a] address between user and kernel address ranges\n[ 9436.261685][ C4] Internal error: Oops: 96000044 [#1] PREEMPT SMP\n[ 9436.261701][ C4] Skip md ftrace buffer dump for: 0x3a982d0\n...\n\n[ 9436.262138][ C4] CPU: 4 PID: 7795 Comm: TraceManag Tainted: G S W O 5.10.149-android12-9-o-g17f915d29d0c #1\n[ 9436.262141][ C4] Hardware name: Qualcomm Technologies, Inc. (DT)\n[ 9436.262144][ C4] pstate: 22400085 (nzCv daIf +PAN -UAO +TCO BTYPE=--)\n[ 9436.262161][ C4] pc : expire_timers+0x9c/0x438\n[ 9436.262164][ C4] lr : expire_timers+0x2a4/0x438\n[ 9436.262168][ C4] sp : ffffffc010023dd0\n[ 9436.262171][ C4] x29: ffffffc010023df0 x28: ffffffd0636fdc18\n[ 9436.262178][ C4] x27: ffffffd063569dd0 x26: ffffffd063536008\n[ 9436.262182][ C4] x25: 0000000000000001 x24: ffffff88f7c69280\n[ 9436.262185][ C4] x23: 00000000000000e0 x22: dead000000000122\n[ 9436.262188][ C4] x21: 000000010022da29 x20: ffffff8af72b4e80\n[ 9436.262191][ C4] x19: ffffffc010023e50 x18: ffffffc010025038\n[ 9436.262195][ C4] x17: 0000000000000240 x16: 0000000000000201\n[ 9436.262199][ C4] x15: ffffffffffffffff x14: ffffff889f3c3100\n[ 9436.262203][ C4] x13: ffffff889f3c3100 x12: 00000000049f56b8\n[ 9436.262207][ C4] x11: 00000000049f56b8 x10: 00000000ffffffff\n[ 9436.262212][ C4] x9 : ffffffc010023e50 x8 : dead000000000122\n[ 9436.262216][ C4] x7 : ffffffffffffffff x6 : ffffffc0100239d8\n[ 9436.262220][ C4] x5 : 0000000000000000 x4 : 0000000000000101\n[ 9436.262223][ C4] x3 : 0000000000000080 x2 : ffffff8\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52635", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52635" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ddbec99f58571301679addbc022256970ca3eac6" + }, + { + "url": "https://git.kernel.org/stable/c/39cc316fb3bc5e7c9dc5eed314fe510d119c6862" + }, + { + "url": "https://git.kernel.org/stable/c/97d2148ea435dff4b4e71817c9032eb321bcd37e" + }, + { + "url": "https://git.kernel.org/stable/c/889ed056eae7fda85b769a9ab33c093379c45428" + }, + { + "url": "https://git.kernel.org/stable/c/1ed222ca7396938eb1ab2d034f1ba0d8b00a7122" + }, + { + "url": "https://git.kernel.org/stable/c/09e5cdbe2cc88c3c758927644a3eb02fac317209" + }, + { + "url": "https://git.kernel.org/stable/c/e3b2bfb8ff1810a537b2aa55ba906a6743ed120c" + }, + { + "url": "https://git.kernel.org/stable/c/a809bbfd0e503351d3051317288a70a4569a4949" + }, + { + "url": "https://git.kernel.org/stable/c/7fb2d4d6bb1c85f7a23aace0ed6c86a95dea792a" + }, + { + "url": "https://git.kernel.org/linus/ddbec99f58571301679addbc022256970ca3eac6(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26863" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-529", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26863" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhsr: Fix uninit-value access in hsr_get_node()\n\nKMSAN reported the following uninit-value access issue [1]:\n\n=====================================================\nBUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246\n fill_frame_info net/hsr/hsr_forward.c:577 [inline]\n hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615\n hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564\n __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3087 [inline]\n packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n packet_alloc_skb net/packet/af_packet.c:2936 [inline]\n packet_snd net/packet/af_packet.c:3030 [inline]\n packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023\n=====================================================\n\nIf the packet type ID field in the Ethernet header is either ETH_P_PRP or\nETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr()\nreads an invalid value as a sequence number. This causes the above issue.\n\nThis patch fixes the issue by returning NULL if the Ethernet header is not\nfollowed by an HSR tag.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26863", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26863" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b5475ce69f02ecc1b13ea23106e5b89c690429b" + }, + { + "url": "https://git.kernel.org/stable/c/cf03020c56d3ed28c4942280957a007b5e9544f7" + }, + { + "url": "https://git.kernel.org/stable/c/8fefd166fcb368c5fcf48238e3f7c8af829e0a72" + }, + { + "url": "https://git.kernel.org/stable/c/d3da25c5ac84430f89875ca7485a3828150a7e0a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35868" + }, + { + "url": "https://git.kernel.org/linus/d3da25c5ac84430f89875ca7485a3828150a7e0a(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-530", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35868" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_stats_proc_write()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35868" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5c27d85a69fa16a08813ba37ddfb4bbc9a1ed6b5" + }, + { + "url": "https://git.kernel.org/stable/c/6e6065dd25b661420fac19c34282b6c626fcd35e" + }, + { + "url": "https://git.kernel.org/stable/c/d9b5e2b7a8196850383c70d099bfd39e81ab6637" + }, + { + "url": "https://git.kernel.org/stable/c/e8530b170e464017203e3b8c6c49af6e916aece1" + }, + { + "url": "https://git.kernel.org/stable/c/d34a5e57632bb5ff825196ddd9a48ca403626dfa" + }, + { + "url": "https://git.kernel.org/stable/c/e56662160fc24d28cb75ac095cc6415ae1bda43e" + }, + { + "url": "https://git.kernel.org/stable/c/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26736" + }, + { + "url": "https://git.kernel.org/linus/6ea38e2aeb72349cad50e38899b0ba6fbcb2af3d(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-531", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26736" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Increase buffer size in afs_update_volume_status()\n\nThe max length of volume->vid value is 20 characters.\nSo increase idbuf[] size up to 24 to avoid overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.\n\n[DH: Actually, it's 20 + NUL, so increase it to 24 and use snprintf()]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26736", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26736" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/569156e4fa347237f8fa2a7e935d860109c55ac4" + }, + { + "url": "https://git.kernel.org/stable/c/814af6b4e6000e574e74d92197190edf07cc3680" + }, + { + "url": "https://git.kernel.org/stable/c/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26618" + } + ], + "bom-ref": "vuln-532", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26618" + } + } + ], + "created": "2024-03-11T18:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/sme: Always exit sme_alloc() early with existing storage\n\nWhen sme_alloc() is called with existing storage and we are not flushing we\nwill always allocate new storage, both leaking the existing storage and\ncorrupting the state. Fix this by separating the checks for flushing and\nfor existing storage as we do for SVE.\n\nCallers that reallocate (eg, due to changing the vector length) should\ncall sme_free() themselves.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26618", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26618" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-12T12:40:13Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ec92aa2cab6f0048f10d6aa4f025c5885cb1a1b6" + }, + { + "url": "https://git.kernel.org/stable/c/e668b92a3a01429923fd5ca13e99642aab47de69" + }, + { + "url": "https://git.kernel.org/stable/c/abd32d7f5c0294c1b2454c5a3b13b18446bac627" + }, + { + "url": "https://git.kernel.org/stable/c/5366969a19a8a0d2ffb3d27ef6e8905e5e4216f8" + }, + { + "url": "https://git.kernel.org/stable/c/93dd420bc41531c9a31498b9538ca83ba6ec191e" + }, + { + "url": "https://git.kernel.org/stable/c/616d82c3cfa2a2146dd7e3ae47bda7e877ee549e" + }, + { + "url": "https://git.kernel.org/stable/c/9376d059a705c5dfaac566c2d09891242013ae16" + }, + { + "url": "https://git.kernel.org/stable/c/01129059d5141d62fae692f7a336ae3bc712d3eb" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26793" + } + ], + "bom-ref": "vuln-533", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26793" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: fix use-after-free and null-ptr-deref in gtp_newlink()\n\nThe gtp_link_ops operations structure for the subsystem must be\nregistered after registering the gtp_net_ops pernet operations structure.\n\nSyzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:\n\n[ 1010.702740] gtp: GTP module unloaded\n[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI\n[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1\n[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014\n[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00\n[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203\n[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000\n[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282\n[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000\n[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80\n[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400\n[ 1010.715953] FS: 00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000\n[ 1010.715958] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0\n[ 1010.715968] PKRU: 55555554\n[ 1010.715972] Call Trace:\n[ 1010.715985] ? __die_body.cold+0x1a/0x1f\n[ 1010.715995] ? die_addr+0x43/0x70\n[ 1010.716002] ? exc_general_protection+0x199/0x2f0\n[ 1010.716016] ? asm_exc_general_protection+0x1e/0x30\n[ 1010.716026] ? gtp_newlink+0x4d7/0x9c0 [gtp]\n[ 1010.716034] ? gtp_net_exit+0x150/0x150 [gtp]\n[ 1010.716042] __rtnl_newlink+0x1063/0x1700\n[ 1010.716051] ? rtnl_setlink+0x3c0/0x3c0\n[ 1010.716063] ? is_bpf_text_address+0xc0/0x1f0\n[ 1010.716070] ? kernel_text_address.part.0+0xbb/0xd0\n[ 1010.716076] ? __kernel_text_address+0x56/0xa0\n[ 1010.716084] ? unwind_get_return_address+0x5a/0xa0\n[ 1010.716091] ? create_prof_cpu_mask+0x30/0x30\n[ 1010.716098] ? arch_stack_walk+0x9e/0xf0\n[ 1010.716106] ? stack_trace_save+0x91/0xd0\n[ 1010.716113] ? stack_trace_consume_entry+0x170/0x170\n[ 1010.716121] ? __lock_acquire+0x15c5/0x5380\n[ 1010.716139] ? mark_held_locks+0x9e/0xe0\n[ 1010.716148] ? kmem_cache_alloc_trace+0x35f/0x3c0\n[ 1010.716155] ? __rtnl_newlink+0x1700/0x1700\n[ 1010.716160] rtnl_newlink+0x69/0xa0\n[ 1010.716166] rtnetlink_rcv_msg+0x43b/0xc50\n[ 1010.716172] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716179] ? lock_acquire+0x1fe/0x560\n[ 1010.716188] ? netlink_deliver_tap+0x12f/0xd50\n[ 1010.716196] netlink_rcv_skb+0x14d/0x440\n[ 1010.716202] ? rtnl_fdb_dump+0x9f0/0x9f0\n[ 1010.716208] ? netlink_ack+0xab0/0xab0\n[ 1010.716213] ? netlink_deliver_tap+0x202/0xd50\n[ 1010.716220] ? netlink_deliver_tap+0x218/0xd50\n[ 1010.716226] ? __virt_addr_valid+0x30b/0x590\n[ 1010.716233] netlink_unicast+0x54b/0x800\n[ 1010.716240] ? netlink_attachskb+0x870/0x870\n[ 1010.716248] ? __check_object_size+0x2de/0x3b0\n[ 1010.716254] netlink_sendmsg+0x938/0xe40\n[ 1010.716261] ? netlink_unicast+0x800/0x800\n[ 1010.716269] ? __import_iovec+0x292/0x510\n[ 1010.716276] ? netlink_unicast+0x800/0x800\n[ 1010.716284] __sock_sendmsg+0x159/0x190\n[ 1010.716290] ____sys_sendmsg+0x712/0x880\n[ 1010.716297] ? sock_write_iter+0x3d0/0x3d0\n[ 1010.716304] ? __ia32_sys_recvmmsg+0x270/0x270\n[ 1010.716309] ? lock_acquire+0x1fe/0x560\n[ 1010.716315] ? drain_array_locked+0x90/0x90\n[ 1010.716324] ___sys_sendmsg+0xf8/0x170\n[ 1010.716331] ? sendmsg_copy_msghdr+0x170/0x170\n[ 1010.716337] ? lockdep_init_map\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26793", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26793" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a03ed00787b0ce7a83eebabd0fa95ecc4a5cac84" + }, + { + "url": "https://git.kernel.org/stable/c/0cbefc7b5bdad86b18a263d837450cdc9a56f8d7" + }, + { + "url": "https://git.kernel.org/stable/c/9f3e5df38b4528213449e55b80f0316864f2a1c8" + }, + { + "url": "https://git.kernel.org/stable/c/7ae1b0dc12ec407f12f80b49d22c6ad2308e2202" + }, + { + "url": "https://git.kernel.org/stable/c/ba535bce57e71463a86f8b33a0ea88c26e3a6418" + }, + { + "url": "https://git.kernel.org/stable/c/a860aaebacbc908fa06e2642402058f40bfffe10" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26879" + }, + { + "url": "https://git.kernel.org/linus/ba535bce57e71463a86f8b33a0ea88c26e3a6418(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-534", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26879" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: meson: Add missing clocks to axg_clk_regmaps\n\nSome clocks were missing from axg_clk_regmaps, which caused kernel panic\nduring cat /sys/kernel/debug/clk/clk_summary\n\n[ 57.349402] Unable to handle kernel NULL pointer dereference at virtual address 00000000000001fc\n...\n[ 57.430002] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 57.436900] pc : regmap_read+0x1c/0x88\n[ 57.440608] lr : clk_regmap_gate_is_enabled+0x3c/0xb0\n[ 57.445611] sp : ffff800082f1b690\n[ 57.448888] x29: ffff800082f1b690 x28: 0000000000000000 x27: ffff800080eb9a70\n[ 57.455961] x26: 0000000000000007 x25: 0000000000000016 x24: 0000000000000000\n[ 57.463033] x23: ffff800080e8b488 x22: 0000000000000015 x21: ffff00000e7e7000\n[ 57.470106] x20: ffff00000400ec00 x19: 0000000000000000 x18: ffffffffffffffff\n[ 57.477178] x17: 0000000000000000 x16: 0000000000000000 x15: ffff0000042a3000\n[ 57.484251] x14: 0000000000000000 x13: ffff0000042a2fec x12: 0000000005f5e100\n[ 57.491323] x11: abcc77118461cefd x10: 0000000000000020 x9 : ffff8000805e4b24\n[ 57.498396] x8 : ffff0000028063c0 x7 : ffff800082f1b710 x6 : ffff800082f1b710\n[ 57.505468] x5 : 00000000ffffffd0 x4 : ffff800082f1b6e0 x3 : 0000000000001000\n[ 57.512541] x2 : ffff800082f1b6e4 x1 : 000000000000012c x0 : 0000000000000000\n[ 57.519615] Call trace:\n[ 57.522030] regmap_read+0x1c/0x88\n[ 57.525393] clk_regmap_gate_is_enabled+0x3c/0xb0\n[ 57.530050] clk_core_is_enabled+0x44/0x120\n[ 57.534190] clk_summary_show_subtree+0x154/0x2f0\n[ 57.538847] clk_summary_show_subtree+0x220/0x2f0\n[ 57.543505] clk_summary_show_subtree+0x220/0x2f0\n[ 57.548162] clk_summary_show_subtree+0x220/0x2f0\n[ 57.552820] clk_summary_show_subtree+0x220/0x2f0\n[ 57.557477] clk_summary_show_subtree+0x220/0x2f0\n[ 57.562135] clk_summary_show_subtree+0x220/0x2f0\n[ 57.566792] clk_summary_show_subtree+0x220/0x2f0\n[ 57.571450] clk_summary_show+0x84/0xb8\n[ 57.575245] seq_read_iter+0x1bc/0x4b8\n[ 57.578954] seq_read+0x8c/0xd0\n[ 57.582059] full_proxy_read+0x68/0xc8\n[ 57.585767] vfs_read+0xb0/0x268\n[ 57.588959] ksys_read+0x70/0x108\n[ 57.592236] __arm64_sys_read+0x24/0x38\n[ 57.596031] invoke_syscall+0x50/0x128\n[ 57.599740] el0_svc_common.constprop.0+0x48/0xf8\n[ 57.604397] do_el0_svc+0x28/0x40\n[ 57.607675] el0_svc+0x34/0xb8\n[ 57.610694] el0t_64_sync_handler+0x13c/0x158\n[ 57.615006] el0t_64_sync+0x190/0x198\n[ 57.618635] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (b941fc00)\n[ 57.624668] ---[ end trace 0000000000000000 ]---\n\n[jbrunet: add missing Fixes tag]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26879", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26879" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5af385f5f4cddf908f663974847a4083b2ff2c79" + }, + { + "url": "https://git.kernel.org/stable/c/ebfe41889b762f1933c6762f6624b9724a25bee0" + }, + { + "url": "https://git.kernel.org/stable/c/66297b2ceda841f809637731d287bda3a93b49d8" + }, + { + "url": "https://git.kernel.org/stable/c/93ba36238db6a74a82feb3dc476e25ea424ad630" + }, + { + "url": "https://git.kernel.org/stable/c/d34a516f2635090d36a306f84573e8de3d7374ce" + }, + { + "url": "https://git.kernel.org/stable/c/9b7c5004d7c5ae062134052a85290869a015814c" + }, + { + "url": "https://git.kernel.org/stable/c/15aa09d6d84629eb5296de30ac0aa19a33512f16" + }, + { + "url": "https://git.kernel.org/linus/5af385f5f4cddf908f663974847a4083b2ff2c79(6.9-rc7)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35983" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-535", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35983" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS\n\nbits_per() rounds up to the next power of two when passed a power of\ntwo. This causes crashes on some machines and configurations.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35983", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35983" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eb4f139888f636614dab3bcce97ff61cefc4b3a7" + }, + { + "url": "https://git.kernel.org/stable/c/c5f9fe2c1e5023fa096189a8bfba6420aa035587" + }, + { + "url": "https://git.kernel.org/stable/c/aa665c3a2aca2ffe31b9645bda278e96dfc3b55c" + }, + { + "url": "https://git.kernel.org/stable/c/14ac934db851642ea8cd1bd4121c788a8899ef69" + }, + { + "url": "https://git.kernel.org/linus/eb4f139888f636614dab3bcce97ff61cefc4b3a7(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35928" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-536", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35928" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init()\n\nThis ensures that the memory mapped by ioremap for adev->rmmio, is\nproperly handled in amdgpu_device_init(). If the function exits early\ndue to an error, the memory is unmapped. If the function completes\nsuccessfully, the memory remains mapped.\n\nReported by smatch:\ndrivers/gpu/drm/amd/amdgpu/amdgpu_device.c:4337 amdgpu_device_init() warn: 'adev->rmmio' from ioremap() not released on lines: 4035,4045,4051,4058,4068,4337", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35928", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35928" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4551b30525cf3d2f026b92401ffe241eb04dfebe" + }, + { + "url": "https://git.kernel.org/stable/c/88e189bd16e5889e44a41b3309558ebab78b9280" + }, + { + "url": "https://git.kernel.org/stable/c/0f6810e39898af2d2cabd9313e4dbc945fb5dfdd" + }, + { + "url": "https://git.kernel.org/linus/4551b30525cf3d2f026b92401ffe241eb04dfebe(6.8-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26768" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-537", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26768" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Change acpi_core_pic[NR_CPUS] to acpi_core_pic[MAX_CORE_PIC]\n\nWith default config, the value of NR_CPUS is 64. When HW platform has\nmore then 64 cpus, system will crash on these platforms. MAX_CORE_PIC\nis the maximum cpu number in MADT table (max physical number) which can\nexceed the supported maximum cpu number (NR_CPUS, max logical number),\nbut kernel should not crash. Kernel should boot cpus with NR_CPUS, let\nthe remainder cpus stay in BIOS.\n\nThe potential crash reason is that the array acpi_core_pic[NR_CPUS] can\nbe overflowed when parsing MADT table, and it is obvious that CORE_PIC\nshould be corresponding to physical core rather than logical core, so it\nis better to define the array as acpi_core_pic[MAX_CORE_PIC].\n\nWith the patch, system can boot up 64 vcpus with qemu parameter -smp 128,\notherwise system will crash with the following message.\n\n[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000420000004259, era == 90000000037a5f0c, ra == 90000000037a46ec\n[ 0.000000] Oops[#1]:\n[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.8.0-rc2+ #192\n[ 0.000000] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022\n[ 0.000000] pc 90000000037a5f0c ra 90000000037a46ec tp 9000000003c90000 sp 9000000003c93d60\n[ 0.000000] a0 0000000000000019 a1 9000000003d93bc0 a2 0000000000000000 a3 9000000003c93bd8\n[ 0.000000] a4 9000000003c93a74 a5 9000000083c93a67 a6 9000000003c938f0 a7 0000000000000005\n[ 0.000000] t0 0000420000004201 t1 0000000000000000 t2 0000000000000001 t3 0000000000000001\n[ 0.000000] t4 0000000000000003 t5 0000000000000000 t6 0000000000000030 t7 0000000000000063\n[ 0.000000] t8 0000000000000014 u0 ffffffffffffffff s9 0000000000000000 s0 9000000003caee98\n[ 0.000000] s1 90000000041b0480 s2 9000000003c93da0 s3 9000000003c93d98 s4 9000000003c93d90\n[ 0.000000] s5 9000000003caa000 s6 000000000a7fd000 s7 000000000f556b60 s8 000000000e0a4330\n[ 0.000000] ra: 90000000037a46ec platform_init+0x214/0x250\n[ 0.000000] ERA: 90000000037a5f0c efi_runtime_init+0x30/0x94\n[ 0.000000] CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n[ 0.000000] PRMD: 00000000 (PPLV0 -PIE -PWE)\n[ 0.000000] EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n[ 0.000000] ECFG: 00070800 (LIE=11 VS=7)\n[ 0.000000] ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)\n[ 0.000000] BADV: 0000420000004259\n[ 0.000000] PRID: 0014c010 (Loongson-64bit, Loongson-3A5000)\n[ 0.000000] Modules linked in:\n[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____))\n[ 0.000000] Stack : 9000000003c93a14 9000000003800898 90000000041844f8 90000000037a46ec\n[ 0.000000] 000000000a7fd000 0000000008290000 0000000000000000 0000000000000000\n[ 0.000000] 0000000000000000 0000000000000000 00000000019d8000 000000000f556b60\n[ 0.000000] 000000000a7fd000 000000000f556b08 9000000003ca7700 9000000003800000\n[ 0.000000] 9000000003c93e50 9000000003800898 9000000003800108 90000000037a484c\n[ 0.000000] 000000000e0a4330 000000000f556b60 000000000a7fd000 000000000f556b08\n[ 0.000000] 9000000003ca7700 9000000004184000 0000000000200000 000000000e02b018\n[ 0.000000] 000000000a7fd000 90000000037a0790 9000000003800108 0000000000000000\n[ 0.000000] 0000000000000000 000000000e0a4330 000000000f556b60 000000000a7fd000\n[ 0.000000] 000000000f556b08 000000000eaae298 000000000eaa5040 0000000000200000\n[ 0.000000] ...\n[ 0.000000] Call Trace:\n[ 0.000000] [<90000000037a5f0c>] efi_runtime_init+0x30/0x94\n[ 0.000000] [<90000000037a46ec>] platform_init+0x214/0x250\n[ 0.000000] [<90000000037a484c>] setup_arch+0x124/0x45c\n[ 0.000000] [<90000000037a0790>] start_kernel+0x90/0x670\n[ 0.000000] [<900000000378b0d8>] kernel_entry+0xd8/0xdc", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26768", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26768" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3fba8eab2cfc7334e0f132d29dfd2552f2f2a579" + }, + { + "url": "https://git.kernel.org/stable/c/1bcdd66d33edb446903132456c948f0b764ef2f9" + }, + { + "url": "https://git.kernel.org/stable/c/8deeefb24786ea7950b37bde4516b286c877db00" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52658" + }, + { + "url": "https://git.kernel.org/linus/8deeefb24786ea7950b37bde4516b286c877db00(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-538", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52658" + } + } + ], + "created": "2024-05-17T12:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"net/mlx5: Block entering switchdev mode with ns inconsistency\"\n\nThis reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b.\nThe revert is required due to the suspicion it is not good for anything\nand cause crash.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52658", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52658" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e8c9ae40adda2be1ba41c05fd3cd1e61cce3207" + }, + { + "url": "https://git.kernel.org/stable/c/d2f1b7fe74afd66298dbb3c7b39e7b62e4df1724" + }, + { + "url": "https://git.kernel.org/stable/c/e622502c310f1069fd9f41cd38210553115f610a" + }, + { + "url": "https://git.kernel.org/stable/c/dcaafdba6c6162bb49f1192850bc3bbc3707738c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26626" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e622502c310f1069fd9f41cd38210553115f610a(6.8-rc3)" + } + ], + "bom-ref": "vuln-539", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26626" + } + } + ], + "created": "2024-03-06T07:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: fix kernel panic when forwarding mcast packets\n\nThe stacktrace was:\n[ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092\n[ 86.306815] #PF: supervisor read access in kernel mode\n[ 86.307717] #PF: error_code(0x0000) - not-present page\n[ 86.308624] PGD 0 P4D 0\n[ 86.309091] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[ 86.309883] CPU: 2 PID: 3139 Comm: pimd Tainted: G U 6.8.0-6wind-knet #1\n[ 86.311027] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014\n[ 86.312728] RIP: 0010:ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.313399] Code: f9 1f 0f 87 85 03 00 00 48 8d 04 5b 48 8d 04 83 49 8d 44 c5 00 48 8b 40 70 48 39 c2 0f 84 d9 00 00 00 49 8b 46 58 48 83 e0 fe <80> b8 92 00 00 00 00 0f 84 55 ff ff ff 49 83 47 38 01 45 85 e4 0f\n[ 86.316565] RSP: 0018:ffffad21c0583ae0 EFLAGS: 00010246\n[ 86.317497] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n[ 86.318596] RDX: ffff9559cb46c000 RSI: 0000000000000000 RDI: 0000000000000000\n[ 86.319627] RBP: ffffad21c0583b30 R08: 0000000000000000 R09: 0000000000000000\n[ 86.320650] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001\n[ 86.321672] R13: ffff9559c093a000 R14: ffff9559cc00b800 R15: ffff9559c09c1d80\n[ 86.322873] FS: 00007f85db661980(0000) GS:ffff955a79d00000(0000) knlGS:0000000000000000\n[ 86.324291] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 86.325314] CR2: 0000000000000092 CR3: 000000002f13a000 CR4: 0000000000350ef0\n[ 86.326589] Call Trace:\n[ 86.327036] \n[ 86.327434] ? show_regs (/build/work/knet/arch/x86/kernel/dumpstack.c:479)\n[ 86.328049] ? __die (/build/work/knet/arch/x86/kernel/dumpstack.c:421 /build/work/knet/arch/x86/kernel/dumpstack.c:434)\n[ 86.328508] ? page_fault_oops (/build/work/knet/arch/x86/mm/fault.c:707)\n[ 86.329107] ? do_user_addr_fault (/build/work/knet/arch/x86/mm/fault.c:1264)\n[ 86.329756] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.330350] ? __irq_work_queue_local (/build/work/knet/kernel/irq_work.c:111 (discriminator 1))\n[ 86.331013] ? exc_page_fault (/build/work/knet/./arch/x86/include/asm/paravirt.h:693 /build/work/knet/arch/x86/mm/fault.c:1515 /build/work/knet/arch/x86/mm/fault.c:1563)\n[ 86.331702] ? asm_exc_page_fault (/build/work/knet/./arch/x86/include/asm/idtentry.h:570)\n[ 86.332468] ? ip_mr_forward (/build/work/knet/net/ipv4/ipmr.c:1985)\n[ 86.333183] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.333920] ipmr_mfc_add (/build/work/knet/./include/linux/rcupdate.h:782 /build/work/knet/net/ipv4/ipmr.c:1009 /build/work/knet/net/ipv4/ipmr.c:1273)\n[ 86.334583] ? __pfx_ipmr_hash_cmp (/build/work/knet/net/ipv4/ipmr.c:363)\n[ 86.335357] ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[ 86.336135] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.336854] ? ip_mroute_setsockopt (/build/work/knet/net/ipv4/ipmr.c:1470)\n[ 86.337679] do_ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:944)\n[ 86.338408] ? __pfx_unix_stream_read_actor (/build/work/knet/net/unix/af_unix.c:2862)\n[ 86.339232] ? srso_return_thunk (/build/work/knet/arch/x86/lib/retpoline.S:223)\n[ 86.339809] ? aa_sk_perm (/build/work/knet/security/apparmor/include/cred.h:153 /build/work/knet/security/apparmor/net.c:181)\n[ 86.340342] ip_setsockopt (/build/work/knet/net/ipv4/ip_sockglue.c:1415)\n[ 86.340859] raw_setsockopt (/build/work/knet/net/ipv4/raw.c:836)\n[ 86.341408] ? security_socket_setsockopt (/build/work/knet/security/security.c:4561 (discriminator 13))\n[ 86.342116] sock_common_setsockopt (/build/work/knet/net/core/sock.c:3716)\n[ 86.342747] do_sock_setsockopt (/build/work/knet/net/socket.c:2313)\n[ 86.343363] __sys_setsockopt (/build/work/knet/./include/linux/file.h:32 /build/work/kn\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26626", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26626" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57" + }, + { + "url": "https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb" + }, + { + "url": "https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146" + }, + { + "url": "https://git.kernel.org/stable/c/196f198ca6fce04ba6ce262f5a0e4d567d7d219d" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26585" + }, + { + "url": "https://git.kernel.org/linus/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb(6.8-rc5)" + } + ], + "bom-ref": "vuln-540", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26585" + } + }, + { + "severity": "medium", + "score": 4.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585" + } + } + ], + "created": "2024-02-21T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26585", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585" + }, + "cwes": [ + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T14:15:15Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/linus/8d037973d48c026224ab285e6a06985ccac6f7bf(6.3-rc1)" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1382" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1250" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0461" + }, + { + "url": "https://lkml.org/lkml/2022/12/9/178" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6224-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6235-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-2176" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0448" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0724" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1306" + }, + { + "url": "https://patchwork.kernel.org/project/linux-rdma/patch/3d0e9a2fd62bc10ba02fed1c7c48a48638952320.1672819273.git.leonro@nvidia.com/" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0439" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6228-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0881" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1367" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6194-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1404" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0897" + } + ], + "bom-ref": "vuln-541", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-2176" + } + } + ], + "created": "2023-04-20T21:15:08Z", + "description": "A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA in the Linux Kernel. The improper cleanup results in out-of-boundary read, where a local user can utilize this problem to crash the system or escalation of privilege.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-2176", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2176" + }, + "cwes": [ + 125 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-07-27T15:21:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T18:17:48Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f51849833705dea5b4f9b0c8de714dd87bd6c95c" + }, + { + "url": "https://git.kernel.org/stable/c/73d1589b91f2099e5f6534a8497b7c6b527e064e" + }, + { + "url": "https://git.kernel.org/stable/c/9dac54f08198147f5ec0ec52fcf1bc8ac899ac05" + }, + { + "url": "https://git.kernel.org/stable/c/4facc9421117ba9d8148c73771b213887fec77f7" + }, + { + "url": "https://git.kernel.org/stable/c/f4d1960764d8a70318b02f15203a1be2b2554ca1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26933" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f4d1960764d8a70318b02f15203a1be2b2554ca1(6.9-rc2)" + } + ], + "bom-ref": "vuln-542", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26933" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: core: Fix deadlock in port \"disable\" sysfs attribute\n\nThe show and store callback routines for the \"disable\" sysfs attribute\nfile in port.c acquire the device lock for the port's parent hub\ndevice. This can cause problems if another process has locked the hub\nto remove it or change its configuration:\n\n\tRemoving the hub or changing its configuration requires the\n\thub interface to be removed, which requires the port device\n\tto be removed, and device_del() waits until all outstanding\n\tsysfs attribute callbacks for the ports have returned. The\n\tlock can't be released until then.\n\n\tBut the disable_show() or disable_store() routine can't return\n\tuntil after it has acquired the lock.\n\nThe resulting deadlock can be avoided by calling\nsysfs_break_active_protection(). This will cause the sysfs core not\nto wait for the attribute's callback routine to return, allowing the\nremoval to proceed. The disadvantage is that after making this call,\nthere is no guarantee that the hub structure won't be deallocated at\nany moment. To prevent this, we have to acquire a reference to it\nfirst by calling hub_get().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26933", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26933" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a361c2c1da5dbb13ca67601cf961ab3ad68af383" + }, + { + "url": "https://git.kernel.org/stable/c/348112522a35527c5bcba933b9fefb40a4f44f15" + }, + { + "url": "https://git.kernel.org/stable/c/56750ea5d15426b5f307554e7699e8b5f76c3182" + }, + { + "url": "https://git.kernel.org/stable/c/6fd24675188d354b1cad47462969afa2ab09d819" + }, + { + "url": "https://git.kernel.org/stable/c/2f5e1565740490706332c06f36211d4ce0f88e62" + }, + { + "url": "https://git.kernel.org/stable/c/483ae90d8f976f8339cf81066312e1329f2d3706" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-065.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26586" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-048.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-036.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2674" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1882" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1881" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2006" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2008" + } + ], + "bom-ref": "vuln-543", + "ratings": [ + { + "severity": "medium", + "score": 6.7, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26586" + } + } + ], + "created": "2024-02-22T17:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix stack corruption\n\nWhen tc filters are first added to a net device, the corresponding local\nport gets bound to an ACL group in the device. The group contains a list\nof ACLs. In turn, each ACL points to a different TCAM region where the\nfilters are stored. During forwarding, the ACLs are sequentially\nevaluated until a match is found.\n\nOne reason to place filters in different regions is when they are added\nwith decreasing priorities and in an alternating order so that two\nconsecutive filters can never fit in the same region because of their\nkey usage.\n\nIn Spectrum-2 and newer ASICs the firmware started to report that the\nmaximum number of ACLs in a group is more than 16, but the layout of the\nregister that configures ACL groups (PAGT) was not updated to account\nfor that. It is therefore possible to hit stack corruption [1] in the\nrare case where more than 16 ACLs in a group are required.\n\nFix by limiting the maximum ACL group size to the minimum between what\nthe firmware reports and the maximum ACLs that fit in the PAGT register.\n\nAdd a test case to make sure the machine does not crash when this\ncondition is hit.\n\n[1]\nKernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mlxsw_sp_acl_tcam_group_update+0x116/0x120\n[...]\n dump_stack_lvl+0x36/0x50\n panic+0x305/0x330\n __stack_chk_fail+0x15/0x20\n mlxsw_sp_acl_tcam_group_update+0x116/0x120\n mlxsw_sp_acl_tcam_group_region_attach+0x69/0x110\n mlxsw_sp_acl_tcam_vchunk_get+0x492/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26586", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26586" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-26T16:10:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/03358aba991668d3bb2c65b3c82aa32c36851170" + }, + { + "url": "https://git.kernel.org/stable/c/26dfe112ec2e95fe0099681f6aec33da13c2dd8e" + }, + { + "url": "https://git.kernel.org/stable/c/aedda066d717a0b4335d7e0a00b2e3a61e40afcf" + }, + { + "url": "https://git.kernel.org/stable/c/6cdedc18ba7b9dacc36466e27e3267d201948c8d" + }, + { + "url": "https://git.kernel.org/stable/c/559b6322f9480bff68cfa98d108991e945a4f284" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/6cdedc18ba7b9dacc36466e27e3267d201948c8d(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52638" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-544", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52638" + } + } + ], + "created": "2024-04-03T15:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: j1939: prevent deadlock by changing j1939_socks_lock to rwlock\n\nThe following 3 locks would race against each other, causing the\ndeadlock situation in the Syzbot bug report:\n\n- j1939_socks_lock\n- active_session_list_lock\n- sk_session_queue_lock\n\nA reasonable fix is to change j1939_socks_lock to an rwlock, since in\nthe rare situations where a write lock is required for the linked list\nthat j1939_socks_lock is protecting, the code does not attempt to\nacquire any more locks. This would break the circular lock dependency,\nwhere, for example, the current thread already locks j1939_socks_lock\nand attempts to acquire sk_session_queue_lock, and at the same time,\nanother thread attempts to acquire j1939_socks_lock while holding\nsk_session_queue_lock.\n\nNOTE: This patch along does not fix the unregister_netdevice bug\nreported by Syzbot; instead, it solves a deadlock situation to prepare\nfor one or more further patches to actually fix the Syzbot bug, which\nappears to be a reference counting problem within the j1939 codebase.\n\n[mkl: remove unrelated newline change]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52638", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52638" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d4d1e4b1513d975961de7bb4f75e450a92d65ebf" + }, + { + "url": "https://git.kernel.org/stable/c/5da6d306f315344af1ca2eff4bd9b10b130f0c28" + }, + { + "url": "https://git.kernel.org/stable/c/09a3c1e46142199adcee372a420b024b4fc61051" + }, + { + "url": "https://git.kernel.org/stable/c/7eb95e0af5c9c2e6fad50356eaf32d216d0e7bc3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26745" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-545", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26745" + } + } + ], + "created": "2024-04-04T09:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV\n\nWhen kdump kernel tries to copy dump data over SR-IOV, LPAR panics due\nto NULL pointer exception:\n\n Kernel attempted to read user page (0) - exploit attempt? (uid: 0)\n BUG: Kernel NULL pointer dereference on read at 0x00000000\n Faulting instruction address: 0xc000000020847ad4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop\n CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12\n Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries\n NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c\n REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)\n MSR: 800000000280b033 CR: 48288244 XER: 00000008\n CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1\n ...\n NIP _find_next_zero_bit+0x24/0x110\n LR bitmap_find_next_zero_area_off+0x5c/0xe0\n Call Trace:\n dev_printk_emit+0x38/0x48 (unreliable)\n iommu_area_alloc+0xc4/0x180\n iommu_range_alloc+0x1e8/0x580\n iommu_alloc+0x60/0x130\n iommu_alloc_coherent+0x158/0x2b0\n dma_iommu_alloc_coherent+0x3c/0x50\n dma_alloc_attrs+0x170/0x1f0\n mlx5_cmd_init+0xc0/0x760 [mlx5_core]\n mlx5_function_setup+0xf0/0x510 [mlx5_core]\n mlx5_init_one+0x84/0x210 [mlx5_core]\n probe_one+0x118/0x2c0 [mlx5_core]\n local_pci_probe+0x68/0x110\n pci_call_probe+0x68/0x200\n pci_device_probe+0xbc/0x1a0\n really_probe+0x104/0x540\n __driver_probe_device+0xb4/0x230\n driver_probe_device+0x54/0x130\n __driver_attach+0x158/0x2b0\n bus_for_each_dev+0xa8/0x130\n driver_attach+0x34/0x50\n bus_add_driver+0x16c/0x300\n driver_register+0xa4/0x1b0\n __pci_register_driver+0x68/0x80\n mlx5_init+0xb8/0x100 [mlx5_core]\n do_one_initcall+0x60/0x300\n do_init_module+0x7c/0x2b0\n\nAt the time of LPAR dump, before kexec hands over control to kdump\nkernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT.\nFor the SR-IOV case, default DMA window \"ibm,dma-window\" is removed from\nthe FDT and DDW added, for the device.\n\nNow, kexec hands over control to the kdump kernel.\n\nWhen the kdump kernel initializes, PCI busses are scanned and IOMMU\ngroup/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV\ncase, there is no \"ibm,dma-window\". The original commit: b1fc44eaa9ba,\nfixes the path where memory is pre-mapped (direct mapped) to the DDW.\nWhen TCEs are direct mapped, there is no need to initialize IOMMU\ntables.\n\niommu_table_setparms_lpar() only considers \"ibm,dma-window\" property\nwhen initiallizing IOMMU table. In the scenario where TCEs are\ndynamically allocated for SR-IOV, newly created IOMMU table is not\ninitialized. Later, when the device driver tries to enter TCEs for the\nSR-IOV device, NULL pointer execption is thrown from iommu_area_alloc().\n\nThe fix is to initialize the IOMMU table with DDW property stored in the\nFDT. There are 2 points to remember:\n\n\t1. For the dedicated adapter, kdump kernel would encounter both\n\t default and DDW in FDT. In this case, DDW property is used to\n\t initialize the IOMMU table.\n\n\t2. A DDW could be direct or dynamic mapped. kdump kernel would\n\t initialize IOMMU table and mark the existing DDW as\n\t \"dynamic\". This works fine since, at the time of table\n\t initialization, iommu_table_clear() makes some space in the\n\t DDW, for some predefined number of TCEs which are needed for\n\t kdump to succeed.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26745", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26745" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5d7a8585fbb31e88fb2a0f581b70667d3300d1e9" + }, + { + "url": "https://git.kernel.org/stable/c/16da1e1dac23be45ef6e23c41b1508c400e6c544" + }, + { + "url": "https://git.kernel.org/stable/c/9ad7974856926129f190ffbe3beea78460b3b7cc" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35937" + }, + { + "url": "https://git.kernel.org/linus/9ad7974856926129f190ffbe3beea78460b3b7cc(6.9-rc1)" + } + ], + "bom-ref": "vuln-546", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35937" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: check A-MSDU format more carefully\n\nIf it looks like there's another subframe in the A-MSDU\nbut the header isn't fully there, we can end up reading\ndata out of bounds, only to discard later. Make this a\nbit more careful and check if the subframe header can\neven be present.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35937", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35937" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/228742b2ddfb99dfd71e5a307e6088ab6836272e" + }, + { + "url": "https://git.kernel.org/stable/c/98a4026b22ff440c7f47056481bcbbe442f607d6" + }, + { + "url": "https://git.kernel.org/stable/c/ea5ddbc11613b55e5128c85f57b08f907abd9b28" + }, + { + "url": "https://git.kernel.org/stable/c/38296afe3c6ee07319e01bb249aa4bb47c07b534" + }, + { + "url": "https://git.kernel.org/stable/c/e38585401d464578d30f5868ff4ca54475c34f7d" + }, + { + "url": "https://git.kernel.org/stable/c/8494ba2c9ea00a54d5b50e69b22c55a8958bce32" + }, + { + "url": "https://git.kernel.org/stable/c/862ee4422c38be5c249844a684b00d0dbe9d1e46" + }, + { + "url": "https://git.kernel.org/stable/c/7e9b622bd0748cc104d66535b76d9b3535f9dc0f" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26696" + }, + { + "url": "https://git.kernel.org/linus/38296afe3c6ee07319e01bb249aa4bb47c07b534(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-547", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26696" + } + } + ], + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix hang in nilfs_lookup_dirty_data_buffers()\n\nSyzbot reported a hang issue in migrate_pages_batch() called by mbind()\nand nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2.\n\nWhile migrate_pages_batch() locks a folio and waits for the writeback to\ncomplete, the log writer thread that should bring the writeback to\ncompletion picks up the folio being written back in\nnilfs_lookup_dirty_data_buffers() that it calls for subsequent log\ncreation and was trying to lock the folio. Thus causing a deadlock.\n\nIn the first place, it is unexpected that folios/pages in the middle of\nwriteback will be updated and become dirty. Nilfs2 adds a checksum to\nverify the validity of the log being written and uses it for recovery at\nmount, so data changes during writeback are suppressed. Since this is\nbroken, an unclean shutdown could potentially cause recovery to fail.\n\nInvestigation revealed that the root cause is that the wait for writeback\ncompletion in nilfs_page_mkwrite() is conditional, and if the backing\ndevice does not require stable writes, data may be modified without\nwaiting.\n\nFix these issues by making nilfs_page_mkwrite() wait for writeback to\nfinish regardless of the stable write requirement of the backing device.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26696", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26696" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c0b22568a9d8384fd000cc49acb8f74bde40d1b5" + }, + { + "url": "https://git.kernel.org/stable/c/c7137900691f5692fe3de54566ea7b30bb35d66c" + }, + { + "url": "https://git.kernel.org/stable/c/e431c3227864b5646601c97f5f898d99472f2914" + }, + { + "url": "https://git.kernel.org/stable/c/e77e0b0f2a11735c64b105edaee54d6344faca8a" + }, + { + "url": "https://git.kernel.org/stable/c/0ece581d2a66e8e488c0d3b3e7b5760dbbfdbdd5" + }, + { + "url": "https://git.kernel.org/stable/c/1ca1ba465e55b9460e4e75dec9fff31e708fec74" + }, + { + "url": "https://git.kernel.org/stable/c/048e16dee1fc609c1c85072ccd70bfd4b5fef6ca" + }, + { + "url": "https://git.kernel.org/stable/c/59d2a4076983303f324557a114cfd5c32e1f6b29" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26857" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/1ca1ba465e55b9460e4e75dec9fff31e708fec74(6.8)" + } + ], + "bom-ref": "vuln-548", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26857" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ngeneve: make sure to pull inner header in geneve_rx()\n\nsyzbot triggered a bug in geneve_rx() [1]\n\nIssue is similar to the one I fixed in commit 8d975c15c0cd\n(\"ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\")\n\nWe have to save skb->network_header in a temporary variable\nin order to be able to recompute the network_header pointer\nafter a pskb_inet_may_pull() call.\n\npskb_inet_may_pull() makes sure the needed headers are in skb->head.\n\n[1]\nBUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n BUG: KMSAN: uninit-value in geneve_rx drivers/net/geneve.c:279 [inline]\n BUG: KMSAN: uninit-value in geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]\n geneve_rx drivers/net/geneve.c:279 [inline]\n geneve_udp_encap_recv+0x36f9/0x3c10 drivers/net/geneve.c:391\n udp_queue_rcv_one_skb+0x1d39/0x1f20 net/ipv4/udp.c:2108\n udp_queue_rcv_skb+0x6ae/0x6e0 net/ipv4/udp.c:2186\n udp_unicast_rcv_skb+0x184/0x4b0 net/ipv4/udp.c:2346\n __udp4_lib_rcv+0x1c6b/0x3010 net/ipv4/udp.c:2422\n udp_rcv+0x7d/0xa0 net/ipv4/udp.c:2604\n ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205\n ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254\n dst_input include/net/dst.h:461 [inline]\n ip_rcv_finish net/ipv4/ip_input.c:449 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569\n __netif_receive_skb_one_core net/core/dev.c:5534 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648\n process_backlog+0x480/0x8b0 net/core/dev.c:5976\n __napi_poll+0xe3/0x980 net/core/dev.c:6576\n napi_poll net/core/dev.c:6645 [inline]\n net_rx_action+0x8b8/0x1870 net/core/dev.c:6778\n __do_softirq+0x1b7/0x7c5 kernel/softirq.c:553\n do_softirq+0x9a/0xf0 kernel/softirq.c:454\n __local_bh_enable_ip+0x9b/0xa0 kernel/softirq.c:381\n local_bh_enable include/linux/bottom_half.h:33 [inline]\n rcu_read_unlock_bh include/linux/rcupdate.h:820 [inline]\n __dev_queue_xmit+0x2768/0x51c0 net/core/dev.c:4378\n dev_queue_xmit include/linux/netdevice.h:3171 [inline]\n packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276\n packet_snd net/packet/af_packet.c:3081 [inline]\n packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:3819 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_node+0x5cb/0xbc0 mm/slub.c:3903\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x352/0x790 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1296 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6394\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2783\n packet_alloc_skb net/packet/af_packet.c:2930 [inline]\n packet_snd net/packet/af_packet.c:3024 [inline]\n packet_sendmsg+0x70c2/0x9f10 net/packet/af_packet.c:3113\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg net/socket.c:745 [inline]\n __sys_sendto+0x735/0xa10 net/socket.c:2191\n __do_sys_sendto net/socket.c:2203 [inline]\n __se_sys_sendto net/socket.c:2199 [inline]\n __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26857" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97830f3c3088638ff90b20dfba2eb4d487bf14d7" + }, + { + "url": "https://git.kernel.org/stable/c/a423042052ec2bdbf1e552e621e6a768922363cc" + }, + { + "url": "https://git.kernel.org/stable/c/93b372c39c40cbf179e56621e6bc48240943af69" + }, + { + "url": "https://git.kernel.org/stable/c/dd64bb8329ce0ea27bc557e4160c2688835402ac" + }, + { + "url": "https://git.kernel.org/stable/c/42beab162dcee1e691ee4934292d51581c29df61" + }, + { + "url": "https://git.kernel.org/stable/c/90e09c016d72b91e76de25f71c7b93d94cc3c769" + }, + { + "url": "https://git.kernel.org/stable/c/a7ae586f6f6024f490b8546c8c84670f96bb9b68" + }, + { + "url": "https://git.kernel.org/stable/c/82722b453dc2f967b172603e389ee7dc1b3137cc" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26606" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/97830f3c3088638ff90b20dfba2eb4d487bf14d7(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-549", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26606" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26606", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T17:49:01Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32020" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-550", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32020" + } + } + ], + "created": "2024-05-14T19:15:12Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-32020", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32020" + }, + "cwes": [ + 281 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-14T19:17:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a1aa5390cc912934fee76ce80af5f940452fa987" + }, + { + "url": "https://git.kernel.org/stable/c/e4a449368a2ce6d57a775d0ead27fc07f5a86e5b" + }, + { + "url": "https://git.kernel.org/stable/c/544561dc56f7e69a053c25e11e6170f48bb97898" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35878" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/a1aa5390cc912934fee76ce80af5f940452fa987(6.9-rc3)" + } + ], + "bom-ref": "vuln-551", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35878" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nof: module: prevent NULL pointer dereference in vsnprintf()\n\nIn of_modalias(), we can get passed the str and len parameters which would\ncause a kernel oops in vsnprintf() since it only allows passing a NULL ptr\nwhen the length is also 0. Also, we need to filter out the negative values\nof the len parameter as these will result in a really huge buffer since\nsnprintf() takes size_t parameter while ours is ssize_t...\n\nFound by Linux Verification Center (linuxtesting.org) with the Svace static\nanalysis tool.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35878", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35878" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/996997d1fb2126feda550d6adcedcbd94911fc69" + }, + { + "url": "https://git.kernel.org/stable/c/934212a623cbab851848b6de377eb476718c3e4c" + }, + { + "url": "https://git.kernel.org/stable/c/5e6013ae2c8d420faea553d363935f65badd32c3" + }, + { + "url": "https://git.kernel.org/stable/c/bb336cd8d5ecb69c430ebe3e7bcff68471d93fa8" + }, + { + "url": "https://git.kernel.org/stable/c/3cfcfc102a5e57b021b786a755a38935e357797d" + }, + { + "url": "https://git.kernel.org/stable/c/dd292e884c649f9b1c18af0ec75ca90b390cd044" + }, + { + "url": "https://git.kernel.org/stable/c/9806c2393cd2ab0a8e7bb9ffae02ce20e3112ec4" + }, + { + "url": "https://git.kernel.org/stable/c/bfa9d86d39a0fe4685f90c3529aa9bd62a9d97a8" + }, + { + "url": "https://git.kernel.org/stable/c/b97c37978ca825557d331c9012e0c1ddc0e42364" + }, + { + "url": "https://git.kernel.org/linus/3cfcfc102a5e57b021b786a755a38935e357797d(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27388" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-552", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27388" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: fix some memleaks in gssx_dec_option_array\n\nThe creds and oa->data need to be freed in the error-handling paths after\ntheir allocation. So this patch add these deallocations in the\ncorresponding paths.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27388", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27388" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-585.html" + }, + { + "url": "https://patchwork.kernel.org/project/linux-raid/patch/20240112071017.16313-1-2045gemini@gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://lore.kernel.org/linux-raid/20240112071017.16313-1-2045gemini@gmail.com/T/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23307" + } + ], + "bom-ref": "vuln-553", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23307" + } + } + ], + "created": "2024-01-25T07:15:09Z", + "description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-23307", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-01-31T20:38:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/539a2b995a4ed93125cb0efae0f793b00ab2158b" + }, + { + "url": "https://git.kernel.org/stable/c/059a49aa2e25c58f90b50151f109dd3c4cdb3a47" + }, + { + "url": "https://git.kernel.org/stable/c/43a71c1b4b3a6d4db857b1435d271540279fc7de" + }, + { + "url": "https://git.kernel.org/stable/c/28e9a64638cd16bc1ecac9ff74ffeacb9fb652de" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35981" + }, + { + "url": "https://git.kernel.org/linus/059a49aa2e25c58f90b50151f109dd3c4cdb3a47(6.9-rc4)" + } + ], + "bom-ref": "vuln-554", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35981" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Do not send RSS key if it is not supported\n\nThere is a bug when setting the RSS options in virtio_net that can break\nthe whole machine, getting the kernel into an infinite loop.\n\nRunning the following command in any QEMU virtual machine with virtionet\nwill reproduce this problem:\n\n # ethtool -X eth0 hfunc toeplitz\n\nThis is how the problem happens:\n\n1) ethtool_set_rxfh() calls virtnet_set_rxfh()\n\n2) virtnet_set_rxfh() calls virtnet_commit_rss_command()\n\n3) virtnet_commit_rss_command() populates 4 entries for the rss\nscatter-gather\n\n4) Since the command above does not have a key, then the last\nscatter-gatter entry will be zeroed, since rss_key_size == 0.\nsg_buf_size = vi->rss_key_size;\n\n5) This buffer is passed to qemu, but qemu is not happy with a buffer\nwith zero length, and do the following in virtqueue_map_desc() (QEMU\nfunction):\n\n if (!sz) {\n virtio_error(vdev, \"virtio: zero sized buffers are not allowed\");\n\n6) virtio_error() (also QEMU function) set the device as broken\n\n vdev->broken = true;\n\n7) Qemu bails out, and do not repond this crazy kernel.\n\n8) The kernel is waiting for the response to come back (function\nvirtnet_send_command())\n\n9) The kernel is waiting doing the following :\n\n while (!virtqueue_get_buf(vi->cvq, &tmp) &&\n\t !virtqueue_is_broken(vi->cvq))\n\t cpu_relax();\n\n10) None of the following functions above is true, thus, the kernel\nloops here forever. Keeping in mind that virtqueue_is_broken() does\nnot look at the qemu `vdev->broken`, so, it never realizes that the\nvitio is broken at QEMU side.\n\nFix it by not sending RSS commands if the feature is not available in\nthe device.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35981", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35981" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2ef98c6d753a744e333b7e34b9cf687040fba57d" + }, + { + "url": "https://git.kernel.org/stable/c/e5ffd1263dd5b44929c676171802e7b6af483f21" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52624" + }, + { + "url": "https://git.kernel.org/linus/e5ffd1263dd5b44929c676171802e7b6af483f21(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-555", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52624" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Wake DMCUB before executing GPINT commands\n\n[Why]\nDMCUB can be in idle when we attempt to interface with the HW through\nthe GPINT mailbox resulting in a system hang.\n\n[How]\nAdd dc_wake_and_execute_gpint() to wrap the wake, execute, sleep\nsequence.\n\nIf the GPINT executes successfully then DMCUB will be put back into\nsleep after the optional response is returned.\n\nIt functions similar to the inbox command interface.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52624", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52624" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/43a202bd552976497474ae144942e32cc5f34d7e" + }, + { + "url": "https://git.kernel.org/stable/c/d9e3763a505e50ba3bd22846f2a8db99429fb857" + }, + { + "url": "https://git.kernel.org/stable/c/64ba01a365980755732972523600a961c4266b75" + }, + { + "url": "https://git.kernel.org/stable/c/e08c2a8d27e989f0f5b0888792643027d7e691e6" + }, + { + "url": "https://git.kernel.org/stable/c/0dccbb93538fe89a86c6de31d4b1c8c560848eaa" + }, + { + "url": "https://git.kernel.org/stable/c/50c70240097ce41fe6bce6478b80478281e4d0f7" + }, + { + "url": "https://git.kernel.org/stable/c/3c652f6fa1e1f9f02c3fbf359d260ad153ec5f90" + }, + { + "url": "https://git.kernel.org/stable/c/1a4371db68a31076afbe56ecce34fbbe6c80c529" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26763" + }, + { + "url": "https://git.kernel.org/linus/50c70240097ce41fe6bce6478b80478281e4d0f7(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-556", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26763" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-crypt: don't modify the data when using authenticated encryption\n\nIt was said that authenticated encryption could produce invalid tag when\nthe data that is being encrypted is modified [1]. So, fix this problem by\ncopying the data into the clone bio first and then encrypt them inside the\nclone bio.\n\nThis may reduce performance, but it is needed to prevent the user from\ncorrupting the device by writing data with O_DIRECT and modifying them at\nthe same time.\n\n[1] https://lore.kernel.org/all/20240207004723.GA35324@sol.localdomain/T/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26763", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26763" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2e16a1389b5a7983b45cb2aa20b0e3f0ee364d6c" + }, + { + "url": "https://git.kernel.org/stable/c/3f8217c323fd6ecd6829a0c3ae7ac3f14eac368e" + }, + { + "url": "https://git.kernel.org/stable/c/74ecdda68242b174920fe7c6133a856fb7d8559b" + }, + { + "url": "https://git.kernel.org/stable/c/2037cb9d95f1741885f7daf50e8a028c4ade5317" + }, + { + "url": "https://git.kernel.org/stable/c/8393c80cce45f40c1256d72e21ad351b3650c57e" + }, + { + "url": "https://git.kernel.org/stable/c/fc67a2e18f4c4e3f07e9f9ae463da24530470e73" + }, + { + "url": "https://git.kernel.org/stable/c/70780914cb57e2ba711e0ac1b677aaaa75103603" + }, + { + "url": "https://git.kernel.org/stable/c/3d3898b4d72c677d47fe3cb554449f2df5c12555" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52601" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6774-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/74ecdda68242b174920fe7c6133a856fb7d8559b(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6778-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-557", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52601" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in dbAdjTree\n\nCurrently there is a bound check missing in the dbAdjTree while\naccessing the dmt_stree. To add the required check added the bool is_ctl\nwhich is required to determine the size as suggest in the following\ncommit.\nhttps://lore.kernel.org/linux-kernel-mentees/f9475918-2186-49b8-b801-6f0f9e75f4fa@oracle.com/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52601" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/97eaa2955db4120ce6ec2ef123e860bc32232c50" + }, + { + "url": "https://git.kernel.org/stable/c/a3f2c083cb575d80a7627baf3339e78fedccbb91" + }, + { + "url": "https://git.kernel.org/stable/c/f119f2325ba70cbfdec701000dcad4d88805d5b0" + }, + { + "url": "https://git.kernel.org/stable/c/a7d6027790acea24446ddd6632d394096c0f4667" + }, + { + "url": "https://git.kernel.org/stable/c/dbc9b22d0ed319b4e29034ce0a3fe32a3ee2c587" + }, + { + "url": "https://git.kernel.org/stable/c/3ab0d6f8289ba8402ca95a9fc61a34909d5e1f3a" + }, + { + "url": "https://git.kernel.org/linus/a7d6027790acea24446ddd6632d394096c0f4667(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26733" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-558", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26733" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller reported an overflown write in arp_req_get(). [0]\n\nWhen ioctl(SIOCGARP) is issued, arp_req_get() looks up an neighbour\nentry and copies neigh->ha to struct arpreq.arp_ha.sa_data.\n\nThe arp_ha here is struct sockaddr, not struct sockaddr_storage, so\nthe sa_data buffer is just 14 bytes.\n\nIn the splat below, 2 bytes are overflown to the next int field,\narp_flags. We initialise the field just after the memcpy(), so it's\nnot a problem.\n\nHowever, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN),\narp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL)\nin arp_ioctl() before calling arp_req_get().\n\nTo avoid the overflow, let's limit the max length of memcpy().\n\nNote that commit b5f0de6df6dc (\"net: dev: Convert sa_data to flexible\narray in struct sockaddr\") just silenced syzkaller.\n\n[0]:\nmemcpy: detected field-spanning write (size 16) of single field \"r->arp_ha.sa_data\" at net/ipv4/arp.c:1128 (size 14)\nWARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nModules linked in:\nCPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014\nRIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128\nCode: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6\nRSP: 0018:ffffc900050b7998 EFLAGS: 00010286\nRAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001\nRBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000\nR13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010\nFS: 00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \n arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261\n inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981\n sock_do_ioctl+0xdf/0x260 net/socket.c:1204\n sock_ioctl+0x3ef/0x650 net/socket.c:1321\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x64/0xce\nRIP: 0033:0x7f172b262b8d\nCode: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d\nRDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003\nRBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26733", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26733" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6ef5d5b92f7117b324efaac72b3db27ae8bb3082" + }, + { + "url": "https://git.kernel.org/stable/c/050ad2ca0ac169dd9e552075d2c6af1bbb46534c" + }, + { + "url": "https://git.kernel.org/stable/c/3dd2d99e2352903d0e0b8769e6c9b8293c7454b2" + }, + { + "url": "https://git.kernel.org/stable/c/422d5243b9f780abd3d39da2b746e3915677b07d" + }, + { + "url": "https://git.kernel.org/stable/c/ed5b8b735369b40d6c1f8ef3e62d369f74b4c491" + }, + { + "url": "https://git.kernel.org/stable/c/4a98bc739d0753a5810ce5630943cd7614c7717e" + }, + { + "url": "https://git.kernel.org/stable/c/1f0d7792e9023e8658e901b7b76a555f6aa052ec" + }, + { + "url": "https://git.kernel.org/stable/c/d14b8e2005f36319df9412d42037416d64827f6b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26722" + }, + { + "url": "https://git.kernel.org/linus/6ef5d5b92f7117b324efaac72b3db27ae8bb3082(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-559", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26722" + } + } + ], + "created": "2024-04-03T15:15:54Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: rt5645: Fix deadlock in rt5645_jack_detect_work()\n\nThere is a path in rt5645_jack_detect_work(), where rt5645->jd_mutex\nis left locked forever. That may lead to deadlock\nwhen rt5645_jack_detect_work() is called for the second time.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26722", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26722" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d6d6fe4bb105595118f12abeed4a7bdd450853f3" + }, + { + "url": "https://git.kernel.org/stable/c/169410eba271afc9f0fb476d996795aa26770c6d" + }, + { + "url": "https://git.kernel.org/stable/c/483cb92334cd7f1d5387dccc0ab5d595d27a669d" + }, + { + "url": "https://git.kernel.org/stable/c/c7f1b6146f4a46d727c0d046284c28b6882c6304" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/169410eba271afc9f0fb476d996795aa26770c6d(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52621" + } + ], + "bom-ref": "vuln-560", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52621" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before calling bpf map helpers\n\nThese three bpf_map_{lookup,update,delete}_elem() helpers are also\navailable for sleepable bpf program, so add the corresponding lock\nassertion for sleepable bpf program, otherwise the following warning\nwill be reported when a sleepable bpf program manipulates bpf map under\ninterpreter mode (aka bpf_jit_enable=0):\n\n WARNING: CPU: 3 PID: 4985 at kernel/bpf/helpers.c:40 ......\n CPU: 3 PID: 4985 Comm: test_progs Not tainted 6.6.0+ #2\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:bpf_map_lookup_elem+0x54/0x60\n ......\n Call Trace:\n \n ? __warn+0xa5/0x240\n ? bpf_map_lookup_elem+0x54/0x60\n ? report_bug+0x1ba/0x1f0\n ? handle_bug+0x40/0x80\n ? exc_invalid_op+0x18/0x50\n ? asm_exc_invalid_op+0x1b/0x20\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ? rcu_lockdep_current_cpu_online+0x65/0xb0\n ? rcu_is_watching+0x23/0x50\n ? bpf_map_lookup_elem+0x54/0x60\n ? __pfx_bpf_map_lookup_elem+0x10/0x10\n ___bpf_prog_run+0x513/0x3b70\n __bpf_prog_run32+0x9d/0xd0\n ? __bpf_prog_enter_sleepable_recur+0xad/0x120\n ? __bpf_prog_enter_sleepable_recur+0x3e/0x120\n bpf_trampoline_6442580665+0x4d/0x1000\n __x64_sys_getpgid+0x5/0x30\n ? do_syscall_64+0x36/0xb0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52621", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52621" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c04c162f82ac403917780eb6d1654694455d4e7c" + }, + { + "url": "https://git.kernel.org/stable/c/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed" + }, + { + "url": "https://git.kernel.org/stable/c/17e1361cb91dc1325834da95d2ab532959d2debc" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52591" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/49db9b1b86a82448dfaf3fcfefcf678dee56c8ed(6.8-rc1)" + } + ], + "bom-ref": "vuln-561", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52591" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nreiserfs: Avoid touching renamed directory if parent does not change\n\nThe VFS will not be locking moved directory if its parent does not\nchange. Change reiserfs rename code to avoid touching renamed directory\nif its parent does not change as without locking that can corrupt the\nfilesystem.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52591", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52591" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/89a32741f4217856066c198a4a7267bcdd1edd67" + }, + { + "url": "https://git.kernel.org/stable/c/9ab5e44b9bac946bd49fd63264a08cd1ea494e76" + }, + { + "url": "https://git.kernel.org/stable/c/e4cb8382fff6706436b66eafd9c0ee857ff0a9f5" + }, + { + "url": "https://git.kernel.org/stable/c/4beab84fbb50df3be1d8f8a976e6fe882ca65cb2" + }, + { + "url": "https://git.kernel.org/stable/c/75193678cce993aa959e7764b6df2f599886dd06" + }, + { + "url": "https://git.kernel.org/stable/c/66fab1e120b39f8f47a94186ddee36006fc02ca8" + }, + { + "url": "https://git.kernel.org/stable/c/8478394f76c748862ef179a16f651f752bdafaf0" + }, + { + "url": "https://git.kernel.org/stable/c/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810" + }, + { + "url": "https://git.kernel.org/linus/45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810(6.9-rc4)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35978" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-562", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35978" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix memory leak in hci_req_sync_complete()\n\nIn 'hci_req_sync_complete()', always free the previous sync\nrequest state before assigning reference to a new one.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35978", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35978" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/eabf131cba1db12005a68378305f13b9090a7a6b" + }, + { + "url": "https://git.kernel.org/stable/c/156c226cbbdcf5f3bce7b2408a33b59fab7fae2c" + }, + { + "url": "https://git.kernel.org/stable/c/2295bd846765c766701e666ed2e4b35396be25e6" + }, + { + "url": "https://git.kernel.org/stable/c/0336995512cdab0c65e99e4cdd47c4606debe14e" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2295bd846765c766701e666ed2e4b35396be25e6(6.9-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35916" + } + ], + "bom-ref": "vuln-563", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35916" + } + } + ], + "created": "2024-05-19T09:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: Fix NULL pointer dereference in sanitycheck()\n\nIf due to a memory allocation failure mock_chain() returns NULL, it is\npassed to dma_fence_enable_sw_signaling() resulting in NULL pointer\ndereference there.\n\nCall dma_fence_enable_sw_signaling() only if mock_chain() succeeds.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35916", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35916" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/db6338f45971b4285ea368432a84033690eaf53c" + }, + { + "url": "https://git.kernel.org/stable/c/d37c1c81419fdef66ebd0747cf76fb8b7d979059" + }, + { + "url": "https://git.kernel.org/stable/c/f5944853f7a961fedc1227dc8f60393f8936d37c" + }, + { + "url": "https://git.kernel.org/stable/c/4373534a9850627a2695317944898eb1283a2db0" + }, + { + "url": "https://git.kernel.org/stable/c/65ead8468c21c2676d4d06f50b46beffdea69df1" + }, + { + "url": "https://git.kernel.org/stable/c/07e3ca0f17f579491b5f54e9ed05173d6c1d6fcb" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26627" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/4373534a9850627a2695317944898eb1283a2db0(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-564", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26627" + } + } + ], + "created": "2024-03-06T07:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: core: Move scsi_host_busy() out of host lock for waking up EH handler\n\nInside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host\nlock every time for deciding if error handler kthread needs to be waken up.\n\nThis can be too heavy in case of recovery, such as:\n\n - N hardware queues\n\n - queue depth is M for each hardware queue\n\n - each scsi_host_busy() iterates over (N * M) tag/requests\n\nIf recovery is triggered in case that all requests are in-flight, each\nscsi_eh_wakeup() is strictly serialized, when scsi_eh_wakeup() is called\nfor the last in-flight request, scsi_host_busy() has been run for (N * M -\n1) times, and request has been iterated for (N*M - 1) * (N * M) times.\n\nIf both N and M are big enough, hard lockup can be triggered on acquiring\nhost lock, and it is observed on mpi3mr(128 hw queues, queue depth 8169).\n\nFix the issue by calling scsi_host_busy() outside the host lock. We don't\nneed the host lock for getting busy count because host the lock never\ncovers that.\n\n[mkp: Drop unnecessary 'busy' variables pointed out by Bart]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26627", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26627" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9b099ed46dcaf1403c531ff02c3d7400fa37fa26" + }, + { + "url": "https://git.kernel.org/stable/c/4588b13abcbd561ec67f5b3c1cb2eff690990a54" + }, + { + "url": "https://git.kernel.org/stable/c/d61608a4e394f23e0dca099df9eb8e555453d949" + }, + { + "url": "https://git.kernel.org/stable/c/4cd12c6065dfcdeba10f49949bffcf383b3952d8" + }, + { + "url": "https://git.kernel.org/linus/4cd12c6065dfcdeba10f49949bffcf383b3952d8(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26731" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-565", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26731" + } + } + ], + "created": "2024-04-03T17:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix NULL pointer dereference in sk_psock_verdict_data_ready()\n\nsyzbot reported the following NULL pointer dereference issue [1]:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n [...]\n RIP: 0010:0x0\n [...]\n Call Trace:\n \n sk_psock_verdict_data_ready+0x232/0x340 net/core/skmsg.c:1230\n unix_stream_sendmsg+0x9b4/0x1230 net/unix/af_unix.c:2293\n sock_sendmsg_nosec net/socket.c:730 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:745\n ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584\n ___sys_sendmsg net/socket.c:2638 [inline]\n __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667\n do_syscall_64+0xf9/0x240\n entry_SYSCALL_64_after_hwframe+0x6f/0x77\n\nIf sk_psock_verdict_data_ready() and sk_psock_stop_verdict() are called\nconcurrently, psock->saved_data_ready can be NULL, causing the above issue.\n\nThis patch fixes this issue by calling the appropriate data ready function\nusing the sk_psock_data_ready() helper and protecting it from concurrency\nwith sk->sk_callback_lock.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26731", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26731" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" + }, + { + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" + }, + { + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-566", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ + { + "ref": "comp-201" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-201", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/dfe13eaab043130f90dd3d57c7d88577c04adc97" + }, + { + "url": "https://git.kernel.org/stable/c/b302dce3d9edea5b93d1902a541684a967f3c63c" + }, + { + "url": "https://git.kernel.org/stable/c/4dd0547e8b45faf6f95373be5436b66cde326c0e" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-567", + "ratings": [ + { + "severity": "unknown", + "method": "other", + "source": { + "name": "AMAZON_INSPECTOR", + "url": "https://aws.amazon.com/inspector/" + } + } + ], + "created": "2024-05-21T16:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()\n\nreg_cap.phy_id is extracted from WMI event and could be an unexpected value\nin case some errors happen. As a result out-of-bound write may occur to\nsoc->hal_reg_cap. Fix it by validating reg_cap.phy_id before using it.\n\nThis is found during code review.\n\nCompile tested only.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52829", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52829" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-21T16:53:56Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e79b47a8615d42c68aaeb68971593333667382ed" + }, + { + "url": "https://git.kernel.org/stable/c/86658fc7414d4b9e25c2699d751034537503d637" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27012" + }, + { + "url": "https://git.kernel.org/linus/e79b47a8615d42c68aaeb68971593333667382ed(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-568", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27012" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: restore set elements when delete set fails\n\nFrom abort path, nft_mapelem_activate() needs to restore refcounters to\nthe original state. Currently, it uses the set->ops->walk() to iterate\nover these set elements. The existing set iterator skips inactive\nelements in the next generation, this does not work from the abort path\nto restore the original state since it has to skip active elements\ninstead (not inactive ones).\n\nThis patch moves the check for inactive elements to the set iterator\ncallback, then it reverses the logic for the .activate case which\nneeds to skip active elements.\n\nToggle next generation bit for elements when delete set command is\ninvoked and call nft_clear() from .activate (abort) path to restore the\nnext generation bit.\n\nThe splat below shows an object in mappings memleak:\n\n[43929.457523] ------------[ cut here ]------------\n[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[...]\n[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90\n[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246\n[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000\n[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550\n[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f\n[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0\n[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002\n[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000\n[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0\n[43929.458114] Call Trace:\n[43929.458118] \n[43929.458121] ? __warn+0x9f/0x1a0\n[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458188] ? report_bug+0x1b1/0x1e0\n[43929.458196] ? handle_bug+0x3c/0x70\n[43929.458200] ? exc_invalid_op+0x17/0x40\n[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]\n[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]\n[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]\n[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]\n[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]\n[43929.458512] ? rb_insert_color+0x2e/0x280\n[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]\n[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]\n[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]\n[43929.458701] ? __rcu_read_unlock+0x46/0x70\n[43929.458709] nft_delset+0xff/0x110 [nf_tables]\n[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]\n[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27012", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27012" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/57ca0e16f393bb21d69734e536e383a3a4c665fd" + }, + { + "url": "https://git.kernel.org/stable/c/a31cf46d108dabce3df80b3e5c07661e24912151" + }, + { + "url": "https://git.kernel.org/stable/c/2cb66b62a5d64ccf09b0591ab86fb085fa491fc5" + }, + { + "url": "https://git.kernel.org/stable/c/35b604a37ec70d68b19dafd10bbacf1db505c9ca" + }, + { + "url": "https://git.kernel.org/stable/c/76c51146820c5dac629f21deafab0a7039bc3ccd" + }, + { + "url": "https://git.kernel.org/stable/c/059285e04ebb273d32323fbad5431c5b94f77e48" + }, + { + "url": "https://git.kernel.org/stable/c/c7f43900bc723203d7554d299a2ce844054fab8e" + }, + { + "url": "https://git.kernel.org/stable/c/2b7ec68869d50ea998908af43b643bca7e54577e" + }, + { + "url": "https://git.kernel.org/linus/76c51146820c5dac629f21deafab0a7039bc3ccd(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27405" + } + ], + "bom-ref": "vuln-569", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27405" + } + } + ], + "created": "2024-05-17T12:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs\n\nIt is observed sometimes when tethering is used over NCM with Windows 11\nas host, at some instances, the gadget_giveback has one byte appended at\nthe end of a proper NTB. When the NTB is parsed, unwrap call looks for\nany leftover bytes in SKB provided by u_ether and if there are any pending\nbytes, it treats them as a separate NTB and parses it. But in case the\nsecond NTB (as per unwrap call) is faulty/corrupt, all the datagrams that\nwere parsed properly in the first NTB and saved in rx_list are dropped.\n\nAdding a few custom traces showed the following:\n[002] d..1 7828.532866: dwc3_gadget_giveback: ep1out:\nreq 000000003868811a length 1025/16384 zsI ==> 0\n[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb toprocess: 1025\n[002] d..1 7828.532867: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb seq: 0xce67\n[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x400\n[002] d..1 7828.532868: ncm_unwrap_ntb: K: ncm_unwrap_ntb ndp_len: 0x10\n[002] d..1 7828.532869: ncm_unwrap_ntb: K: Parsed NTB with 1 frames\n\nIn this case, the giveback is of 1025 bytes and block length is 1024.\nThe rest 1 byte (which is 0x00) won't be parsed resulting in drop of\nall datagrams in rx_list.\n\nSame is case with packets of size 2048:\n[002] d..1 7828.557948: dwc3_gadget_giveback: ep1out:\nreq 0000000011dfd96e length 2049/16384 zsI ==> 0\n[002] d..1 7828.557949: ncm_unwrap_ntb: K: ncm_unwrap_ntb nth: 1751999342\n[002] d..1 7828.557950: ncm_unwrap_ntb: K: ncm_unwrap_ntb blk_len: 0x800\n\nLecroy shows one byte coming in extra confirming that the byte is coming\nin from PC:\n\n Transfer 2959 - Bytes Transferred(1025) Timestamp((18.524 843 590)\n - Transaction 8391 - Data(1025 bytes) Timestamp(18.524 843 590)\n --- Packet 4063861\n Data(1024 bytes)\n Duration(2.117us) Idle(14.700ns) Timestamp(18.524 843 590)\n --- Packet 4063863\n Data(1 byte)\n Duration(66.160ns) Time(282.000ns) Timestamp(18.524 845 722)\n\nAccording to Windows driver, no ZLP is needed if wBlockLength is non-zero,\nbecause the non-zero wBlockLength has already told the function side the\nsize of transfer to be expected. However, there are in-market NCM devices\nthat rely on ZLP as long as the wBlockLength is multiple of wMaxPacketSize.\nTo deal with such devices, it pads an extra 0 at end so the transfer is no\nlonger multiple of wMaxPacketSize.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27405", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27405" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5d5c14efc987900509cec465af26608e39ac607c" + }, + { + "url": "https://git.kernel.org/stable/c/eadec8da4451c2c0897199691184602e4ee497d1" + }, + { + "url": "https://git.kernel.org/stable/c/7d1e00fc2af3b7c30835d643a3655b7e9ff7cb20" + }, + { + "url": "https://git.kernel.org/stable/c/fed835d415766a94fc0246dcebc3af4c03fe9941" + }, + { + "url": "https://git.kernel.org/stable/c/60a7a152abd494ed4f69098cf0f322e6bb140612" + }, + { + "url": "https://git.kernel.org/stable/c/b8006cb0a34aaf85cdd8741f4148fd9c76b351d3" + }, + { + "url": "https://git.kernel.org/stable/c/500936692ccca8617a955652d1929f079b17a201" + }, + { + "url": "https://git.kernel.org/stable/c/291d36d772f5ea5c68a263ee440f2c9eade371c9" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27427" + }, + { + "url": "https://git.kernel.org/linus/60a7a152abd494ed4f69098cf0f322e6bb140612(6.8)" + } + ], + "bom-ref": "vuln-570", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27427" + } + } + ], + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_timeout\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27427", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27427" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d" + }, + { + "url": "https://git.kernel.org/stable/c/574dcd3126aa2eed75437137843f254b1190dd03" + }, + { + "url": "https://git.kernel.org/stable/c/3739121443f5114c6bcf6d841a5124deb006b878" + }, + { + "url": "https://git.kernel.org/stable/c/9ab224744a47363f74ea29c6894c405e3bcf5132" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/fe0a7776d4d19e613bb8dd80fe2d78ae49e8b49d(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52593" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-571", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52593" + } + } + ], + "created": "2024-03-06T07:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()\n\nSince 'ieee80211_beacon_get()' can return NULL, 'wfx_set_mfp_ap()'\nshould check the return value before examining skb data. So convert\nthe latter to return an appropriate error code and propagate it to\nreturn from 'wfx_start_ap()' as well. Compile tested only.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52593", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52593" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0" + }, + { + "url": "https://git.kernel.org/stable/c/230e89b5ad0a33f530a2a976b3e5e4385cb27882" + }, + { + "url": "https://git.kernel.org/stable/c/0c09912dd8387e228afcc5e34ac5d79b1e3a1058" + }, + { + "url": "https://git.kernel.org/stable/c/0516c06b19dc64807c10e01bb99b552bdf2d7dbe" + }, + { + "url": "https://git.kernel.org/stable/c/2738e0aa2fb24a7ab9c878d912dc2b239738c6c6" + }, + { + "url": "https://git.kernel.org/stable/c/70ef2ba1f4286b2b73675aeb424b590c92d57b25" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0(6.8-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26712" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-572", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26712" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/kasan: Fix addr error caused by page alignment\n\nIn kasan_init_region, when k_start is not page aligned, at the begin of\nfor loop, k_cur = k_start & PAGE_MASK is less than k_start, and then\n`va = block + k_cur - k_start` is less than block, the addr va is invalid,\nbecause the memory address space from va to block is not alloced by\nmemblock_alloc, which will not be reserved by memblock_reserve later, it\nwill be used by other places.\n\nAs a result, memory overwriting occurs.\n\nfor example:\nint __init __weak kasan_init_region(void *start, size_t size)\n{\n[...]\n\t/* if say block(dcd97000) k_start(feef7400) k_end(feeff3fe) */\n\tblock = memblock_alloc(k_end - k_start, PAGE_SIZE);\n\t[...]\n\tfor (k_cur = k_start & PAGE_MASK; k_cur < k_end; k_cur += PAGE_SIZE) {\n\t\t/* at the begin of for loop\n\t\t * block(dcd97000) va(dcd96c00) k_cur(feef7000) k_start(feef7400)\n\t\t * va(dcd96c00) is less than block(dcd97000), va is invalid\n\t\t */\n\t\tvoid *va = block + k_cur - k_start;\n\t\t[...]\n\t}\n[...]\n}\n\nTherefore, page alignment is performed on k_start before\nmemblock_alloc() to ensure the validity of the VA address.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26712", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26712" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1210781" + }, + { + "url": "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A@mail.gmail.com/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-31082" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-573", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31082" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" + } + } + ], + "created": "2023-04-24T06:15:07Z", + "description": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel. Note: This has been disputed by 3rd parties as not a valid vulnerability.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-31082", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" + }, + "cwes": [ + 763 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-17T02:23:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T14:55:07Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13cd1daeea848614e585b2c6ecc11ca9c8ab2500" + }, + { + "url": "https://git.kernel.org/stable/c/83340c66b498e49353530e41542500fc8a4782d6" + }, + { + "url": "https://git.kernel.org/stable/c/0da15a70395182ee8cb75716baf00dddc0bea38d" + }, + { + "url": "https://git.kernel.org/stable/c/4c3ce64bc9d36ca9164dd6c77ff144c121011aae" + }, + { + "url": "https://git.kernel.org/stable/c/804bd8650a3a2bf3432375f8c97d5049d845ce56" + }, + { + "url": "https://git.kernel.org/stable/c/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79" + }, + { + "url": "https://git.kernel.org/stable/c/dcb4d14268595065c85dc5528056713928e17243" + }, + { + "url": "https://git.kernel.org/stable/c/c1d3a84a67db910ce28a871273c992c3d7f9efb5" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26752" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79(6.8-rc6)" + } + ], + "bom-ref": "vuln-574", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26752" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nl2tp: pass correct message length to ip6_append_data\n\nl2tp_ip6_sendmsg needs to avoid accounting for the transport header\ntwice when splicing more data into an already partially-occupied skbuff.\n\nTo manage this, we check whether the skbuff contains data using\nskb_queue_empty when deciding how much data to append using\nip6_append_data.\n\nHowever, the code which performed the calculation was incorrect:\n\n ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;\n\n...due to C operator precedence, this ends up setting ulen to\ntranshdrlen for messages with a non-zero length, which results in\ncorrupted packets on the wire.\n\nAdd parentheses to correct the calculation in line with the original\nintent.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26752", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26752" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3f0784b2f1eb9147973d8c43ba085c5fdf44ff69" + }, + { + "url": "https://git.kernel.org/stable/c/9970e059af471478455f9534e8c3db82f8c5496d" + }, + { + "url": "https://git.kernel.org/stable/c/37dc1718dc0c4392dbfcb9adec22a776e745dd69" + }, + { + "url": "https://git.kernel.org/stable/c/ecc6a2101840177e57c925c102d2d29f260d37c8" + }, + { + "url": "https://git.kernel.org/stable/c/98cdac206b112bec63852e94802791e316acc2c1" + }, + { + "url": "https://git.kernel.org/stable/c/203a68151e8eeb331d4a64ab78303f3a15faf103" + }, + { + "url": "https://git.kernel.org/linus/ecc6a2101840177e57c925c102d2d29f260d37c8(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35905" + } + ], + "bom-ref": "vuln-575", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35905" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Protect against int overflow for stack access size\n\nThis patch re-introduces protection against the size of access to stack\nmemory being negative; the access size can appear negative as a result\nof overflowing its signed int representation. This should not actually\nhappen, as there are other protections along the way, but we should\nprotect against it anyway. One code path was missing such protections\n(fixed in the previous patch in the series), causing out-of-bounds array\naccesses in check_stack_range_initialized(). This patch causes the\nverification of a program with such a non-sensical access size to fail.\n\nThis check used to exist in a more indirect way, but was inadvertendly\nremoved in a833a17aeac7.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35905", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35905" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3f3c237a706580326d3b7a1b97697e5031ca4667" + }, + { + "url": "https://git.kernel.org/stable/c/39f24c08363af1cd945abad84e3c87fd3e3c845a" + }, + { + "url": "https://git.kernel.org/stable/c/66951d98d9bf45ba25acf37fe0747253fafdf298" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26661" + }, + { + "url": "https://git.kernel.org/linus/66951d98d9bf45ba25acf37fe0747253fafdf298(6.8-rc4)" + } + ], + "bom-ref": "vuln-576", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26661" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'\n\nIn \"u32 otg_inst = pipe_ctx->stream_res.tg->inst;\"\npipe_ctx->stream_res.tg could be NULL, it is relying on the caller to\nensure the tg is not NULL.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26661", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26661" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4ebc079f0c7dcda1270843ab0f38ab4edb8f7921" + }, + { + "url": "https://git.kernel.org/stable/c/de959094eb2197636f7c803af0943cb9d3b35804" + }, + { + "url": "https://git.kernel.org/stable/c/1cfe9489fb563e9a0c9cdc5ca68257a44428c2ec" + }, + { + "url": "https://git.kernel.org/stable/c/f49b20fd0134da84a6bd8108f9e73c077b7d6231" + }, + { + "url": "https://git.kernel.org/linus/de959094eb2197636f7c803af0943cb9d3b35804(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26760" + } + ], + "bom-ref": "vuln-577", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26760" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: pscsi: Fix bio_put() for error case\n\nAs of commit 066ff571011d (\"block: turn bio_kmalloc into a simple kmalloc\nwrapper\"), a bio allocated by bio_kmalloc() must be freed by bio_uninit()\nand kfree(). That is not done properly for the error case, hitting WARN and\nNULL pointer dereference in bio_free().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26760", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26760" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/df25461119d987b8c81d232cfe4411e91dcabe66" + }, + { + "url": "https://git.kernel.org/stable/c/0233b836312e39a3c763fb53512b3fa455b473b3" + }, + { + "url": "https://git.kernel.org/stable/c/1d83c85922647758c1f1e4806a4c5c3cf591a20a" + }, + { + "url": "https://git.kernel.org/stable/c/d8c293549946ee5078ed0ab77793cec365559355" + }, + { + "url": "https://git.kernel.org/stable/c/e129c7fa7070fbce57feb0bfc5eaa65eef44b693" + }, + { + "url": "https://git.kernel.org/stable/c/4a5d0528cf19dbf060313dffbe047bc11c90c24c" + }, + { + "url": "https://git.kernel.org/stable/c/ff1c7e2fb9e9c3f53715fbe04d3ac47b80be7eb8" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52617" + }, + { + "url": "https://git.kernel.org/linus/df25461119d987b8c81d232cfe4411e91dcabe66(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-578", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52617" + } + } + ], + "created": "2024-03-18T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: switchtec: Fix stdev_release() crash after surprise hot remove\n\nA PCI device hot removal may occur while stdev->cdev is held open. The call\nto stdev_release() then happens during close or exit, at a point way past\nswitchtec_pci_remove(). Otherwise the last ref would vanish with the\ntrailing put_device(), just before return.\n\nAt that later point in time, the devm cleanup has already removed the\nstdev->mmio_mrpc mapping. Also, the stdev->pdev reference was not a counted\none. Therefore, in DMA mode, the iowrite32() in stdev_release() will cause\na fatal page fault, and the subsequent dma_free_coherent(), if reached,\nwould pass a stale &stdev->pdev->dev pointer.\n\nFix by moving MRPC DMA shutdown into switchtec_pci_remove(), after\nstdev_kill(). Counting the stdev->pdev ref is now optional, but may prevent\nfuture accidents.\n\nReproducible via the script at\nhttps://lore.kernel.org/r/20231113212150.96410-1-dns@arista.com", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52617", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52617" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c01ed748847fe8b810d86efc229b9e6c7fafa01e" + }, + { + "url": "https://git.kernel.org/stable/c/94eb0293703ced580f05dfbe5a57da5931e9aee2" + }, + { + "url": "https://git.kernel.org/stable/c/396dbbc18963648e9d1a4edbb55cfe08fa374d50" + }, + { + "url": "https://git.kernel.org/stable/c/5c43d0041e3a05c6c41c318b759fff16d2384596" + }, + { + "url": "https://git.kernel.org/stable/c/10ca82aff58434e122c7c757cf0497c335f993f3" + }, + { + "url": "https://git.kernel.org/stable/c/18d5fc3c16cc317bd0e5f5dabe0660df415cadb7" + }, + { + "url": "https://git.kernel.org/stable/c/a71cba07783abc76b547568b6452cd1dd9981410" + }, + { + "url": "https://git.kernel.org/stable/c/961ebd120565cb60cebe21cb634fbc456022db4a" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/961ebd120565cb60cebe21cb634fbc456022db4a(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35815" + } + ], + "bom-ref": "vuln-579", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35815" + } + } + ], + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion\n\nThe first kiocb_set_cancel_fn() argument may point at a struct kiocb\nthat is not embedded inside struct aio_kiocb. With the current code,\ndepending on the compiler, the req->ki_ctx read happens either before\nthe IOCB_AIO_RW test or after that test. Move the req->ki_ctx read such\nthat it is guaranteed that the IOCB_AIO_RW test happens first.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35815", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35815" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96" + }, + { + "url": "https://git.kernel.org/stable/c/ae99e199037c580b7350bfa3596f447a53bcf01f" + }, + { + "url": "https://git.kernel.org/stable/c/537040c257ab4cd0673fbae048f3940c8ea2e589" + }, + { + "url": "https://git.kernel.org/stable/c/99740c4791dc8019b0d758c5389ca6d1c0604d95" + }, + { + "url": "https://git.kernel.org/stable/c/8f562f3b25177c2055b20fd8cf000496f6fa9194" + }, + { + "url": "https://git.kernel.org/stable/c/86bf75d9158f511db7530bc82a84b19a5134d089" + }, + { + "url": "https://git.kernel.org/stable/c/3ff4a0f6a8f0ad4b4ee9e908bdfc3cacb7be4060" + }, + { + "url": "https://git.kernel.org/stable/c/7e9926fef71e514b4a8ea9d11d5a84d52b181362" + }, + { + "url": "https://git.kernel.org/stable/c/ca2cf98d46748373e830a13d85d215d64a2d9bf2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26965" + }, + { + "url": "https://git.kernel.org/linus/e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-580", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26965" + } + } + ], + "created": "2024-05-01T06:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: qcom: mmcc-msm8974: fix terminating of frequency table arrays\n\nThe frequency table arrays are supposed to be terminated with an\nempty element. Add such entry to the end of the arrays where it\nis missing in order to avoid possible out-of-bound access when\nthe table is traversed by functions like qcom_find_freq() or\nqcom_find_freq_floor().\n\nOnly compile tested.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26965", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26965" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/697624ee8ad557ab5417f985d2c804241a7ad30d" + }, + { + "url": "https://git.kernel.org/stable/c/b13c0d871cd878ff53d25507ca535f59ed1f6a2a" + }, + { + "url": "https://git.kernel.org/stable/c/9d3f959b426635c4da50dfc7b1306afd84d23e7c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35942" + }, + { + "url": "https://git.kernel.org/linus/697624ee8ad557ab5417f985d2c804241a7ad30d(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-581", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35942" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain\n\nAccording to i.MX8MP RM and HDMI ADD, the fdcc clock is part of\nhdmi rx verification IP that should not enable for HDMI TX.\nBut actually if the clock is disabled before HDMI/LCDIF probe,\nLCDIF will not get pixel clock from HDMI PHY and print the error\nlogs:\n\n[CRTC:39:crtc-2] vblank wait timed out\nWARNING: CPU: 2 PID: 9 at drivers/gpu/drm/drm_atomic_helper.c:1634 drm_atomic_helper_wait_for_vblanks.part.0+0x23c/0x260\n\nAdd fdcc clock to LCDIF and HDMI TX power domains to fix the issue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35942", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35942" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/868ec868616438df487b9e2baa5a99f8662cc47c" + }, + { + "url": "https://git.kernel.org/stable/c/b6563ad0d599110bd5cf8f56c47d279c3ed796fe" + }, + { + "url": "https://git.kernel.org/stable/c/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4" + }, + { + "url": "https://git.kernel.org/stable/c/59a534690ecc3af72c6ab121aeac1237a4adae66" + }, + { + "url": "https://git.kernel.org/stable/c/0c8c74bb59e7d77554016efc34c2d10376985e5e" + }, + { + "url": "https://git.kernel.org/linus/8ede3db5061bb1fe28e2c9683329aafa89d2b1b4(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35827" + } + ], + "bom-ref": "vuln-582", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35827" + } + } + ], + "created": "2024-05-17T14:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/net: fix overflow check in io_recvmsg_mshot_prep()\n\nThe \"controllen\" variable is type size_t (unsigned long). Casting it\nto int could lead to an integer underflow.\n\nThe check_add_overflow() function considers the type of the destination\nwhich is type int. If we add two positive values and the result cannot\nfit in an integer then that's counted as an overflow.\n\nHowever, if we cast \"controllen\" to an int and it turns negative, then\nnegative values *can* fit into an int type so there is no overflow.\n\nGood: 100 + (unsigned long)-4 = 96 <-- overflow\n Bad: 100 + (int)-4 = 96 <-- no overflow\n\nI deleted the cast of the sizeof() as well. That's not a bug but the\ncast is unnecessary.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35827", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35827" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3151051b787f7cd7e3329ea0016eb9113c248812" + }, + { + "url": "https://git.kernel.org/stable/c/d0b5b1f12429df3cd9751ab8b2f53729b77733b7" + }, + { + "url": "https://git.kernel.org/stable/c/64babb17e8150771c58575d8f93a35c5296b499f" + }, + { + "url": "https://git.kernel.org/stable/c/9c333d9891f34cea8af1b229dc754552304c8eee" + }, + { + "url": "https://git.kernel.org/stable/c/8e51f084b5716653f19e291ed5f026791d4b3ed4" + }, + { + "url": "https://git.kernel.org/stable/c/aa2b2eb3934859904c287bf5434647ba72e14c1c" + }, + { + "url": "https://git.kernel.org/stable/c/6b950c712a9a05cdda4aea7fcb2848766576c11b" + }, + { + "url": "https://git.kernel.org/stable/c/dbc1b89981f9c5360277071d33d7f04a43ffda4a" + }, + { + "url": "https://git.kernel.org/linus/aa2b2eb3934859904c287bf5434647ba72e14c1c(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26625" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-583", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26625" + } + } + ], + "created": "2024-03-06T07:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nllc: call sock_orphan() at release time\n\nsyzbot reported an interesting trace [1] caused by a stale sk->sk_wq\npointer in a closed llc socket.\n\nIn commit ff7b11aa481f (\"net: socket: set sock->sk to NULL after\ncalling proto_ops::release()\") Eric Biggers hinted that some protocols\nare missing a sock_orphan(), we need to perform a full audit.\n\nIn net-next, I plan to clear sock->sk from sock_orphan() and\namend Eric patch to add a warning.\n\n[1]\n BUG: KASAN: slab-use-after-free in list_empty include/linux/list.h:373 [inline]\n BUG: KASAN: slab-use-after-free in waitqueue_active include/linux/wait.h:127 [inline]\n BUG: KASAN: slab-use-after-free in sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n BUG: KASAN: slab-use-after-free in sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\nRead of size 8 at addr ffff88802f4fc880 by task ksoftirqd/1/27\n\nCPU: 1 PID: 27 Comm: ksoftirqd/1 Not tainted 6.8.0-rc1-syzkaller-00049-g6098d87eaf31 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc4/0x620 mm/kasan/report.c:488\n kasan_report+0xda/0x110 mm/kasan/report.c:601\n list_empty include/linux/list.h:373 [inline]\n waitqueue_active include/linux/wait.h:127 [inline]\n sock_def_write_space_wfree net/core/sock.c:3384 [inline]\n sock_wfree+0x9a8/0x9d0 net/core/sock.c:2468\n skb_release_head_state+0xa3/0x2b0 net/core/skbuff.c:1080\n skb_release_all net/core/skbuff.c:1092 [inline]\n napi_consume_skb+0x119/0x2b0 net/core/skbuff.c:1404\n e1000_unmap_and_free_tx_resource+0x144/0x200 drivers/net/ethernet/intel/e1000/e1000_main.c:1970\n e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3860 [inline]\n e1000_clean+0x4a1/0x26e0 drivers/net/ethernet/intel/e1000/e1000_main.c:3801\n __napi_poll.constprop.0+0xb4/0x540 net/core/dev.c:6576\n napi_poll net/core/dev.c:6645 [inline]\n net_rx_action+0x956/0xe90 net/core/dev.c:6778\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n run_ksoftirqd kernel/softirq.c:921 [inline]\n run_ksoftirqd+0x31/0x60 kernel/softirq.c:913\n smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164\n kthread+0x2c6/0x3a0 kernel/kthread.c:388\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242\n \n\nAllocated by task 5167:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n unpoison_slab_object mm/kasan/common.c:314 [inline]\n __kasan_slab_alloc+0x81/0x90 mm/kasan/common.c:340\n kasan_slab_alloc include/linux/kasan.h:201 [inline]\n slab_post_alloc_hook mm/slub.c:3813 [inline]\n slab_alloc_node mm/slub.c:3860 [inline]\n kmem_cache_alloc_lru+0x142/0x6f0 mm/slub.c:3879\n alloc_inode_sb include/linux/fs.h:3019 [inline]\n sock_alloc_inode+0x25/0x1c0 net/socket.c:308\n alloc_inode+0x5d/0x220 fs/inode.c:260\n new_inode_pseudo+0x16/0x80 fs/inode.c:1005\n sock_alloc+0x40/0x270 net/socket.c:634\n __sock_create+0xbc/0x800 net/socket.c:1535\n sock_create net/socket.c:1622 [inline]\n __sys_socket_create net/socket.c:1659 [inline]\n __sys_socket+0x14c/0x260 net/socket.c:1706\n __do_sys_socket net/socket.c:1720 [inline]\n __se_sys_socket net/socket.c:1718 [inline]\n __x64_sys_socket+0x72/0xb0 net/socket.c:1718\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFreed by task 0:\n kasan_save_stack+0x33/0x50 mm/kasan/common.c:47\n kasan_save_track+0x14/0x30 mm/kasan/common.c:68\n kasan_save_free_info+0x3f/0x60 mm/kasan/generic.c:640\n poison_slab_object mm/kasan/common.c:241 [inline]\n __kasan_slab_free+0x121/0x1b0 mm/kasan/common.c:257\n kasan_slab_free include/linux/kasan.h:184 [inline]\n slab_free_hook mm/slub.c:2121 [inlin\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26625", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26625" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/547545e50c913861219947ce490c68a1776b9b51" + }, + { + "url": "https://git.kernel.org/stable/c/0d8011a878fdf96123bc0d6a12e2fe7ced5fddfb" + }, + { + "url": "https://git.kernel.org/stable/c/923dea2a7ea9e1ef5ac4031fba461c1cc92e32b8" + }, + { + "url": "https://git.kernel.org/stable/c/37e8c97e539015637cb920d3e6f1e404f707a06e" + }, + { + "url": "https://git.kernel.org/stable/c/56440799fc4621c279df16176f83a995d056023a" + }, + { + "url": "https://git.kernel.org/stable/c/de769423b2f053182a41317c4db5a927e90622a0" + }, + { + "url": "https://git.kernel.org/linus/37e8c97e539015637cb920d3e6f1e404f707a06e(6.8-rc3)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26707" + } + ], + "bom-ref": "vuln-584", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26707" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()\n\nSyzkaller reported [1] hitting a warning after failing to allocate\nresources for skb in hsr_init_skb(). Since a WARN_ONCE() call will\nnot help much in this case, it might be prudent to switch to\nnetdev_warn_once(). At the very least it will suppress syzkaller\nreports such as [1].\n\nJust in case, use netdev_warn_once() in send_prp_supervision_frame()\nfor similar reasons.\n\n[1]\nHSR: Could not send supervision frame\nWARNING: CPU: 1 PID: 85 at net/hsr/hsr_device.c:294 send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\nRIP: 0010:send_hsr_supervision_frame+0x60a/0x810 net/hsr/hsr_device.c:294\n...\nCall Trace:\n \n hsr_announce+0x114/0x370 net/hsr/hsr_device.c:382\n call_timer_fn+0x193/0x590 kernel/time/timer.c:1700\n expire_timers kernel/time/timer.c:1751 [inline]\n __run_timers+0x764/0xb20 kernel/time/timer.c:2022\n run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035\n __do_softirq+0x21a/0x8de kernel/softirq.c:553\n invoke_softirq kernel/softirq.c:427 [inline]\n __irq_exit_rcu kernel/softirq.c:632 [inline]\n irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644\n sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076\n \n \n asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649\n...\n\nThis issue is also found in older kernels (at least up to 5.10).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26707", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26707" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/740ffad95ca8033bd6e080ed337655b13b4d38ac" + }, + { + "url": "https://git.kernel.org/stable/c/858c489d81d659af17a4d11cfaad2afb42e47a76" + }, + { + "url": "https://git.kernel.org/stable/c/8b8ace080319a866f5dfe9da8e665ae51d971c54" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35974" + }, + { + "url": "https://git.kernel.org/linus/8b8ace080319a866f5dfe9da8e665ae51d971c54(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-585", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35974" + } + } + ], + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix q->blkg_list corruption during disk rebind\n\nMultiple gendisk instances can allocated/added for single request queue\nin case of disk rebind. blkg may still stay in q->blkg_list when calling\nblkcg_init_disk() for rebind, then q->blkg_list becomes corrupted.\n\nFix the list corruption issue by:\n\n- add blkg_init_queue() to initialize q->blkg_list & q->blkcg_mutex only\n- move calling blkg_init_queue() into blk_alloc_queue()\n\nThe list corruption should be started since commit f1c006f1c685 (\"blk-cgroup:\nsynchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()\")\nwhich delays removing blkg from q->blkg_list into blkg_free_workfn().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35974", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35974" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS" + }, + { + "url": "https://support.apple.com/kb/HT214096" + }, + { + "url": "https://support.apple.com/kb/HT214097" + }, + { + "url": "https://code.videolan.org/videolan/dav1d/-/releases/1.4.0" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EPMUNDMEBGESOJ2ZNCWYEAYOOEKNWOO/" + }, + { + "url": "https://support.apple.com/kb/HT214098" + }, + { + "url": "https://support.apple.com/kb/HT214093" + }, + { + "url": "https://support.apple.com/kb/HT214094" + }, + { + "url": "https://support.apple.com/kb/HT214095" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-1580" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064310" + } + ], + "bom-ref": "vuln-586", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-1580" + } + } + ], + "created": "2024-02-19T11:15:08Z", + "description": "An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.\n\n\n\n", + "affects": [ + { + "ref": "comp-69" + } + ], + "id": "CVE-2024-1580", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1580" + }, + "cwes": [ + 190 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-27T18:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:43:09Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-69", + "value": "0:1.0.0-2+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f6d53d8a2617dd58c89171a6b9610c470ebda38a" + }, + { + "url": "https://git.kernel.org/stable/c/e126b508ed2e616d679d85fca2fbe77bb48bbdd7" + }, + { + "url": "https://git.kernel.org/stable/c/12f8e32a5a389a5d58afc67728c76e61beee1ad4" + }, + { + "url": "https://git.kernel.org/stable/c/4868c0ecdb6cfde7c70cf478c46e06bb9c7e5865" + }, + { + "url": "https://git.kernel.org/stable/c/2d13b79640b147bd77c34a5998533b2021a4122d" + }, + { + "url": "https://git.kernel.org/stable/c/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807" + }, + { + "url": "https://git.kernel.org/linus/5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807(6.8)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35791" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-587", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35791" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()\n\nDo the cache flush of converted pages in svm_register_enc_region() before\ndropping kvm->lock to fix use-after-free issues where region and/or its\narray of pages could be freed by a different task, e.g. if userspace has\n__unregister_enc_region_locked() already queued up for the region.\n\nNote, the \"obvious\" alternative of using local variables doesn't fully\nresolve the bug, as region->pages is also dynamically allocated. I.e. the\nregion structure itself would be fine, but region->pages could be freed.\n\nFlushing multiple pages under kvm->lock is unfortunate, but the entire\nflow is a rare slow path, and the manual flush is only needed on CPUs that\nlack coherency for encrypted memory.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35791", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35791" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b34d64e9aa5505e3c84570aed5c757f1839573e8" + }, + { + "url": "https://git.kernel.org/stable/c/7e11a2966f51695c0af0b1f976a32d64dee243b2" + }, + { + "url": "https://git.kernel.org/stable/c/4f11c741908dab7dd48fa5a986b210d4fc74ca8d" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35946" + }, + { + "url": "https://git.kernel.org/linus/7e11a2966f51695c0af0b1f976a32d64dee243b2(6.9-rc1)" + } + ], + "bom-ref": "vuln-588", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35946" + } + } + ], + "created": "2024-05-19T11:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: fix null pointer access when abort scan\n\nDuring cancel scan we might use vif that weren't scanning.\nFix this by using the actual scanning vif.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35946", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35946" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680513" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0564" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258514" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0564" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-589", + "ratings": [ + { + "severity": "none", + "score": 0.00052, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0564" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" + } + } + ], + "created": "2024-01-30T15:15:08Z", + "description": "A flaw was found in the Linux kernel's memory deduplication mechanism. The max page sharing of Kernel Samepage Merging (KSM), added in Linux kernel version 4.4.0-96.119, can create a side channel. When the attacker and the victim share the same host and the default setting of KSM is \"max page sharing=256\", it is possible for the attacker to time the unmap to merge with the victim's page. The unmapping time depends on whether it merges with the victim's page and additional physical pages are created beyond the KSM's \"max page share\". Through these operations, the attacker can leak the victim's page.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-0564", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0564" + }, + "cwes": [ + 203 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-08T16:36:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-13T09:01:50Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32004" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-32004" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071160" + } + ], + "bom-ref": "vuln-590", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32004" + } + } + ], + "created": "2024-05-14T19:15:11Z", + "description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.", + "affects": [ + { + "ref": "comp-14" + } + ], + "id": "CVE-2024-32004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32004" + }, + "cwes": [ + 114 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-14T19:17:55Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1bc5461a21c56a36e2a7d81e152b90ce019a3905" + }, + { + "url": "https://git.kernel.org/stable/c/74d0639261dd795dce958d1b14815bdcbb48a715" + }, + { + "url": "https://git.kernel.org/stable/c/4afa0246656d5680c8a4c3fb37ba6570c4ab819b" + }, + { + "url": "https://git.kernel.org/stable/c/a015fbf698c8957aa5fbeefc5c59dd2cf3107298" + }, + { + "url": "https://git.kernel.org/stable/c/f8ff4b4df71e87f609be0cc37d92e918107f9b90" + }, + { + "url": "https://git.kernel.org/stable/c/24355fcb0d4cbcb6ddda262596558e8cfba70f11" + }, + { + "url": "https://git.kernel.org/stable/c/ac90e22e735bac44f74b5161fb096fbeb0ff8bc2" + }, + { + "url": "https://git.kernel.org/linus/24355fcb0d4cbcb6ddda262596558e8cfba70f11(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26897" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-591", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26897" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete\n\nThe ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data\nstructures have been fully initialised by the time it runs. However, because of\nthe order in which things are initialised, this is not guaranteed to be the\ncase, because the device is exposed to the USB subsystem before the ath9k driver\ninitialisation is completed.\n\nWe already committed a partial fix for this in commit:\n8b3046abc99e (\"ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()\")\n\nHowever, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event\ntasklet, pairing it with an \"initialisation complete\" bit in the TX struct. It\nseems syzbot managed to trigger the race for one of the other commands as well,\nso let's just move the existing synchronisation bit to cover the whole\ntasklet (setting it at the end of ath9k_htc_probe_device() instead of inside\nath9k_tx_init()).", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26897", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26897" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/12609c76b755dbeb1645c0aacc0f0f4743b2eff3" + }, + { + "url": "https://git.kernel.org/stable/c/2160ad6861c4a21d3fa553d7b2aaec6634a37f8a" + }, + { + "url": "https://git.kernel.org/stable/c/aeca49661fd02fd56fb026768b580ce301b45733" + }, + { + "url": "https://git.kernel.org/stable/c/7d271b798add90c6196539167c019d0817285cf0" + }, + { + "url": "https://git.kernel.org/stable/c/c45e53c27b78afd6c81fc25608003576f27b5735" + }, + { + "url": "https://git.kernel.org/stable/c/0d27056c24efd3d63a03f3edfbcfc4827086b110" + }, + { + "url": "https://git.kernel.org/stable/c/5cd8af02b466e1beeae13e2de3dc58fcc7925e5a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26978" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/0d27056c24efd3d63a03f3edfbcfc4827086b110(6.9-rc1)" + } + ], + "bom-ref": "vuln-592", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26978" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: max310x: fix NULL pointer dereference in I2C instantiation\n\nWhen trying to instantiate a max14830 device from userspace:\n\n echo max14830 0x60 > /sys/bus/i2c/devices/i2c-2/new_device\n\nwe get the following error:\n\n Unable to handle kernel NULL pointer dereference at virtual address...\n ...\n Call trace:\n max310x_i2c_probe+0x48/0x170 [max310x]\n i2c_device_probe+0x150/0x2a0\n ...\n\nAdd check for validity of devtype to prevent the error, and abort probe\nwith a meaningful error message.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26978", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26978" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009704" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3847" + } + ], + "bom-ref": "vuln-593", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3847" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + } + } + ], + "created": "2022-04-01T23:15:10Z", + "description": "An unauthorized access to the execution of the setuid file with capabilities flaw in the Linux kernel OverlayFS subsystem was found in the way user copying a capable file from a nosuid mount into another mount. A local user could use this flaw to escalate their privileges on the system.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2021-3847", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3847" + }, + "cwes": [ + 281 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2022-04-11T20:31:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-10T01:20:18Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2022-1115" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2067022" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-1115" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282" + } + ], + "bom-ref": "vuln-594", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115" + } + }, + { + "severity": "none", + "score": 0.00112, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-1115" + } + } + ], + "created": "2022-08-29T15:15:10Z", + "description": "A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2022-1115", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115" + }, + "cwes": [ + 787, + 119 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2022-09-06T14:09:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/262534ddc88dfea7474ed18adfecf856e4fbe054" + }, + { + "url": "https://git.kernel.org/stable/c/d994f7d77aaded05dc05af58a2720fd4f4b72a83" + }, + { + "url": "https://git.kernel.org/linus/262534ddc88dfea7474ed18adfecf856e4fbe054(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35926" + } + ], + "bom-ref": "vuln-595", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35926" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: iaa - Fix async_disable descriptor leak\n\nThe disable_async paths of iaa_compress/decompress() don't free idxd\ndescriptors in the async_disable case. Currently this only happens in\nthe testcases where req->dst is set to null. Add a test to free them\nin those paths.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35926", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35926" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9d42f373391211c7c8af66a3a316533a32b8a607" + }, + { + "url": "https://git.kernel.org/stable/c/8ee0c132a61df9723813c40e742dc5321824daa9" + }, + { + "url": "https://git.kernel.org/stable/c/4f3951242ace5efc7131932e2e01e6ac6baed846" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35965" + }, + { + "url": "https://git.kernel.org/linus/4f3951242ace5efc7131932e2e01e6ac6baed846(6.9-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-596", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35965" + } + } + ], + "created": "2024-05-20T10:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix not validating setsockopt user input\n\nCheck user input length before copying data.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35965", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35965" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ad140fc856f0b1d5e2215bcb6d0cc247a86805a2" + }, + { + "url": "https://git.kernel.org/stable/c/1d38a9ee81570c4bd61f557832dead4d6f816760" + }, + { + "url": "https://git.kernel.org/stable/c/e5ad9ecb84405637df82732ee02ad741a5f782a6" + }, + { + "url": "https://git.kernel.org/linus/1d38a9ee81570c4bd61f557832dead4d6f816760(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52676" + } + ], + "bom-ref": "vuln-597", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52676" + } + } + ], + "created": "2024-05-17T15:15:18Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Guard stack limits against 32bit overflow\n\nThis patch promotes the arithmetic around checking stack bounds to be\ndone in the 64-bit domain, instead of the current 32bit. The arithmetic\nimplies adding together a 64-bit register with a int offset. The\nregister was checked to be below 1<<29 when it was variable, but not\nwhen it was fixed. The offset either comes from an instruction (in which\ncase it is 16 bit), from another register (in which case the caller\nchecked it to be below 1<<29 [1]), or from the size of an argument to a\nkfunc (in which case it can be a u32 [2]). Between the register being\ninconsistently checked to be below 1<<29, and the offset being up to an\nu32, it appears that we were open to overflowing the `int`s which were\ncurrently used for arithmetic.\n\n[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498\n[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52676", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52676" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fe752331d4b361d43cfd0b89534b4b2176057c32" + }, + { + "url": "https://git.kernel.org/stable/c/28bb27824f25f36e5f80229a358d66ee09244082" + }, + { + "url": "https://git.kernel.org/stable/c/5df3b81a567eb565029563f26f374ae3803a1dfc" + }, + { + "url": "https://git.kernel.org/stable/c/f5572c0323cf8b4f1f0618178648a25b8fb8a380" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52639" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/fe752331d4b361d43cfd0b89534b4b2176057c32(6.8-rc4)" + } + ], + "bom-ref": "vuln-598", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52639" + } + } + ], + "created": "2024-04-03T15:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: s390: vsie: fix race during shadow creation\n\nRight now it is possible to see gmap->private being zero in\nkvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the\nfact that we add gmap->private == kvm after creation:\n\nstatic int acquire_gmap_shadow(struct kvm_vcpu *vcpu,\n struct vsie_page *vsie_page)\n{\n[...]\n gmap = gmap_shadow(vcpu->arch.gmap, asce, edat);\n if (IS_ERR(gmap))\n return PTR_ERR(gmap);\n gmap->private = vcpu->kvm;\n\nLet children inherit the private field of the parent.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52639", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52639" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c835df3bcc14858ae9b27315dd7de76370b94f3a" + }, + { + "url": "https://git.kernel.org/stable/c/a9bc32879a08f23cdb80a48c738017e39aea1080" + }, + { + "url": "https://git.kernel.org/stable/c/d54e4da98bbfa8c257bdca94c49652d81d18a4d8" + }, + { + "url": "https://git.kernel.org/stable/c/350a6640fac4b53564ec20aa3f4a0922cb0ba5e6" + }, + { + "url": "https://git.kernel.org/stable/c/af6b5c50d47ab43e5272ad61935d0ed2e264d3f0" + }, + { + "url": "https://git.kernel.org/stable/c/8d975c15c0cd744000ca386247432d57b21f9df0" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26641" + }, + { + "url": "https://git.kernel.org/linus/8d975c15c0cd744000ca386247432d57b21f9df0(6.8-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-599", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26641" + } + } + ], + "created": "2024-03-18T11:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()\n\nsyzbot found __ip6_tnl_rcv() could access unitiliazed data [1].\n\nCall pskb_inet_may_pull() to fix this, and initialize ipv6h\nvariable after this call as it can change skb->head.\n\n[1]\n BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]\n INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]\n IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321\n ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727\n __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845\n ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888\n gre_rcv+0x143f/0x1870\n ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438\n ip6_input_finish net/ipv6/ip6_input.c:483 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492\n ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586\n dst_input include/net/dst.h:461 [inline]\n ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79\n NF_HOOK include/linux/netfilter.h:314 [inline]\n ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310\n __netif_receive_skb_one_core net/core/dev.c:5532 [inline]\n __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646\n netif_receive_skb_internal net/core/dev.c:5732 [inline]\n netif_receive_skb+0x58/0x660 net/core/dev.c:5791\n tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555\n tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2084 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x786/0x1200 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523\n kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560\n __alloc_skb+0x318/0x740 net/core/skbuff.c:651\n alloc_skb include/linux/skbuff.h:1286 [inline]\n alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334\n sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787\n tun_alloc_skb drivers/net/tun.c:1531 [inline]\n tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846\n tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048\n call_write_iter include/linux/fs.h:2084 [inline]\n new_sync_write fs/read_write.c:497 [inline]\n vfs_write+0x786/0x1200 fs/read_write.c:590\n ksys_write+0x20f/0x4c0 fs/read_write.c:643\n __do_sys_write fs/read_write.c:655 [inline]\n __se_sys_write fs/read_write.c:652 [inline]\n __x64_sys_write+0x93/0xd0 fs/read_write.c:652\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nCPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26641", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26641" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-18T12:38:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/fef965764cf562f28afb997b626fc7c3cec99693" + }, + { + "url": "https://git.kernel.org/stable/c/0080bf99499468030248ebd25dd645e487dcecdc" + }, + { + "url": "https://git.kernel.org/stable/c/46efa4d5930cf3c2af8c01f75e0a47e4fc045e3b" + }, + { + "url": "https://git.kernel.org/stable/c/48c4bb81df19402d4346032353d0795260255e3b" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27014" + }, + { + "url": "https://git.kernel.org/linus/fef965764cf562f28afb997b626fc7c3cec99693(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-600", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27014" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Prevent deadlock while disabling aRFS\n\nWhen disabling aRFS under the `priv->state_lock`, any scheduled\naRFS works are canceled using the `cancel_work_sync` function,\nwhich waits for the work to end if it has already started.\nHowever, while waiting for the work handler, the handler will\ntry to acquire the `state_lock` which is already acquired.\n\nThe worker acquires the lock to delete the rules if the state\nis down, which is not the worker's responsibility since\ndisabling aRFS deletes the rules.\n\nAdd an aRFS state variable, which indicates whether the aRFS is\nenabled and prevent adding rules when the aRFS is disabled.\n\nKernel log:\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.7.0-rc4_net_next_mlx5_5483eb2 #1 Tainted: G I\n------------------------------------------------------\nethtool/386089 is trying to acquire lock:\nffff88810f21ce68 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}, at: __flush_work+0x74/0x4e0\n\nbut task is already holding lock:\nffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #1 (&priv->state_lock){+.+.}-{3:3}:\n __mutex_lock+0x80/0xc90\n arfs_handle_work+0x4b/0x3b0 [mlx5_core]\n process_one_work+0x1dc/0x4a0\n worker_thread+0x1bf/0x3c0\n kthread+0xd7/0x100\n ret_from_fork+0x2d/0x50\n ret_from_fork_asm+0x11/0x20\n\n-> #0 ((work_completion)(&rule->arfs_work)){+.+.}-{0:0}:\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n __flush_work+0x7a/0x4e0\n __cancel_work_timer+0x131/0x1c0\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n netlink_rcv_skb+0x54/0x100\n genl_rcv+0x24/0x40\n netlink_unicast+0x1a1/0x270\n netlink_sendmsg+0x214/0x460\n __sock_sendmsg+0x38/0x60\n __sys_sendto+0x113/0x170\n __x64_sys_sendto+0x20/0x30\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x46/0x4e\n\nother info that might help us debug this:\n\n Possible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n lock(&priv->state_lock);\n lock((work_completion)(&rule->arfs_work));\n\n *** DEADLOCK ***\n\n3 locks held by ethtool/386089:\n #0: ffffffff82ea7210 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40\n #1: ffffffff82e94c88 (rtnl_mutex){+.+.}-{3:3}, at: ethnl_default_set_doit+0xd3/0x240\n #2: ffff8884a1808cc0 (&priv->state_lock){+.+.}-{3:3}, at: mlx5e_ethtool_set_channels+0x53/0x200 [mlx5_core]\n\nstack backtrace:\nCPU: 15 PID: 386089 Comm: ethtool Tainted: G I 6.7.0-rc4_net_next_mlx5_5483eb2 #1\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nCall Trace:\n \n dump_stack_lvl+0x60/0xa0\n check_noncircular+0x144/0x160\n __lock_acquire+0x17b4/0x2c80\n lock_acquire+0xd0/0x2b0\n ? __flush_work+0x74/0x4e0\n ? save_trace+0x3e/0x360\n ? __flush_work+0x74/0x4e0\n __flush_work+0x7a/0x4e0\n ? __flush_work+0x74/0x4e0\n ? __lock_acquire+0xa78/0x2c80\n ? lock_acquire+0xd0/0x2b0\n ? mark_held_locks+0x49/0x70\n __cancel_work_timer+0x131/0x1c0\n ? mark_held_locks+0x49/0x70\n arfs_del_rules+0x143/0x1e0 [mlx5_core]\n mlx5e_arfs_disable+0x1b/0x30 [mlx5_core]\n mlx5e_ethtool_set_channels+0xcb/0x200 [mlx5_core]\n ethnl_set_channels+0x28f/0x3b0\n ethnl_default_set_doit+0xec/0x240\n genl_family_rcv_msg_doit+0xd0/0x120\n genl_rcv_msg+0x188/0x2c0\n ? ethn\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27014", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27014" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ae62f1dde66a6f0eee98defc4c7a346bd5acd239" + }, + { + "url": "https://git.kernel.org/stable/c/4b6b479b2da6badff099b2e3abf0248936eefbf5" + }, + { + "url": "https://git.kernel.org/stable/c/e7b2b108cdeab76a7e7324459e50b0c1214c0386" + }, + { + "url": "https://git.kernel.org/linus/e7b2b108cdeab76a7e7324459e50b0c1214c0386(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52671" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-601", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52671" + } + } + ], + "created": "2024-05-17T14:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix hang/underflow when transitioning to ODM4:1\n\n[Why]\nUnder some circumstances, disabling an OPTC and attempting to reclaim\nits OPP(s) for a different OPTC could cause a hang/underflow due to OPPs\nnot being properly disconnected from the disabled OPTC.\n\n[How]\nEnsure that all OPPs are unassigned from an OPTC when it gets disabled.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52671", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52671" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1e7feb31a18c197d63a5e606025ed63c762f8918" + }, + { + "url": "https://git.kernel.org/stable/c/5a7dfb8fcd3f29fc93161100179b27f24f3d5f35" + }, + { + "url": "https://git.kernel.org/stable/c/e46d3be714ad9652480c6db129ab8125e2d20ab7" + }, + { + "url": "https://git.kernel.org/stable/c/89f9a1e876b5a7ad884918c03a46831af202c8a0" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26983" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/89f9a1e876b5a7ad884918c03a46831af202c8a0(6.9-rc5)" + } + ], + "bom-ref": "vuln-602", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26983" + } + } + ], + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbootconfig: use memblock_free_late to free xbc memory to buddy\n\nOn the time to free xbc memory in xbc_exit(), memblock may has handed\nover memory to buddy allocator. So it doesn't make sense to free memory\nback to memblock. memblock_free() called by xbc_exit() even causes UAF bugs\non architectures with CONFIG_ARCH_KEEP_MEMBLOCK disabled like x86.\nFollowing KASAN logs shows this case.\n\nThis patch fixes the xbc memory free problem by calling memblock_free()\nin early xbc init error rewind path and calling memblock_free_late() in\nxbc exit path to free memory to buddy allocator.\n\n[ 9.410890] ==================================================================\n[ 9.418962] BUG: KASAN: use-after-free in memblock_isolate_range+0x12d/0x260\n[ 9.426850] Read of size 8 at addr ffff88845dd30000 by task swapper/0/1\n\n[ 9.435901] CPU: 9 PID: 1 Comm: swapper/0 Tainted: G U 6.9.0-rc3-00208-g586b5dfb51b9 #5\n[ 9.446403] Hardware name: Intel Corporation RPLP LP5 (CPU:RaptorLake)/RPLP LP5 (ID:13), BIOS IRPPN02.01.01.00.00.19.015.D-00000000 Dec 28 2023\n[ 9.460789] Call Trace:\n[ 9.463518] \n[ 9.465859] dump_stack_lvl+0x53/0x70\n[ 9.469949] print_report+0xce/0x610\n[ 9.473944] ? __virt_addr_valid+0xf5/0x1b0\n[ 9.478619] ? memblock_isolate_range+0x12d/0x260\n[ 9.483877] kasan_report+0xc6/0x100\n[ 9.487870] ? memblock_isolate_range+0x12d/0x260\n[ 9.493125] memblock_isolate_range+0x12d/0x260\n[ 9.498187] memblock_phys_free+0xb4/0x160\n[ 9.502762] ? __pfx_memblock_phys_free+0x10/0x10\n[ 9.508021] ? mutex_unlock+0x7e/0xd0\n[ 9.512111] ? __pfx_mutex_unlock+0x10/0x10\n[ 9.516786] ? kernel_init_freeable+0x2d4/0x430\n[ 9.521850] ? __pfx_kernel_init+0x10/0x10\n[ 9.526426] xbc_exit+0x17/0x70\n[ 9.529935] kernel_init+0x38/0x1e0\n[ 9.533829] ? _raw_spin_unlock_irq+0xd/0x30\n[ 9.538601] ret_from_fork+0x2c/0x50\n[ 9.542596] ? __pfx_kernel_init+0x10/0x10\n[ 9.547170] ret_from_fork_asm+0x1a/0x30\n[ 9.551552] \n\n[ 9.555649] The buggy address belongs to the physical page:\n[ 9.561875] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x45dd30\n[ 9.570821] flags: 0x200000000000000(node=0|zone=2)\n[ 9.576271] page_type: 0xffffffff()\n[ 9.580167] raw: 0200000000000000 ffffea0011774c48 ffffea0012ba1848 0000000000000000\n[ 9.588823] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000\n[ 9.597476] page dumped because: kasan: bad access detected\n\n[ 9.605362] Memory state around the buggy address:\n[ 9.610714] ffff88845dd2ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.618786] ffff88845dd2ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[ 9.626857] >ffff88845dd30000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.634930] ^\n[ 9.638534] ffff88845dd30080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.646605] ffff88845dd30100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n[ 9.654675] ==================================================================", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26983", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26983" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270836" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1223307" + }, + { + "url": "https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3008.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2627" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2758" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2628" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-25743" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-603", + "created": "2024-05-15T18:15:10Z", + "description": "In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. This affects AMD SEV-SNP and AMD SEV-ES.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-25743", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25743" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-17T22:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T23:32:36Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/745003b5917b610352f52fe0d11ef658d6471ec2" + }, + { + "url": "https://git.kernel.org/stable/c/205c50306acf58a335eb19fa84e40140f4fe814f" + }, + { + "url": "https://git.kernel.org/stable/c/5800ec78775c0cd646f71eb9bf8402fb794807de" + }, + { + "url": "https://git.kernel.org/stable/c/4bfd20d5f5c62b5495d6c0016ee6933bd3add7ce" + }, + { + "url": "https://git.kernel.org/stable/c/dd50d3ead6e3707bb0a5df7cc832730c93ace3a7" + }, + { + "url": "https://git.kernel.org/stable/c/e556006de4ea93abe2b46cba202a2556c544b8b2" + }, + { + "url": "https://git.kernel.org/stable/c/b4bbf38c350acb6500cbe667b1e2e68f896e4b38" + }, + { + "url": "https://git.kernel.org/stable/c/d80fc436751cfa6b02a8eda74eb6cce7dadfe5a2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27053" + }, + { + "url": "https://git.kernel.org/linus/205c50306acf58a335eb19fa84e40140f4fe814f(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-604", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27053" + } + } + ], + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: fix RCU usage in connect path\n\nWith lockdep enabled, calls to the connect function from cfg802.11 layer\nlead to the following warning:\n\n=============================\nWARNING: suspicious RCU usage\n6.7.0-rc1-wt+ #333 Not tainted\n-----------------------------\ndrivers/net/wireless/microchip/wilc1000/hif.c:386\nsuspicious rcu_dereference_check() usage!\n[...]\nstack backtrace:\nCPU: 0 PID: 100 Comm: wpa_supplicant Not tainted 6.7.0-rc1-wt+ #333\nHardware name: Atmel SAMA5\n unwind_backtrace from show_stack+0x18/0x1c\n show_stack from dump_stack_lvl+0x34/0x48\n dump_stack_lvl from wilc_parse_join_bss_param+0x7dc/0x7f4\n wilc_parse_join_bss_param from connect+0x2c4/0x648\n connect from cfg80211_connect+0x30c/0xb74\n cfg80211_connect from nl80211_connect+0x860/0xa94\n nl80211_connect from genl_rcv_msg+0x3fc/0x59c\n genl_rcv_msg from netlink_rcv_skb+0xd0/0x1f8\n netlink_rcv_skb from genl_rcv+0x2c/0x3c\n genl_rcv from netlink_unicast+0x3b0/0x550\n netlink_unicast from netlink_sendmsg+0x368/0x688\n netlink_sendmsg from ____sys_sendmsg+0x190/0x430\n ____sys_sendmsg from ___sys_sendmsg+0x110/0x158\n ___sys_sendmsg from sys_sendmsg+0xe8/0x150\n sys_sendmsg from ret_fast_syscall+0x0/0x1c\n\nThis warning is emitted because in the connect path, when trying to parse\ntarget BSS parameters, we dereference a RCU pointer whithout being in RCU\ncritical section.\nFix RCU dereference usage by moving it to a RCU read critical section. To\navoid wrapping the whole wilc_parse_join_bss_param under the critical\nsection, just use the critical section to copy ies data", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27053", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27053" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/c660be571609e03e7d5972343536a736fcb31557" + }, + { + "url": "https://git.kernel.org/stable/c/244296cc3a155199a8b080d19e645d7d49081a38" + }, + { + "url": "https://git.kernel.org/stable/c/8bf574183282d219cfa991f7df37aad491d74c11" + }, + { + "url": "https://git.kernel.org/stable/c/8e3c94767cad5150198e4337c8b91f3bb068e14b" + }, + { + "url": "https://git.kernel.org/stable/c/0ccac964520a6f19e355652c8ca38af2a7f27076" + }, + { + "url": "https://git.kernel.org/stable/c/fcdd5bb4a8c81c64c1334d7e0aba41a8829a24de" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35990" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/244296cc3a155199a8b080d19e645d7d49081a38(6.9-rc6)" + } + ], + "bom-ref": "vuln-605", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35990" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several places where either chan->lock or chan->vchan.lock was\nnot held. Add appropriate locking. This fixes lockdep warnings like\n\n[ 31.077578] ------------[ cut here ]------------\n[ 31.077831] WARNING: CPU: 2 PID: 40 at drivers/dma/xilinx/xilinx_dpdma.c:834 xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.077953] Modules linked in:\n[ 31.078019] CPU: 2 PID: 40 Comm: kworker/u12:1 Not tainted 6.6.20+ #98\n[ 31.078102] Hardware name: xlnx,zynqmp (DT)\n[ 31.078169] Workqueue: events_unbound deferred_probe_work_func\n[ 31.078272] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 31.078377] pc : xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.078473] lr : xilinx_dpdma_chan_queue_transfer+0x270/0x5e0\n[ 31.078550] sp : ffffffc083bb2e10\n[ 31.078590] x29: ffffffc083bb2e10 x28: 0000000000000000 x27: ffffff880165a168\n[ 31.078754] x26: ffffff880164e920 x25: ffffff880164eab8 x24: ffffff880164d480\n[ 31.078920] x23: ffffff880165a148 x22: ffffff880164e988 x21: 0000000000000000\n[ 31.079132] x20: ffffffc082aa3000 x19: ffffff880164e880 x18: 0000000000000000\n[ 31.079295] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[ 31.079453] x14: 0000000000000000 x13: ffffff8802263dc0 x12: 0000000000000001\n[ 31.079613] x11: 0001ffc083bb2e34 x10: 0001ff880164e98f x9 : 0001ffc082aa3def\n[ 31.079824] x8 : 0001ffc082aa3dec x7 : 0000000000000000 x6 : 0000000000000516\n[ 31.079982] x5 : ffffffc7f8d43000 x4 : ffffff88003c9c40 x3 : ffffffffffffffff\n[ 31.080147] x2 : ffffffc7f8d43000 x1 : 00000000000000c0 x0 : 0000000000000000\n[ 31.080307] Call trace:\n[ 31.080340] xilinx_dpdma_chan_queue_transfer+0x274/0x5e0\n[ 31.080518] xilinx_dpdma_issue_pending+0x11c/0x120\n[ 31.080595] zynqmp_disp_layer_update+0x180/0x3ac\n[ 31.080712] zynqmp_dpsub_plane_atomic_update+0x11c/0x21c\n[ 31.080825] drm_atomic_helper_commit_planes+0x20c/0x684\n[ 31.080951] drm_atomic_helper_commit_tail+0x5c/0xb0\n[ 31.081139] commit_tail+0x234/0x294\n[ 31.081246] drm_atomic_helper_commit+0x1f8/0x210\n[ 31.081363] drm_atomic_commit+0x100/0x140\n[ 31.081477] drm_client_modeset_commit_atomic+0x318/0x384\n[ 31.081634] drm_client_modeset_commit_locked+0x8c/0x24c\n[ 31.081725] drm_client_modeset_commit+0x34/0x5c\n[ 31.081812] __drm_fb_helper_restore_fbdev_mode_unlocked+0x104/0x168\n[ 31.081899] drm_fb_helper_set_par+0x50/0x70\n[ 31.081971] fbcon_init+0x538/0xc48\n[ 31.082047] visual_init+0x16c/0x23c\n[ 31.082207] do_bind_con_driver.isra.0+0x2d0/0x634\n[ 31.082320] do_take_over_console+0x24c/0x33c\n[ 31.082429] do_fbcon_takeover+0xbc/0x1b0\n[ 31.082503] fbcon_fb_registered+0x2d0/0x34c\n[ 31.082663] register_framebuffer+0x27c/0x38c\n[ 31.082767] __drm_fb_helper_initial_config_and_unlock+0x5c0/0x91c\n[ 31.082939] drm_fb_helper_initial_config+0x50/0x74\n[ 31.083012] drm_fbdev_dma_client_hotplug+0xb8/0x108\n[ 31.083115] drm_client_register+0xa0/0xf4\n[ 31.083195] drm_fbdev_dma_setup+0xb0/0x1cc\n[ 31.083293] zynqmp_dpsub_drm_init+0x45c/0x4e0\n[ 31.083431] zynqmp_dpsub_probe+0x444/0x5e0\n[ 31.083616] platform_probe+0x8c/0x13c\n[ 31.083713] really_probe+0x258/0x59c\n[ 31.083793] __driver_probe_device+0xc4/0x224\n[ 31.083878] driver_probe_device+0x70/0x1c0\n[ 31.083961] __device_attach_driver+0x108/0x1e0\n[ 31.084052] bus_for_each_drv+0x9c/0x100\n[ 31.084125] __device_attach+0x100/0x298\n[ 31.084207] device_initial_probe+0x14/0x20\n[ 31.084292] bus_probe_device+0xd8/0xdc\n[ 31.084368] deferred_probe_work_func+0x11c/0x180\n[ 31.084451] process_one_work+0x3ac/0x988\n[ 31.084643] worker_thread+0x398/0x694\n[ 31.084752] kthread+0x1bc/0x1c0\n[ 31.084848] ret_from_fork+0x10/0x20\n[ 31.084932] irq event stamp: 64549\n[ 31.084970] hardirqs last enabled at (64548): [] _raw_spin_unlock_irqrestore+0x80/0x90\n[ 31.085157]\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35990", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35990" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b1f04b9b1c5317f562a455384c5f7473e46bdbaa" + }, + { + "url": "https://git.kernel.org/stable/c/8b12fc7b032633539acdf7864888b0ebd49e90f2" + }, + { + "url": "https://git.kernel.org/stable/c/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75" + }, + { + "url": "https://git.kernel.org/stable/c/ef13eeca7c79136bc38e21eb67322c1cbd5c40ee" + }, + { + "url": "https://git.kernel.org/stable/c/1fd7db5c16028dc07b2ceec190f2e895dddb532d" + }, + { + "url": "https://git.kernel.org/stable/c/d4da6b084f1c5625937d49bb6722c5b4aef11b8d" + }, + { + "url": "https://git.kernel.org/stable/c/212e3baccdb1939606420d88f7f52d346b49a284" + }, + { + "url": "https://git.kernel.org/stable/c/f68039375d4d6d67303674c0ab2d06b7295c0ec9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26922" + }, + { + "url": "https://git.kernel.org/linus/6fef2d4c00b5b8561ad68dd2b68173f5c6af1e75(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-606", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26922" + } + } + ], + "created": "2024-04-23T13:15:46Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: validate the parameters of bo mapping operations more clearly\n\nVerify the parameters of\namdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26922", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26922" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b996e8699da810e4c915841d6aaef761007f933a" + }, + { + "url": "https://git.kernel.org/stable/c/feabdac2057e863d0e140a2adf3d232eb4882db4" + }, + { + "url": "https://git.kernel.org/stable/c/1b73f6e4ea770410a937a8db98f77e52594d23a0" + }, + { + "url": "https://git.kernel.org/stable/c/b183b915beef818a25e3154d719ca015a1ae0770" + }, + { + "url": "https://git.kernel.org/stable/c/e24d2487424779c02760ff50cd9021b8676e19ef" + }, + { + "url": "https://git.kernel.org/stable/c/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4" + }, + { + "url": "https://git.kernel.org/stable/c/c17976b42d546ee118ca300db559630ee96fb758" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35855" + }, + { + "url": "https://git.kernel.org/linus/79b5b4b18bc85b19d3a518483f9abbbe6d7b3ba4(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-607", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35855" + } + } + ], + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update\n\nThe rule activity update delayed work periodically traverses the list of\nconfigured rules and queries their activity from the device.\n\nAs part of this task it accesses the entry pointed by 'ventry->entry',\nbut this entry can be changed concurrently by the rehash delayed work,\nleading to a use-after-free [1].\n\nFix by closing the race and perform the activity query under the\n'vregion->lock' mutex.\n\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\nRead of size 8 at addr ffff8881054ed808 by task kworker/0:18/181\n\nCPU: 0 PID: 181 Comm: kworker/0:18 Not tainted 6.9.0-rc2-custom-00781-gd5ab772d32f7 #2\nHardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019\nWorkqueue: mlxsw_core mlxsw_sp_acl_rule_activity_update_work\nCall Trace:\n \n dump_stack_lvl+0xc6/0x120\n print_report+0xce/0x670\n kasan_report+0xd7/0x110\n mlxsw_sp_acl_tcam_flower_rule_activity_get+0x121/0x140\n mlxsw_sp_acl_rule_activity_update_work+0x219/0x400\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n \n\nAllocated by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n __kasan_kmalloc+0x8f/0xa0\n __kmalloc+0x19c/0x360\n mlxsw_sp_acl_tcam_entry_create+0x7b/0x1f0\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x30d/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30\n\nFreed by task 1039:\n kasan_save_stack+0x33/0x60\n kasan_save_track+0x14/0x30\n kasan_save_free_info+0x3b/0x60\n poison_slab_object+0x102/0x170\n __kasan_slab_free+0x14/0x30\n kfree+0xc1/0x290\n mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3d7/0xb50\n mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300\n process_one_work+0x8eb/0x19b0\n worker_thread+0x6c9/0xf70\n kthread+0x2c9/0x3b0\n ret_from_fork+0x4d/0x80\n ret_from_fork_asm+0x1a/0x30", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35855", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35855" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/06dd21045a7e8bc8701b0ebedcd9a30a6325878b" + }, + { + "url": "https://git.kernel.org/stable/c/c0691de7df1d51482a52cac93b7fe82fd9dd296b" + }, + { + "url": "https://git.kernel.org/stable/c/589ec16174dd9378953b8232ae76fad0a96e1563" + }, + { + "url": "https://git.kernel.org/stable/c/0307cf443308ecc6be9b2ca312bb31bae5e5a7ad" + }, + { + "url": "https://git.kernel.org/stable/c/4469c0c5b14a0919f5965c7ceac96b523eb57b79" + }, + { + "url": "https://git.kernel.org/stable/c/2a2ff709511617de9c6c072eeee82bcbbdfecaf8" + }, + { + "url": "https://git.kernel.org/stable/c/0e939a002c8a7d66e60bd0ea6b281fb39d713c1a" + }, + { + "url": "https://git.kernel.org/linus/4469c0c5b14a0919f5965c7ceac96b523eb57b79(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27047" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-608", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27047" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: phy: fix phy_get_internal_delay accessing an empty array\n\nThe phy_get_internal_delay function could try to access to an empty\narray in the case that the driver is calling phy_get_internal_delay\nwithout defining delay_values and rx-internal-delay-ps or\ntx-internal-delay-ps is defined to 0 in the device-tree.\nThis will lead to \"unable to handle kernel NULL pointer dereference at\nvirtual address 0\". To avoid this kernel oops, the test should be delay\n>= 0. As there is already delay < 0 test just before, the test could\nonly be size == 0.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27047", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27047" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7d5a7dd5a35876f0ecc286f3602a88887a788217" + }, + { + "url": "https://git.kernel.org/stable/c/beaf0e7996b79e06ccc2bdcb4442fbaeccc31200" + }, + { + "url": "https://git.kernel.org/stable/c/b4fdb3c197e35f655b2d9b6759ce29440eacdfda" + }, + { + "url": "https://git.kernel.org/stable/c/2e22c9cb618716b8e557fe17c3d4958171288082" + }, + { + "url": "https://git.kernel.org/linus/7d5a7dd5a35876f0ecc286f3602a88887a788217(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35909" + } + ], + "bom-ref": "vuln-609", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35909" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: Split 64bit accesses to fix alignment issues\n\nSome of the registers are aligned on a 32bit boundary, causing\nalignment faults on 64bit platforms.\n\n Unable to handle kernel paging request at virtual address ffffffc084a1d004\n Mem abort info:\n ESR = 0x0000000096000061\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x21: alignment fault\n Data abort info:\n ISV = 0, ISS = 0x00000061, ISS2 = 0x00000000\n CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000046ad6000\n [ffffffc084a1d004] pgd=100000013ffff003, p4d=100000013ffff003, pud=100000013ffff003, pmd=0068000020a00711\n Internal error: Oops: 0000000096000061 [#1] SMP\n Modules linked in: mtk_t7xx(+) qcserial pppoe ppp_async option nft_fib_inet nf_flow_table_inet mt7921u(O) mt7921s(O) mt7921e(O) mt7921_common(O) iwlmvm(O) iwldvm(O) usb_wwan rndis_host qmi_wwan pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt7996e(O) mt792x_usb(O) mt792x_lib(O) mt7915e(O) mt76_usb(O) mt76_sdio(O) mt76_connac_lib(O) mt76(O) mac80211(O) iwlwifi(O) huawei_cdc_ncm cfg80211(O) cdc_ncm cdc_ether wwan usbserial usbnet slhc sfp rtc_pcf8563 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mt6577_auxadc mdio_i2c libcrc32c compat(O) cdc_wdm cdc_acm at24 crypto_safexcel pwm_fan i2c_gpio i2c_smbus industrialio i2c_algo_bit i2c_mux_reg i2c_mux_pca954x i2c_mux_pca9541 i2c_mux_gpio i2c_mux dummy oid_registry tun sha512_arm64 sha1_ce sha1_generic seqiv\n md5 geniv des_generic libdes cbc authencesn authenc leds_gpio xhci_plat_hcd xhci_pci xhci_mtk_hcd xhci_hcd nvme nvme_core gpio_button_hotplug(O) dm_mirror dm_region_hash dm_log dm_crypt dm_mod dax usbcore usb_common ptp aquantia pps_core mii tpm encrypted_keys trusted\n CPU: 3 PID: 5266 Comm: kworker/u9:1 Tainted: G O 6.6.22 #0\n Hardware name: Bananapi BPI-R4 (DT)\n Workqueue: md_hk_wq t7xx_fsm_uninit [mtk_t7xx]\n pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx]\n lr : t7xx_cldma_start+0xac/0x13c [mtk_t7xx]\n sp : ffffffc085d63d30\n x29: ffffffc085d63d30 x28: 0000000000000000 x27: 0000000000000000\n x26: 0000000000000000 x25: ffffff80c804f2c0 x24: ffffff80ca196c05\n x23: 0000000000000000 x22: ffffff80c814b9b8 x21: ffffff80c814b128\n x20: 0000000000000001 x19: ffffff80c814b080 x18: 0000000000000014\n x17: 0000000055c9806b x16: 000000007c5296d0 x15: 000000000f6bca68\n x14: 00000000dbdbdce4 x13: 000000001aeaf72a x12: 0000000000000001\n x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n x8 : ffffff80ca1ef6b4 x7 : ffffff80c814b818 x6 : 0000000000000018\n x5 : 0000000000000870 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : 000000010a947000 x1 : ffffffc084a1d004 x0 : ffffffc084a1d004\n Call trace:\n t7xx_cldma_hw_set_start_addr+0x1c/0x3c [mtk_t7xx]\n t7xx_fsm_uninit+0x578/0x5ec [mtk_t7xx]\n process_one_work+0x154/0x2a0\n worker_thread+0x2ac/0x488\n kthread+0xe0/0xec\n ret_from_fork+0x10/0x20\n Code: f9400800 91001000 8b214001 d50332bf (f9000022)\n ---[ end trace 0000000000000000 ]---\n\nThe inclusion of io-64-nonatomic-lo-hi.h indicates that all 64bit\naccesses can be replaced by pairs of nonatomic 32bit access. Fix\nalignment by forcing all accesses to be 32bit on 64bit platforms.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35909", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35909" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5266caaf5660529e3da53004b8b7174cab6374ed" + }, + { + "url": "https://git.kernel.org/stable/c/6d8b01624a2540336a32be91f25187a433af53a0" + }, + { + "url": "https://git.kernel.org/stable/c/ecd7744a1446eb02ccc63e493e2eb6ede4ef1e10" + }, + { + "url": "https://git.kernel.org/stable/c/9525b38180e2753f0daa1a522b7767a2aa969676" + }, + { + "url": "https://git.kernel.org/stable/c/89e0e66682e1538aeeaa3109503473663cd24c8b" + }, + { + "url": "https://git.kernel.org/stable/c/f1bc0d8163f8ee84a8d5affdf624cfad657df1d2" + }, + { + "url": "https://git.kernel.org/stable/c/7610ba1319253225a9ba8a9d28d472fc883b4e2f" + }, + { + "url": "https://git.kernel.org/stable/c/1d9c777d3e70bdc57dddf7a14a80059d65919e56" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://git.kernel.org/linus/5266caaf5660529e3da53004b8b7174cab6374ed(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26671" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-610", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26671" + } + } + ], + "created": "2024-04-02T07:15:43Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblk-mq: fix IO hang from sbitmap wakeup race\n\nIn blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered\nwith the following blk_mq_get_driver_tag() in case of getting driver\ntag failure.\n\nThen in __sbitmap_queue_wake_up(), waitqueue_active() may not observe\nthe added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime\nblk_mq_mark_tag_wait() can't get driver tag successfully.\n\nThis issue can be reproduced by running the following test in loop, and\nfio hang can be observed in < 30min when running it on my test VM\nin laptop.\n\n\tmodprobe -r scsi_debug\n\tmodprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4\n\tdev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`\n\tfio --filename=/dev/\"$dev\" --direct=1 --rw=randrw --bs=4k --iodepth=1 \\\n \t\t--runtime=100 --numjobs=40 --time_based --name=test \\\n \t--ioengine=libaio\n\nFix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which\nis just fine in case of running out of tag.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26671", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26671" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVVYSTEVMPYGF6GDSOD44MUXZXAZHOHB/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSXNF4RLEFLH35BFUQGYXRRVHHUIVBAE/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-22099" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-611", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22099" + } + } + ], + "created": "2024-01-25T07:15:08Z", + "description": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-22099", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-13T03:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/334b56cea5d9df5989be6cf1a5898114fa70ad98" + }, + { + "url": "https://git.kernel.org/stable/c/d37a08f840485995e3fb91dad95e441b9d28a269" + }, + { + "url": "https://git.kernel.org/linus/334b56cea5d9df5989be6cf1a5898114fa70ad98(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26948" + } + ], + "bom-ref": "vuln-612", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26948" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add a dc_state NULL check in dc_state_release\n\n[How]\nCheck wheather state is NULL before releasing it.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26948", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26948" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4a22aeac24d0d5f26ba741408e8b5a4be6dc5dc0" + }, + { + "url": "https://git.kernel.org/stable/c/165376f6b23e9a779850e750fb2eb06622e5a531" + }, + { + "url": "https://git.kernel.org/stable/c/0ad011776c057ce881b7fd6d8c79ecd459c087e9" + }, + { + "url": "https://git.kernel.org/linus/165376f6b23e9a779850e750fb2eb06622e5a531(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35790" + } + ], + "bom-ref": "vuln-613", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35790" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group\n\nThe DisplayPort driver's sysfs nodes may be present to the userspace before\ntypec_altmode_set_drvdata() completes in dp_altmode_probe. This means that\na sysfs read can trigger a NULL pointer error by deferencing dp->hpd in\nhpd_show or dp->lock in pin_assignment_show, as dev_get_drvdata() returns\nNULL in those cases.\n\nRemove manual sysfs node creation in favor of adding attribute group as\ndefault for devices bound to the driver. The ATTRIBUTE_GROUPS() macro is\nnot used here otherwise the path to the sysfs nodes is no longer compliant\nwith the ABI.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35790", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35790" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/af280e137e273935f2e09f4d73169998298792ed" + }, + { + "url": "https://git.kernel.org/stable/c/7626913652cc786c238e2dd7d8740b17d41b2637" + }, + { + "url": "https://git.kernel.org/stable/c/b5d40f02e7222da032c2042aebcf2a07de9b342f" + }, + { + "url": "https://git.kernel.org/stable/c/6d21d0356aa44157a62e39c0d1a13d4c69a8d0c8" + }, + { + "url": "https://git.kernel.org/stable/c/5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6" + }, + { + "url": "https://git.kernel.org/stable/c/f3749345a9b7295dd071d0ed589634cb46364f77" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26977" + }, + { + "url": "https://git.kernel.org/linus/7626913652cc786c238e2dd7d8740b17d41b2637(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-614", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26977" + } + } + ], + "created": "2024-05-01T06:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npci_iounmap(): Fix MMIO mapping leak\n\nThe #ifdef ARCH_HAS_GENERIC_IOPORT_MAP accidentally also guards iounmap(),\nwhich means MMIO mappings are leaked.\n\nMove the guard so we call iounmap() for MMIO mappings.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26977", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26977" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cf656fc7276e5b3709a81bc9d9639459be2b2647" + }, + { + "url": "https://git.kernel.org/stable/c/6aa5ede6665122f4c8abce3c6eba06b49e54d25c" + }, + { + "url": "https://git.kernel.org/stable/c/3bb9b1f958c3d986ed90a3ff009f1e77e9553207" + }, + { + "url": "https://git.kernel.org/linus/3bb9b1f958c3d986ed90a3ff009f1e77e9553207(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26647" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-615", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26647" + } + } + ], + "created": "2024-03-26T18:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()'\n\nIn link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'\nwas dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'\nNULL pointer check.\n\nFixes the below:\ndrivers/gpu/drm/amd/amdgpu/../display/dc/link/link_dpms.c:905 link_set_dsc_pps_packet() warn: variable dereferenced before check 'dsc' (see line 903)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26647", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26647" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-27T12:29:41Z" + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/lkml/CALGdzuo6awWdau3X=8XK547x2vX_-VoFmH1aPsqosRTQ5WzJVA@mail.gmail.com/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + }, + { + "url": "https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu@suse.com/" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23850" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6725-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6724-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + } + ], + "bom-ref": "vuln-616", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23850" + } + } + ], + "created": "2024-01-23T09:15:36Z", + "description": "In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-23850", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23850" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-28T03:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8f3d0bf1d0c62b539d54c5b9108a845cff619b99" + }, + { + "url": "https://git.kernel.org/stable/c/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a" + }, + { + "url": "https://git.kernel.org/stable/c/21ff9d7d223c5c19cb4334009e4c0c83a2f4d674" + }, + { + "url": "https://git.kernel.org/stable/c/2c27a64a2bc47d9bfc7c3cf8be14be53b1ee7cb6" + }, + { + "url": "https://git.kernel.org/stable/c/5c20b242d4fed73a93591e48bfd9772e2322fb11" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26936" + }, + { + "url": "https://git.kernel.org/linus/17cf0c2794bdb6f39671265aa18aea5c22ee8c4a(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-617", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26936" + } + } + ], + "created": "2024-05-01T06:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate request buffer size in smb2_allocate_rsp_buf()\n\nThe response buffer should be allocated in smb2_allocate_rsp_buf\nbefore validating request. But the fields in payload as well as smb2 header\nis used in smb2_allocate_rsp_buf(). This patch add simple buffer size\nvalidation to avoid potencial out-of-bounds in request buffer.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26936", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26936" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706" + }, + { + "url": "https://git.kernel.org/stable/c/9c2b4b657739ecda38e3b383354a29566955ac48" + }, + { + "url": "https://git.kernel.org/stable/c/43fad1d0284de30159661d0badfc3cbaf7e6f8f8" + }, + { + "url": "https://git.kernel.org/stable/c/201e4aaf405dfd1308da54448654053004c579b5" + }, + { + "url": "https://git.kernel.org/stable/c/6564b014af92b677c1f07c44d7f5b595d589cf6e" + }, + { + "url": "https://git.kernel.org/linus/65291dcfcf8936e1b23cfd7718fdfde7cfaf7706(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35872" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-618", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35872" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/secretmem: fix GUP-fast succeeding on secretmem folios\n\nfolio_is_secretmem() currently relies on secretmem folios being LRU\nfolios, to save some cycles.\n\nHowever, folios might reside in a folio batch without the LRU flag set, or\ntemporarily have their LRU flag cleared. Consequently, the LRU flag is\nunreliable for this purpose.\n\nIn particular, this is the case when secretmem_fault() allocates a fresh\npage and calls filemap_add_folio()->folio_add_lru(). The folio might be\nadded to the per-cpu folio batch and won't get the LRU flag set until the\nbatch was drained using e.g., lru_add_drain().\n\nConsequently, folio_is_secretmem() might not detect secretmem folios and\nGUP-fast can succeed in grabbing a secretmem folio, crashing the kernel\nwhen we would later try reading/writing to the folio, because the folio\nhas been unmapped from the directmap.\n\nFix it by removing that unreliable check.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35872", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35872" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e9a0d3f376eb356d54ffce36e7cc37514cbfbd6f" + }, + { + "url": "https://git.kernel.org/stable/c/fe40ffbca19dc70d7c6b1e3c77b9ccb404c57351" + }, + { + "url": "https://git.kernel.org/stable/c/e4988d8415bd0294d6f9f4a1e7095f8b50a97ca9" + }, + { + "url": "https://git.kernel.org/stable/c/72c1efe3f247a581667b7d368fff3bd9a03cd57a" + }, + { + "url": "https://git.kernel.org/stable/c/c0c2176d1814b92ea4c8e7eb7c9cd94cd99c1b12" + }, + { + "url": "https://git.kernel.org/stable/c/7cdc1be24cc1bcd56a3e89ac4aef20e31ad09199" + }, + { + "url": "https://git.kernel.org/stable/c/8e07c16695583a66e81f67ce4c46e94dece47ba7" + }, + { + "url": "https://git.kernel.org/stable/c/16603605b667b70da974bea8216c93e7db043bf1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26642" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-619", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26642" + } + } + ], + "created": "2024-03-21T11:15:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: disallow anonymous set with timeout flag\n\nAnonymous sets are never used with timeout from userspace, reject this.\nException to this rule is NFT_SET_EVAL to ensure legacy meters still work.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26642", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26642" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cb1cd176e0b431644653a7fa8691a1aaf7be98da" + }, + { + "url": "https://git.kernel.org/stable/c/21162ad2de7446438cbd6224b3794a375bcb24df" + }, + { + "url": "https://git.kernel.org/stable/c/5245a6da27ef79f8dba98dad5542ebe56d311837" + }, + { + "url": "https://git.kernel.org/stable/c/e21e1c45e1fe2e31732f40256b49c04e76a17cee" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35923" + }, + { + "url": "https://git.kernel.org/linus/e21e1c45e1fe2e31732f40256b49c04e76a17cee(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-620", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35923" + } + } + ], + "created": "2024-05-19T11:15:48Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: clear opcode specific data for an early failure\n\nIf failure happens before the opcode prep handler is called, ensure that\nwe clear the opcode specific area of the request, which holds data\nspecific to that request type. This prevents errors where opcode\nhandlers either don't get to clear per-request private data since prep\nisn't even called.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35923", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35923" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/50e60de381c342008c0956fd762e1c26408f372c" + }, + { + "url": "https://git.kernel.org/stable/c/ad6759e233db6fcc131055f8e23b4eafbe81053c" + }, + { + "url": "https://git.kernel.org/stable/c/772f18ded0e240cc1fa2b7020cc640e3e5c32b70" + }, + { + "url": "https://git.kernel.org/stable/c/dc29dd00705a62c77de75b6d752259b869aac49d" + }, + { + "url": "https://git.kernel.org/stable/c/29d2550d79a8cbd31e0fbaa5c0e2a2efdc444e44" + }, + { + "url": "https://git.kernel.org/stable/c/4fedae8f9eafa2ac8cdaca58e315f52a7e2a8701" + }, + { + "url": "https://git.kernel.org/stable/c/94cb17e5cf3a3c484063abc0ce4b8a2b2e8c1cb2" + }, + { + "url": "https://git.kernel.org/stable/c/766c2627acb2d9d1722cce2e24837044d52d888a" + }, + { + "url": "https://git.kernel.org/linus/50e60de381c342008c0956fd762e1c26408f372c(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27030" + } + ], + "bom-ref": "vuln-621", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27030" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nocteontx2-af: Use separate handlers for interrupts\n\nFor PF to AF interrupt vector and VF to AF vector same\ninterrupt handler is registered which is causing race condition.\nWhen two interrupts are raised to two CPUs at same time\nthen two cores serve same event corrupting the data.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27030", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27030" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6678a1e7d896c00030b31491690e8ddc9a90767a" + }, + { + "url": "https://git.kernel.org/stable/c/0b812f706fd7090be74812101114a0e165b36744" + }, + { + "url": "https://git.kernel.org/stable/c/0a7591e14a8da794d0b93b5d1c6254ccb23adacb" + }, + { + "url": "https://git.kernel.org/stable/c/8e3f03f4ef7c36091f46e7349096efb5a2cdb3a1" + }, + { + "url": "https://git.kernel.org/stable/c/190794848e2b9d15de92d502b6ac652806904f5a" + }, + { + "url": "https://git.kernel.org/stable/c/202c503935042272e2f9e1bb549d5f69a8681169" + }, + { + "url": "https://git.kernel.org/stable/c/0f7352557a35ab7888bc7831411ec8a3cbe20d78" + }, + { + "url": "https://git.kernel.org/stable/c/8c36205123dc57349b59b4f1a2301eb278cbc731" + }, + { + "url": "https://git.kernel.org/stable/c/bacb8c3ab86dcd760c15903fcee58169bc3026aa" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35811" + }, + { + "url": "https://git.kernel.org/linus/0f7352557a35ab7888bc7831411ec8a3cbe20d78(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-622", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35811" + } + } + ], + "created": "2024-05-17T14:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach\n\nThis is the candidate patch of CVE-2023-47233 :\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-47233\n\nIn brcm80211 driver,it starts with the following invoking chain\nto start init a timeout worker:\n\n->brcmf_usb_probe\n ->brcmf_usb_probe_cb\n ->brcmf_attach\n ->brcmf_bus_started\n ->brcmf_cfg80211_attach\n ->wl_init_priv\n ->brcmf_init_escan\n ->INIT_WORK(&cfg->escan_timeout_work,\n\t\t brcmf_cfg80211_escan_timeout_worker);\n\nIf we disconnect the USB by hotplug, it will call\nbrcmf_usb_disconnect to make cleanup. The invoking chain is :\n\nbrcmf_usb_disconnect\n ->brcmf_usb_disconnect_cb\n ->brcmf_detach\n ->brcmf_cfg80211_detach\n ->kfree(cfg);\n\nWhile the timeout woker may still be running. This will cause\na use-after-free bug on cfg in brcmf_cfg80211_escan_timeout_worker.\n\nFix it by deleting the timer and canceling the worker in\nbrcmf_cfg80211_detach.\n\n[arend.vanspriel@broadcom.com: keep timer delete as is and cancel work just before free]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35811", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35811" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d68dc711d84fdcf698e5d45308c3ddeede586350" + }, + { + "url": "https://git.kernel.org/stable/c/23b7ee4a8d559bf38eac7ce5bb2f6ebf76f9c401" + }, + { + "url": "https://git.kernel.org/stable/c/3e2979bf080c40da4f7c93aff8575ab8bc62b767" + }, + { + "url": "https://git.kernel.org/stable/c/599c9ad5e1d43f5c12d869f5fd406ba5d8c55270" + }, + { + "url": "https://git.kernel.org/stable/c/c58e88d49097bd12dfcfef4f075b43f5d5830941" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35857" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/c58e88d49097bd12dfcfef4f075b43f5d5830941(6.9-rc6)" + } + ], + "bom-ref": "vuln-623", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35857" + } + } + ], + "created": "2024-05-17T15:15:23Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nicmp: prevent possible NULL dereferences from icmp_build_probe()\n\nFirst problem is a double call to __in_dev_get_rcu(), because\nthe second one could return NULL.\n\nif (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list)\n\nSecond problem is a read from dev->ip6_ptr with no NULL check:\n\nif (!list_empty(&rcu_dereference(dev->ip6_ptr)->addr_list))\n\nUse the correct RCU API to fix these.\n\nv2: add missing include ", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35857" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/4bac28f441e3cc9d3f1a84c8d023228a68d8a7c1" + }, + { + "url": "https://git.kernel.org/stable/c/e6450d5e46a737a008b4885aa223486113bf0ad6" + }, + { + "url": "https://git.kernel.org/stable/c/772a7def9868091da3bcb0d6c6ff9f0c03d7fa8b" + }, + { + "url": "https://git.kernel.org/stable/c/c1362eae861db28b1608b9dc23e49634fe87b63b" + }, + { + "url": "https://git.kernel.org/stable/c/cde76b3af247f615447bcfecf610bb76c3529126" + }, + { + "url": "https://git.kernel.org/stable/c/bf9ec1b24ab4e94345aa1c60811dd329f069c38b" + }, + { + "url": "https://git.kernel.org/stable/c/423b6bdf19bbc5e1f7e7461045099917378f7e71" + }, + { + "url": "https://git.kernel.org/stable/c/cba138f1ef37ec6f961baeab62f312dedc7cf730" + }, + { + "url": "https://git.kernel.org/stable/c/3948abaa4e2be938ccdfc289385a27342fb13d43" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26901" + }, + { + "url": "https://git.kernel.org/linus/3948abaa4e2be938ccdfc289385a27342fb13d43(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-624", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26901" + } + } + ], + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndo_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak\n\nsyzbot identified a kernel information leak vulnerability in\ndo_sys_name_to_handle() and issued the following report [1].\n\n[1]\n\"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\nBUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x100 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n do_sys_name_to_handle fs/fhandle.c:73 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nUninit was created at:\n slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768\n slab_alloc_node mm/slub.c:3478 [inline]\n __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517\n __do_kmalloc_node mm/slab_common.c:1006 [inline]\n __kmalloc+0x121/0x3c0 mm/slab_common.c:1020\n kmalloc include/linux/slab.h:604 [inline]\n do_sys_name_to_handle fs/fhandle.c:39 [inline]\n __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]\n __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94\n __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94\n ...\n\nBytes 18-19 of 20 are uninitialized\nMemory access of size 20 starts at ffff888128a46380\nData copied to user address 0000000020000240\"\n\nPer Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to\nsolve the problem.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26901", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26901" + }, + "cwes": [ + 908 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:38:34Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2d623c94fbba3554f4446ba6f3c764994e8b0d26" + }, + { + "url": "https://git.kernel.org/stable/c/673629018ba04906899dcb631beec34d871f709c" + }, + { + "url": "https://git.kernel.org/stable/c/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86" + }, + { + "url": "https://git.kernel.org/stable/c/19a77b27163820f793b4d022979ffdca8f659b77" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26775" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/e169bd4fb2b36c4b2bee63c35c740c85daeb2e86(6.8-rc2)" + } + ], + "bom-ref": "vuln-625", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26775" + } + } + ], + "created": "2024-04-03T17:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\naoe: avoid potential deadlock at set_capacity\n\nMove set_capacity() outside of the section procected by (&d->lock).\nTo avoid possible interrupt unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n[1] lock(&bdev->bd_size_lock);\n local_irq_disable();\n [2] lock(&d->lock);\n [3] lock(&bdev->bd_size_lock);\n \n[4] lock(&d->lock);\n\n *** DEADLOCK ***\n\nWhere [1](&bdev->bd_size_lock) hold by zram_add()->set_capacity().\n[2]lock(&d->lock) hold by aoeblk_gdalloc(). And aoeblk_gdalloc()\nis trying to acquire [3](&bdev->bd_size_lock) at set_capacity() call.\nIn this situation an attempt to acquire [4]lock(&d->lock) from\naoecmd_cfg_rsp() will lead to deadlock.\n\nSo the simplest solution is breaking lock dependency\n[2](&d->lock) -> [3](&bdev->bd_size_lock) by moving set_capacity()\noutside.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26775", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26775" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24857" + }, + { + "url": "https://lore.kernel.org/all/20231222162310.6461-1-2045gemini@gmail.com/" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-626", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24857" + } + }, + { + "severity": "medium", + "score": 6.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + } + } + ], + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's net/bluetooth device driver in conn_info_{min,max}_age_set() function. This can result in integrity overflow issue, possibly leading to bluetooth connection abnormality or denial of service.\n\n\n\n\n", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-24857", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24857" + }, + "cwes": [ + 190, + 362 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-10T04:06:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/7c1250796b6c262b505a46192f4716b8c6a6a8c6" + }, + { + "url": "https://git.kernel.org/stable/c/c8b7b2f158d9d4fb89cd2f68244af154f7549bb4" + }, + { + "url": "https://git.kernel.org/stable/c/4143b9479caa29bb2380f3620dcbe16ea84eb3b1" + }, + { + "url": "https://git.kernel.org/stable/c/037965402a010898d34f4e35327d22c0a95cd51f" + }, + { + "url": "https://git.kernel.org/stable/c/27aa3e4b3088426b7e34584274ad45b5afaf7629" + }, + { + "url": "https://git.kernel.org/linus/037965402a010898d34f4e35327d22c0a95cd51f(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27393" + } + ], + "bom-ref": "vuln-627", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27393" + } + } + ], + "created": "2024-05-14T15:12:26Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxen-netfront: Add missing skb_mark_for_recycle\n\nNotice that skb_mark_for_recycle() is introduced later than fixes tag in\ncommit 6a5bcd84e886 (\"page_pool: Allow drivers to hint on SKB recycling\").\n\nIt is believed that fixes tag were missing a call to page_pool_release_page()\nbetween v5.9 to v5.14, after which is should have used skb_mark_for_recycle().\nSince v6.6 the call page_pool_release_page() were removed (in\ncommit 535b9c61bdef (\"net: page_pool: hide page_pool_release_page()\")\nand remaining callers converted (in commit 6bfef2ec0172 (\"Merge branch\n'net-page_pool-remove-page_pool_release_page'\")).\n\nThis leak became visible in v6.8 via commit dba1b8a7ab68 (\"mm/page_pool: catch\npage_pool memory leaks\").", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27393", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27393" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2f91a96b892fab2f2543b4a55740c5bee36b1a6b" + }, + { + "url": "https://git.kernel.org/stable/c/20a4b5214f7bee13c897477168c77bbf79683c3d" + }, + { + "url": "https://git.kernel.org/stable/c/73a6bd68a1342f3a44cac9dffad81ad6a003e520" + }, + { + "url": "https://git.kernel.org/stable/c/00d6a284fcf3fad1b7e1b5bc3cd87cbfb60ce03f" + }, + { + "url": "https://git.kernel.org/stable/c/a2c881413dcc5d801bdc9535e51270cc88cb9cd8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26798" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-628", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26798" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do_set_font()\n\nCommit a5a923038d70 (fbdev: fbcon: Properly revert changes when\nvc_resize() failed) started restoring old font data upon failure (of\nvc_resize()). But it performs so only for user fonts. It means that the\n\"system\"/internal fonts are not restored at all. So in result, the very\nfirst call to fbcon_do_set_font() performs no restore at all upon\nfailing vc_resize().\n\nThis can be reproduced by Syzkaller to crash the system on the next\ninvocation of font_get(). It's rather hard to hit the allocation failure\nin vc_resize() on the first font_set(), but not impossible. Esp. if\nfault injection is used to aid the execution/failure. It was\ndemonstrated by Sirius:\n BUG: unable to handle page fault for address: fffffffffffffff8\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD cb7b067 P4D cb7b067 PUD cb7d067 PMD 0\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 1 PID: 8007 Comm: poc Not tainted 6.7.0-g9d1694dc91ce #20\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:fbcon_get_font+0x229/0x800 drivers/video/fbdev/core/fbcon.c:2286\n Call Trace:\n \n con_font_get drivers/tty/vt/vt.c:4558 [inline]\n con_font_op+0x1fc/0xf20 drivers/tty/vt/vt.c:4673\n vt_k_ioctl drivers/tty/vt/vt_ioctl.c:474 [inline]\n vt_ioctl+0x632/0x2ec0 drivers/tty/vt/vt_ioctl.c:752\n tty_ioctl+0x6f8/0x1570 drivers/tty/tty_io.c:2803\n vfs_ioctl fs/ioctl.c:51 [inline]\n ...\n\nSo restore the font data in any case, not only for user fonts. Note the\nlater 'if' is now protected by 'old_userfont' and not 'old_data' as the\nlatter is always set now. (And it is supposed to be non-NULL. Otherwise\nwe would see the bug above again.)", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26798", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26798" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/adf0398cee86643b8eacde95f17d073d022f782c" + }, + { + "url": "https://git.kernel.org/stable/c/e97e16433eb4533083b096a3824b93a5ca3aee79" + }, + { + "url": "https://git.kernel.org/stable/c/e137e2ba96e51902dc2878131823a96bf8e638ae" + }, + { + "url": "https://git.kernel.org/stable/c/eb86f955488c39526534211f2610e48a5cf8ead4" + }, + { + "url": "https://git.kernel.org/stable/c/955b5b6c54d95b5e7444dfc81c95c8e013f27ac0" + }, + { + "url": "https://git.kernel.org/stable/c/8960ff650aec70485b40771cd8e6e8c4cb467d33" + }, + { + "url": "https://git.kernel.org/stable/c/06acb75e7ed600d0bbf7bff5628aa8f24a97978c" + }, + { + "url": "https://git.kernel.org/stable/c/6466ee65e5b27161c846c73ef407f49dfa1bd1d9" + }, + { + "url": "https://git.kernel.org/linus/adf0398cee86643b8eacde95f17d073d022f782c(6.9)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27399" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-629", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27399" + } + } + ], + "created": "2024-05-14T15:12:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout\n\nThere is a race condition between l2cap_chan_timeout() and\nl2cap_chan_del(). When we use l2cap_chan_del() to delete the\nchannel, the chan->conn will be set to null. But the conn could\nbe dereferenced again in the mutex_lock() of l2cap_chan_timeout().\nAs a result the null pointer dereference bug will happen. The\nKASAN report triggered by POC is shown below:\n\n[ 472.074580] ==================================================================\n[ 472.075284] BUG: KASAN: null-ptr-deref in mutex_lock+0x68/0xc0\n[ 472.075308] Write of size 8 at addr 0000000000000158 by task kworker/0:0/7\n[ 472.075308]\n[ 472.075308] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.075308] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.075308] Workqueue: events l2cap_chan_timeout\n[ 472.075308] Call Trace:\n[ 472.075308] \n[ 472.075308] dump_stack_lvl+0x137/0x1a0\n[ 472.075308] print_report+0x101/0x250\n[ 472.075308] ? __virt_addr_valid+0x77/0x160\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_report+0x139/0x170\n[ 472.075308] ? mutex_lock+0x68/0xc0\n[ 472.075308] kasan_check_range+0x2c3/0x2e0\n[ 472.075308] mutex_lock+0x68/0xc0\n[ 472.075308] l2cap_chan_timeout+0x181/0x300\n[ 472.075308] process_one_work+0x5d2/0xe00\n[ 472.075308] worker_thread+0xe1d/0x1660\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] kthread+0x2b7/0x350\n[ 472.075308] ? pr_cont_work+0x5e0/0x5e0\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork+0x4d/0x80\n[ 472.075308] ? kthread_blkcg+0xd0/0xd0\n[ 472.075308] ret_from_fork_asm+0x11/0x20\n[ 472.075308] \n[ 472.075308] ==================================================================\n[ 472.094860] Disabling lock debugging due to kernel taint\n[ 472.096136] BUG: kernel NULL pointer dereference, address: 0000000000000158\n[ 472.096136] #PF: supervisor write access in kernel mode\n[ 472.096136] #PF: error_code(0x0002) - not-present page\n[ 472.096136] PGD 0 P4D 0\n[ 472.096136] Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI\n[ 472.096136] CPU: 0 PID: 7 Comm: kworker/0:0 Tainted: G B 6.9.0-rc5-00356-g78c0094a146b #36\n[ 472.096136] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu4\n[ 472.096136] Workqueue: events l2cap_chan_timeout\n[ 472.096136] RIP: 0010:mutex_lock+0x88/0xc0\n[ 472.096136] Code: be 08 00 00 00 e8 f8 23 1f fd 4c 89 f7 be 08 00 00 00 e8 eb 23 1f fd 42 80 3c 23 00 74 08 48 88\n[ 472.096136] RSP: 0018:ffff88800744fc78 EFLAGS: 00000246\n[ 472.096136] RAX: 0000000000000000 RBX: 1ffff11000e89f8f RCX: ffffffff8457c865\n[ 472.096136] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88800744fc78\n[ 472.096136] RBP: 0000000000000158 R08: ffff88800744fc7f R09: 1ffff11000e89f8f\n[ 472.096136] R10: dffffc0000000000 R11: ffffed1000e89f90 R12: dffffc0000000000\n[ 472.096136] R13: 0000000000000158 R14: ffff88800744fc78 R15: ffff888007405a00\n[ 472.096136] FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000\n[ 472.096136] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 472.096136] CR2: 0000000000000158 CR3: 000000000da32000 CR4: 00000000000006f0\n[ 472.096136] Call Trace:\n[ 472.096136] \n[ 472.096136] ? __die_body+0x8d/0xe0\n[ 472.096136] ? page_fault_oops+0x6b8/0x9a0\n[ 472.096136] ? kernelmode_fixup_or_oops+0x20c/0x2a0\n[ 472.096136] ? do_user_addr_fault+0x1027/0x1340\n[ 472.096136] ? _printk+0x7a/0xa0\n[ 472.096136] ? mutex_lock+0x68/0xc0\n[ 472.096136] ? add_taint+0x42/0xd0\n[ 472.096136] ? exc_page_fault+0x6a/0x1b0\n[ 472.096136] ? asm_exc_page_fault+0x26/0x30\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] ? mutex_lock+0x88/0xc0\n[ 472.096136] ? mutex_lock+0x75/0xc0\n[ 472.096136] l2cap_chan_timeo\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27399", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27399" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T11:15:08Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2910" + } + ], + "bom-ref": "vuln-630", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" + } + } + ], + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", + "affects": [ + { + "ref": "comp-197" + } + ], + "id": "CVE-2024-28182", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/security/cve/CVE-2023-3428" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218369" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-3428" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-249.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6200-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1781.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2123.html" + } + ], + "bom-ref": "vuln-631", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-3428" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428" + } + } + ], + "created": "2023-10-04T19:15:10Z", + "description": "A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.", + "affects": [ + { + "ref": "comp-215" + } + ], + "id": "CVE-2023-3428", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428" + }, + "cwes": [ + 787, + 122 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2023-11-07T04:18:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", + "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/262da920896e2f2ab0e3947d9dbee0aa09045818" + }, + { + "url": "https://git.kernel.org/stable/c/ff2f90f88d78559802466ad1c84ac5bda4416b3a" + }, + { + "url": "https://git.kernel.org/stable/c/6851778504cdb49431809b4ba061903d5f592c96" + }, + { + "url": "https://git.kernel.org/stable/c/149afee5c7418ec5db9d7387b9c9a5c1eb7ea2a8" + }, + { + "url": "https://git.kernel.org/stable/c/de105068fead55ed5c07ade75e9c8e7f86a00d1d" + }, + { + "url": "https://git.kernel.org/linus/de105068fead55ed5c07ade75e9c8e7f86a00d1d(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27435" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-632", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27435" + } + } + ], + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix reconnection fail due to reserved tag allocation\n\nWe found a issue on production environment while using NVMe over RDMA,\nadmin_q reconnect failed forever while remote target and network is ok.\nAfter dig into it, we found it may caused by a ABBA deadlock due to tag\nallocation. In my case, the tag was hold by a keep alive request\nwaiting inside admin_q, as we quiesced admin_q while reset ctrl, so the\nrequest maked as idle and will not process before reset success. As\nfabric_q shares tagset with admin_q, while reconnect remote target, we\nneed a tag for connect command, but the only one reserved tag was held\nby keep alive command which waiting inside admin_q. As a result, we\nfailed to reconnect admin_q forever. In order to fix this issue, I\nthink we should keep two reserved tags for admin queue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27435", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27435" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/64c6a38136b74a2f18c42199830975edd9fbc379" + }, + { + "url": "https://git.kernel.org/stable/c/3f8445f1c746fda180a7f75372ed06b24e9cefe2" + }, + { + "url": "https://git.kernel.org/stable/c/2cc572e0085ebd4b662b74a0f43222bc00df9a00" + }, + { + "url": "https://git.kernel.org/stable/c/d575765b1b62e8bdb00af11caa1aabeb01763d9f" + }, + { + "url": "https://git.kernel.org/stable/c/95d1f1228c1bb54803ae57525b76db60e99b37e4" + }, + { + "url": "https://git.kernel.org/stable/c/e0b0d1c46a2ce1e46b79d004a7270fdef872e097" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27039" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/64c6a38136b74a2f18c42199830975edd9fbc379(6.9-rc1)" + } + ], + "bom-ref": "vuln-633", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27039" + } + } + ], + "created": "2024-05-01T13:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: hisilicon: hi3559a: Fix an erroneous devm_kfree()\n\n'p_clk' is an array allocated just before the for loop for all clk that\nneed to be registered.\nIt is incremented at each loop iteration.\n\nIf a clk_register() call fails, 'p_clk' may point to something different\nfrom what should be freed.\n\nThe best we can do, is to avoid this wrong release of memory.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27039" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://security-tracker.debian.org/tracker/CVE-2021-3864" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2015046" + }, + { + "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com/" + }, + { + "url": "https://lore.kernel.org/all/20211226150310.GA992@1wt.eu/" + }, + { + "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2021-3864" + }, + { + "url": "https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2021-3864" + }, + { + "url": "https://lore.kernel.org/all/20211221021744.864115-1-longman@redhat.com" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-634", + "ratings": [ + { + "severity": "high", + "score": 7.0, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-3864" + } + } + ], + "created": "2022-08-26T16:15:09Z", + "description": "A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2021-3864", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3864" + }, + "cwes": [ + 284 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2023-02-12T23:42:51Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-04-10T01:20:18Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cbaf9be337f7da25742acfce325119e3395b1f1b" + }, + { + "url": "https://git.kernel.org/stable/c/8fc80874103a5c20aebdc2401361aa01c817f75b" + }, + { + "url": "https://git.kernel.org/stable/c/0f1bae071de9967602807472921829a54b2e5956" + }, + { + "url": "https://git.kernel.org/stable/c/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6" + }, + { + "url": "https://git.kernel.org/linus/13f3956eb5681a4045a8dfdef48df5dc4d9f58a6(6.8-rc2)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26844" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-635", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26844" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: Fix WARNING in _copy_from_iter\n\nSyzkaller reports a warning in _copy_from_iter because an\niov_iter is supposedly used in the wrong direction. The reason\nis that syzcaller managed to generate a request with\na transfer direction of SG_DXFER_TO_FROM_DEV. This instructs\nthe kernel to copy user buffers into the kernel, read into\nthe copied buffers and then copy the data back to user space.\n\nThus the iovec is used in both directions.\n\nDetect this situation in the block layer and construct a new\niterator with the correct direction for the copy-in.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26844", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26844" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/bd508f96b5fef96d8a0ce9cbb211d82bcfc2341f" + }, + { + "url": "https://git.kernel.org/stable/c/11f3fe5001ed05721e641f0ecaa7a73b7deb245d" + }, + { + "url": "https://git.kernel.org/stable/c/425a571a7e6fc389954cf2564e1edbba3740e171" + }, + { + "url": "https://git.kernel.org/stable/c/36bc5040c863b44af06094b22f1e50059227b9cb" + }, + { + "url": "https://git.kernel.org/stable/c/e717bd412001495f17400bfc09f606f1b594ef5a" + }, + { + "url": "https://git.kernel.org/stable/c/168ed59170de1fd7274080fe102216162d6826cf" + }, + { + "url": "https://git.kernel.org/stable/c/a9849b67b4402a12eb35eadc9306c1ef9847d53d" + }, + { + "url": "https://git.kernel.org/stable/c/83ab68168a3d990d5ff39ab030ad5754cbbccb25" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26845" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/83ab68168a3d990d5ff39ab030ad5754cbbccb25(6.8-rc1)" + } + ], + "bom-ref": "vuln-636", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26845" + } + } + ], + "created": "2024-04-17T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: core: Add TMF to tmr_list handling\n\nAn abort that is responded to by iSCSI itself is added to tmr_list but does\nnot go to target core. A LUN_RESET that goes through tmr_list takes a\nrefcounter on the abort and waits for completion. However, the abort will\nbe never complete because it was not started in target core.\n\n Unable to locate ITT: 0x05000000 on CID: 0\n Unable to locate RefTaskTag: 0x05000000 on CID: 0.\n wait_for_tasks: Stopping tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n wait for tasks: tmf LUN_RESET with tag 0x0 ref_task_tag 0x0 i_state 34 t_state ISTATE_PROCESSING refcnt 2 transport_state active,stop,fabric_stop\n...\n INFO: task kworker/0:2:49 blocked for more than 491 seconds.\n task:kworker/0:2 state:D stack: 0 pid: 49 ppid: 2 flags:0x00000800\n Workqueue: events target_tmr_work [target_core_mod]\nCall Trace:\n __switch_to+0x2c4/0x470\n _schedule+0x314/0x1730\n schedule+0x64/0x130\n schedule_timeout+0x168/0x430\n wait_for_completion+0x140/0x270\n target_put_cmd_and_wait+0x64/0xb0 [target_core_mod]\n core_tmr_lun_reset+0x30/0xa0 [target_core_mod]\n target_tmr_work+0xc8/0x1b0 [target_core_mod]\n process_one_work+0x2d4/0x5d0\n worker_thread+0x78/0x6c0\n\nTo fix this, only add abort to tmr_list if it will be handled by target\ncore.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26845", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26845" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/042ef0afc40fa1a22b3608f22915b91ce39d128f" + }, + { + "url": "https://git.kernel.org/stable/c/016119154981d81c9e8f2ea3f56b9e2b4ea14500" + }, + { + "url": "https://git.kernel.org/stable/c/eb08db0fc5354fa17b7ed66dab3c503332423451" + }, + { + "url": "https://git.kernel.org/stable/c/4be9075fec0a639384ed19975634b662bfab938f" + }, + { + "url": "https://git.kernel.org/stable/c/25e3ce59c1200f1f0563e39de151f34962ab0fe1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26940" + }, + { + "url": "https://git.kernel.org/linus/4be9075fec0a639384ed19975634b662bfab938f(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-637", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26940" + } + } + ], + "created": "2024-05-01T06:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed\n\nThe driver creates /sys/kernel/debug/dri/0/mob_ttm even when the\ncorresponding ttm_resource_manager is not allocated.\nThis leads to a crash when trying to read from this file.\n\nAdd a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug file\nonly when the corresponding ttm_resource_manager is allocated.\n\ncrash> bt\nPID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: \"grep\"\n #0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3\n #1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a\n #2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1\n #3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1\n #4 [ffffb954506b3c70] no_context at ffffffffb2a7e913\n #5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c\n #6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887\n #7 [ffffb954506b3d40] page_fault at ffffffffb360116e\n [exception RIP: ttm_resource_manager_debug+0x11]\n RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246\n RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940\n RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000\n RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000\n R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff\n R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200\n ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018\n #8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]\n #9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3\n RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246\n RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985\n RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003\n RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30\n R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000\n R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003\n ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26940", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26940" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/328efda22af81130c2ad981c110518cb29ff2f1d" + }, + { + "url": "https://git.kernel.org/stable/c/9ab0c303ccabfd6bdce14432792d41090070008c" + }, + { + "url": "https://git.kernel.org/stable/c/4041c60a9d543b3ad50225385b072ba68e96166e" + }, + { + "url": "https://git.kernel.org/stable/c/515cc676dfbce40d93c92b1ff3c1070e917f4e52" + }, + { + "url": "https://git.kernel.org/stable/c/90ae293d1d255f622318fce6eeea2e18f9fde5c1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27391" + }, + { + "url": "https://git.kernel.org/linus/328efda22af81130c2ad981c110518cb29ff2f1d(6.9-rc1)" + } + ], + "bom-ref": "vuln-638", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27391" + } + } + ], + "created": "2024-05-01T13:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: wilc1000: do not realloc workqueue everytime an interface is added\n\nCommit 09ed8bfc5215 (\"wilc1000: Rename workqueue from \"WILC_wq\" to\n\"NETDEV-wq\"\") moved workqueue creation in wilc_netdev_ifc_init in order to\nset the interface name in the workqueue name. However, while the driver\nneeds only one workqueue, the wilc_netdev_ifc_init is called each time we\nadd an interface over a phy, which in turns overwrite the workqueue with a\nnew one. This can be observed with the following commands:\n\nfor i in $(seq 0 10)\ndo\n iw phy phy0 interface add wlan1 type managed\n iw dev wlan1 del\ndone\nps -eo pid,comm|grep wlan\n\n 39 kworker/R-wlan0\n 98 kworker/R-wlan1\n102 kworker/R-wlan1\n105 kworker/R-wlan1\n108 kworker/R-wlan1\n111 kworker/R-wlan1\n114 kworker/R-wlan1\n117 kworker/R-wlan1\n120 kworker/R-wlan1\n123 kworker/R-wlan1\n126 kworker/R-wlan1\n129 kworker/R-wlan1\n\nFix this leakage by putting back hif_workqueue allocation in\nwilc_cfg80211_init. Regarding the workqueue name, it is indeed relevant to\nset it lowercase, however it is not attached to a specific netdev, so\nenforcing netdev name in the name is not so relevant. Still, enrich the\nname with the wiphy name to make it clear which phy is using the workqueue.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27391", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27391" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T19:50:25Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8f9abaa6d7de0a70fc68acaedce290c1f96e2e59" + }, + { + "url": "https://git.kernel.org/stable/c/0580f4403ad33f379eef865c2a6fe94de37febdf" + }, + { + "url": "https://git.kernel.org/stable/c/42084a428a139f1a429f597d44621e3a18f3e414" + }, + { + "url": "https://git.kernel.org/stable/c/de4f5ed63b8a199704d8cdcbf810309d7eb4b36b" + }, + { + "url": "https://git.kernel.org/stable/c/848e1d7fd710900397e1d0e7584680c1c04e3afd" + }, + { + "url": "https://git.kernel.org/stable/c/beee482cc4c9a6b1dcffb2e190b4fd8782258678" + }, + { + "url": "https://git.kernel.org/stable/c/abd26515d4b767ba48241eea77b28ce0872aef3e" + }, + { + "url": "https://git.kernel.org/stable/c/28b8ba8eebf26f66d9f2df4ba550b6b3b136082c" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52606" + }, + { + "url": "https://git.kernel.org/linus/8f9abaa6d7de0a70fc68acaedce290c1f96e2e59(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-639", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52606" + } + } + ], + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/lib: Validate size for vector operations\n\nSome of the fp/vmx code in sstep.c assume a certain maximum size for the\ninstructions being emulated. The size of those operations however is\ndetermined separately in analyse_instr().\n\nAdd a check to validate the assumption on the maximum size of the\noperations, so as to prevent any unintended kernel stack corruption.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52606", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52606" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d78d867dcea69c328db30df665be5be7d0148484" + }, + { + "url": "https://git.kernel.org/stable/c/4ca946b19caf655a08d5e2266d4d5526025ebb73" + }, + { + "url": "https://git.kernel.org/stable/c/ad333578f736d56920e090d7db1f8dec891d815e" + }, + { + "url": "https://git.kernel.org/stable/c/379bf7257bc5f2a1b1ca8514e08a871b7bf6d920" + }, + { + "url": "https://git.kernel.org/stable/c/df7c0fb8c2b9f9cac65659332581b19682a71349" + }, + { + "url": "https://git.kernel.org/linus/d78d867dcea69c328db30df665be5be7d0148484(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27019" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-640", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27019" + } + } + ], + "created": "2024-05-01T06:15:20Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()\n\nnft_unregister_obj() can concurrent with __nft_obj_type_get(),\nand there is not any protection when iterate over nf_tables_objects\nlist in __nft_obj_type_get(). Therefore, there is potential data-race\nof nf_tables_objects list entry.\n\nUse list_for_each_entry_rcu() to iterate over nf_tables_objects\nlist in __nft_obj_type_get(), and use rcu_read_lock() in the caller\nnft_obj_type_get() to protect the entire type query process.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27019", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27019" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:12Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/752cd08da320a667a833803a8fd6bb266114cce5" + }, + { + "url": "https://git.kernel.org/stable/c/0d862db64d26c2905ba1a6a8561466b215b664c2" + }, + { + "url": "https://git.kernel.org/stable/c/b1ec3d6b86fdd057559a5908e6668279bf770e0e" + }, + { + "url": "https://git.kernel.org/linus/752cd08da320a667a833803a8fd6bb266114cce5(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26841" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-641", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26841" + } + } + ], + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: Update cpu_sibling_map when disabling nonboot CPUs\n\nUpdate cpu_sibling_map when disabling nonboot CPUs by defining & calling\nclear_cpu_sibling_map(), otherwise we get such errors on SMT systems:\n\njump label: negative count!\nWARNING: CPU: 6 PID: 45 at kernel/jump_label.c:263 __static_key_slow_dec_cpuslocked+0xec/0x100\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\npc 90000000004c302c ra 90000000004c302c tp 90000001005bc000 sp 90000001005bfd20\na0 000000000000001b a1 900000000224c278 a2 90000001005bfb58 a3 900000000224c280\na4 900000000224c278 a5 90000001005bfb50 a6 0000000000000001 a7 0000000000000001\nt0 ce87a4763eb5234a t1 ce87a4763eb5234a t2 0000000000000000 t3 0000000000000000\nt4 0000000000000006 t5 0000000000000000 t6 0000000000000064 t7 0000000000001964\nt8 000000000009ebf6 u0 9000000001f2a068 s9 0000000000000000 s0 900000000246a2d8\ns1 ffffffffffffffff s2 ffffffffffffffff s3 90000000021518c0 s4 0000000000000040\ns5 9000000002151058 s6 9000000009828e40 s7 00000000000000b4 s8 0000000000000006\n ra: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n ERA: 90000000004c302c __static_key_slow_dec_cpuslocked+0xec/0x100\n CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)\n PRMD: 00000004 (PPLV0 +PIE -PWE)\n EUEN: 00000000 (-FPE -SXE -ASXE -BTE)\n ECFG: 00071c1c (LIE=2-4,10-12 VS=7)\nESTAT: 000c0000 [BRK] (IS= ECode=12 EsubCode=0)\n PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV)\nCPU: 6 PID: 45 Comm: cpuhp/6 Not tainted 6.8.0-rc5+ #1340\nStack : 0000000000000000 900000000203f258 900000000179afc8 90000001005bc000\n 90000001005bf980 0000000000000000 90000001005bf988 9000000001fe0be0\n 900000000224c280 900000000224c278 90000001005bf8c0 0000000000000001\n 0000000000000001 ce87a4763eb5234a 0000000007f38000 90000001003f8cc0\n 0000000000000000 0000000000000006 0000000000000000 4c206e6f73676e6f\n 6f4c203a656d616e 000000000009ec99 0000000007f38000 0000000000000000\n 900000000214b000 9000000001fe0be0 0000000000000004 0000000000000000\n 0000000000000107 0000000000000009 ffffffffffafdabe 00000000000000b4\n 0000000000000006 90000000004c302c 9000000000224528 00005555939a0c7c\n 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c\n ...\nCall Trace:\n[<9000000000224528>] show_stack+0x48/0x1a0\n[<900000000179afc8>] dump_stack_lvl+0x78/0xa0\n[<9000000000263ed0>] __warn+0x90/0x1a0\n[<90000000017419b8>] report_bug+0x1b8/0x280\n[<900000000179c564>] do_bp+0x264/0x420\n[<90000000004c302c>] __static_key_slow_dec_cpuslocked+0xec/0x100\n[<90000000002b4d7c>] sched_cpu_deactivate+0x2fc/0x300\n[<9000000000266498>] cpuhp_invoke_callback+0x178/0x8a0\n[<9000000000267f70>] cpuhp_thread_fun+0xf0/0x240\n[<90000000002a117c>] smpboot_thread_fn+0x1dc/0x2e0\n[<900000000029a720>] kthread+0x140/0x160\n[<9000000000222288>] ret_from_kernel_thread+0xc/0xa4", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26841", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26841" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/55656b2afd5f1efcec4245f3e7e814c2a9ef53f6" + }, + { + "url": "https://git.kernel.org/stable/c/26fde0ea40dda1b08fad3bc0a43f122f6dd8bddf" + }, + { + "url": "https://git.kernel.org/stable/c/75bf5e78b2a27cb1bca6fa826e3ab685015165e1" + }, + { + "url": "https://git.kernel.org/stable/c/eed04fa96c48790c1cce73c8a248e9d460b088f8" + }, + { + "url": "https://git.kernel.org/stable/c/8aa5c28ac65cb5e7f1b9c0c3238c00b661dd2b8c" + }, + { + "url": "https://git.kernel.org/stable/c/257d313e37d66c3bcc87197fb5b8549129c45dfe" + }, + { + "url": "https://git.kernel.org/stable/c/9de10b59d16880a0a3ae2876c142fe54ce45d816" + }, + { + "url": "https://git.kernel.org/stable/c/8a139fa44870e84ac228b7b76423a49610e5ba9a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26997" + }, + { + "url": "https://git.kernel.org/linus/eed04fa96c48790c1cce73c8a248e9d460b088f8(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-642", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26997" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc2: host: Fix dereference issue in DDMA completion flow.\n\nFixed variable dereference issue in DDMA completion flow.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26997", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26997" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13114dc5543069f7b97991e3b79937b6da05f5b0" + }, + { + "url": "https://git.kernel.org/stable/c/f2b85a4cc763841843de693bbd7308fe9a2c4c89" + }, + { + "url": "https://git.kernel.org/stable/c/81be85353b0f5a7b660635634b655329b429eefe" + }, + { + "url": "https://git.kernel.org/stable/c/1ac9fb84bc7ecd4bc6428118301d9d864d2a58d1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26800" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-643", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26800" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix use-after-free on failed backlog decryption\n\nWhen the decrypt request goes to the backlog and crypto_aead_decrypt\nreturns -EBUSY, tls_do_decryption will wait until all async\ndecryptions have completed. If one of them fails, tls_do_decryption\nwill return -EBADMSG and tls_decrypt_sg jumps to the error path,\nreleasing all the pages. But the pages have been passed to the async\ncallback, and have already been released by tls_decrypt_done.\n\nThe only true async case is when crypto_aead_decrypt returns\n -EINPROGRESS. With -EBUSY, we already waited so we can tell\ntls_sw_recvmsg that the data is available for immediate copy, but we\nneed to notify tls_decrypt_sg (via the new ->async_done flag) that the\nmemory has already been released.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26800", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26800" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T14:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f28bba37fe244889b81bb5c508d3f6e5c6e342c5" + }, + { + "url": "https://git.kernel.org/stable/c/43f00210cb257bcb0387e8caeb4b46375d67f30c" + }, + { + "url": "https://git.kernel.org/stable/c/84bd4c2ae9c3d0a7d3a5c032ea7efff17af17e17" + }, + { + "url": "https://git.kernel.org/stable/c/ac107356aabc362aaeb77463e814fc067a5d3957" + }, + { + "url": "https://git.kernel.org/stable/c/a90bca2228c0646fc29a72689d308e5fe03e6d78" + }, + { + "url": "https://git.kernel.org/stable/c/5d43e072285e81b0b63cee7189b3357c7768a43b" + }, + { + "url": "https://git.kernel.org/stable/c/57baab0f376bec8f54b0fe6beb8f77a57c228063" + }, + { + "url": "https://git.kernel.org/stable/c/a4c99b57d43bab45225ba92d574a8683f9edc8e4" + }, + { + "url": "https://git.kernel.org/linus/a90bca2228c0646fc29a72689d308e5fe03e6d78(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26993" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-644", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26993" + } + } + ], + "created": "2024-05-01T06:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: sysfs: Fix reference leak in sysfs_break_active_protection()\n\nThe sysfs_break_active_protection() routine has an obvious reference\nleak in its error path. If the call to kernfs_find_and_get() fails then\nkn will be NULL, so the companion sysfs_unbreak_active_protection()\nroutine won't get called (and would only cause an access violation by\ntrying to dereference kn->parent if it was called). As a result, the\nreference to kobj acquired at the start of the function will never be\nreleased.\n\nFix the leak by adding an explicit kobject_put() call when kn is NULL.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26993", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26993" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T06:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57" + }, + { + "url": "https://git.kernel.org/stable/c/01d992088dce3945f70f49f34b0b911c5213c238" + }, + { + "url": "https://git.kernel.org/stable/c/7407c61f43b66e90ad127d0cdd13cbc9d87141a5" + }, + { + "url": "https://git.kernel.org/stable/c/5cd7185d2db76c42a9b7e69adad9591d9fca093f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26700" + }, + { + "url": "https://git.kernel.org/linus/e6a7df96facdcf5b1f71eb3ec26f2f9f6ad61e57(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-645", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26700" + } + } + ], + "created": "2024-04-03T15:15:53Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix MST Null Ptr for RV\n\nThe change try to fix below error specific to RV platform:\n\nBUG: kernel NULL pointer dereference, address: 0000000000000008\nPGD 0 P4D 0\nOops: 0000 [#1] PREEMPT SMP NOPTI\nCPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2\nHardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0\nCall Trace:\n \n ? __die+0x23/0x70\n ? page_fault_oops+0x171/0x4e0\n ? plist_add+0xbe/0x100\n ? exc_page_fault+0x7c/0x180\n ? asm_exc_page_fault+0x26/0x30\n ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026]\n compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n drm_atomic_check_only+0x5c5/0xa40\n drm_mode_atomic_ioctl+0x76e/0xbc0\n ? _copy_to_user+0x25/0x30\n ? drm_ioctl+0x296/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n drm_ioctl_kernel+0xcd/0x170\n drm_ioctl+0x26d/0x4b0\n ? __pfx_drm_mode_atomic_ioctl+0x10/0x10\n amdgpu_drm_ioctl+0x4e/0x90 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054]\n __x64_sys_ioctl+0x94/0xd0\n do_syscall_64+0x60/0x90\n ? do_syscall_64+0x6c/0x90\n entry_SYSCALL_64_after_hwframe+0x72/0xdc\nRIP: 0033:0x7f4dad17f76f\nCode: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c>\nRSP: 002b:00007ffd9ae859f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055e255a55900 RCX: 00007f4dad17f76f\nRDX: 00007ffd9ae85a90 RSI: 00000000c03864bc RDI: 000000000000000b\nRBP: 00007ffd9ae85a90 R08: 0000000000000003 R09: 0000000000000003\nR10: 0000000000000000 R11: 0000000000000246 R12: 00000000c03864bc\nR13: 000000000000000b R14: 000055e255a7fc60 R15: 000055e255a01eb0\n \nModules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm cmac algif_hash algif_skcipher af_alg joydev mousedev bnep >\n typec libphy k10temp ipmi_msghandler roles i2c_scmi acpi_cpufreq mac_hid nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_mas>\nCR2: 0000000000000008\n---[ end trace 0000000000000000 ]---\nRIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper]\nCode: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8>\nRSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224\nRDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280\nRBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850\nR10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000\nR13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224\nFS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26700", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26700" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/32edca2f03a6cc42c650ddc3ad83d086e3f365d1" + }, + { + "url": "https://git.kernel.org/stable/c/9a3ca8292ce9fdcce122706c28c3f07bc857fe5e" + }, + { + "url": "https://git.kernel.org/stable/c/54d26adf64c04f186098b39dba86b86037084baa" + }, + { + "url": "https://git.kernel.org/stable/c/cd53a8ae5aacb4ecd25088486dea1cd02e74b506" + }, + { + "url": "https://git.kernel.org/stable/c/f39d36b7540cf0088ed7ce2de2794f2aa237f6df" + }, + { + "url": "https://git.kernel.org/stable/c/2b3fede8225133671ce837c0d284804aa3bc7a02" + }, + { + "url": "https://git.kernel.org/stable/c/ff50716b7d5b7985979a5b21163cd79fb3d21d59" + }, + { + "url": "https://git.kernel.org/stable/c/d6b5aac451c9cc12e43ab7308e0e2ddc52c62c14" + }, + { + "url": "https://git.kernel.org/stable/c/fbec4e7fed89b579f2483041fabf9650fb0dd6bc" + }, + { + "url": "https://git.kernel.org/linus/fbec4e7fed89b579f2483041fabf9650fb0dd6bc(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35819" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-646", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35819" + } + } + ], + "created": "2024-05-17T14:15:16Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: fsl: qbman: Use raw spinlock for cgr_lock\n\nsmp_call_function always runs its callback in hard IRQ context, even on\nPREEMPT_RT, where spinlocks can sleep. So we need to use a raw spinlock\nfor cgr_lock to ensure we aren't waiting on a sleeping task.\n\nAlthough this bug has existed for a while, it was not apparent until\ncommit ef2a8d5478b9 (\"net: dpaa: Adjust queue depth on rate change\")\nwhich invokes smp_call_function_single via qman_update_cgr_safe every\ntime a link goes up or down.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35819", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35819" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-647", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-416" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-416", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/58acd1f497162e7d282077f816faa519487be045" + }, + { + "url": "https://git.kernel.org/stable/c/10e17ca4000ec34737bde002a13435c38ace2682" + }, + { + "url": "https://git.kernel.org/stable/c/3103163ccd3be4adcfa37e15608fb497be044113" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35866" + }, + { + "url": "https://git.kernel.org/linus/58acd1f497162e7d282077f816faa519487be045(6.9-rc3)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-648", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35866" + } + } + ], + "created": "2024-05-19T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix potential UAF in cifs_dump_full_key()\n\nSkip sessions that are being teared down (status == SES_EXITING) to\navoid UAF.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35866", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35866" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/99731076722eb7ed26b0c87c879da7bb71d24290" + }, + { + "url": "https://git.kernel.org/stable/c/df5cbb908f1687e8ab97e222a16b7890d5501acf" + }, + { + "url": "https://git.kernel.org/stable/c/2b002c308e184feeaeb72987bca3f1b11e5f70b8" + }, + { + "url": "https://git.kernel.org/stable/c/f74c5e0b54b02706d9a862ac6cddade30ac86bcf" + }, + { + "url": "https://git.kernel.org/stable/c/3e944ddc17c042945d983e006df7860687a8849a" + }, + { + "url": "https://git.kernel.org/stable/c/2a587a035214fa1b5ef598aea0b81848c5b72e5e" + }, + { + "url": "https://git.kernel.org/stable/c/68d951880d0c52c7f13dcefb5501b69b8605ce8c" + }, + { + "url": "https://git.kernel.org/stable/c/30511676eb54d480d014352bf784f02577a10252" + }, + { + "url": "https://git.kernel.org/stable/c/36177c2595df12225b95ce74eb1ac77b43d5a58c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35822" + }, + { + "url": "https://git.kernel.org/linus/2a587a035214fa1b5ef598aea0b81848c5b72e5e(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-649", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35822" + } + } + ], + "created": "2024-05-17T14:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: udc: remove warning when queue disabled ep\n\nIt is possible trigger below warning message from mass storage function,\n\nWARNING: CPU: 6 PID: 3839 at drivers/usb/gadget/udc/core.c:294 usb_ep_queue+0x7c/0x104\npc : usb_ep_queue+0x7c/0x104\nlr : fsg_main_thread+0x494/0x1b3c\n\nRoot cause is mass storage function try to queue request from main thread,\nbut other thread may already disable ep when function disable.\n\nAs there is no function failure in the driver, in order to avoid effort\nto fix warning, change WARN_ON_ONCE() in usb_ep_queue() to pr_debug().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35822", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35822" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b" + }, + { + "url": "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2" + }, + { + "url": "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f" + }, + { + "url": "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26853" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/ef27f655b438bed4c83680e4f01e1cde2739854b(6.8)" + } + ], + "bom-ref": "vuln-650", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26853" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26853", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26853" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/821e28d5b506e6a73ccc367ff792bd894050d48b" + }, + { + "url": "https://git.kernel.org/stable/c/9384b4d85c46ce839f51af01374062ce6318b2f2" + }, + { + "url": "https://git.kernel.org/stable/c/362508506bf545e9ce18c72a2c48dcbfb891ab9c" + }, + { + "url": "https://git.kernel.org/stable/c/b36b83297ff4910dfc8705402c8abffd4bbf8144" + }, + { + "url": "https://git.kernel.org/stable/c/ff90050771412b91e928093ccd8736ae680063c2" + }, + { + "url": "https://git.kernel.org/stable/c/5ad233dc731ab64cdc47b84a5c1f78fff6c024af" + }, + { + "url": "https://git.kernel.org/stable/c/b0e256f3dd2ba6532f37c5c22e07cb07a36031ee" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26809" + } + ], + "bom-ref": "vuln-651", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26809" + } + } + ], + "created": "2024-04-04T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo: release elements in clone only from destroy path\n\nClone already always provides a current view of the lookup table, use it\nto destroy the set, otherwise it is possible to destroy elements twice.\n\nThis fix requires:\n\n 212ed75dc5fb (\"netfilter: nf_tables: integrate pipapo into commit protocol\")\n\nwhich came after:\n\n 9827a0e6e23b (\"netfilter: nft_set_pipapo: release elements in clone from abort path\").", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26809", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26809" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6" + }, + { + "url": "https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9" + }, + { + "url": "https://git.kernel.org/linus/86a1471d7cde792941109b93b558b5dc078b9ee9(6.9-rc5)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27011" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-652", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27011" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: fix memleak in map from abort path\n\nThe delete set command does not rely on the transaction object for\nelement removal, therefore, a combination of delete element + delete set\nfrom the abort path could result in restoring twice the refcount of the\nmapping.\n\nCheck for inactive element in the next generation for the delete element\ncommand in the abort path, skip restoring state if next generation bit\nhas been already cleared. This is similar to the activate logic using\nthe set walk iterator.\n\n[ 6170.286929] ------------[ cut here ]------------\n[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287071] Modules linked in: [...]\n[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365\n[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f\n[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202\n[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000\n[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750\n[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55\n[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10\n[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100\n[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000\n[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0\n[ 6170.287962] Call Trace:\n[ 6170.287967] \n[ 6170.287973] ? __warn+0x9f/0x1a0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288092] ? report_bug+0x1b1/0x1e0\n[ 6170.288104] ? handle_bug+0x3c/0x70\n[ 6170.288112] ? exc_invalid_op+0x17/0x40\n[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20\n[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]\n[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]\n[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27011", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27011" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b" + }, + { + "url": "https://git.kernel.org/stable/c/0d14f104027e30720582448706c7d6b43065c851" + }, + { + "url": "https://git.kernel.org/stable/c/c42b073d9af4a5329b25b17390c63ab3847f30e8" + }, + { + "url": "https://git.kernel.org/stable/c/4fee8fa86a15d7790268eea458b1aec69c695530" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-36009" + }, + { + "url": "https://git.kernel.org/linus/467324bcfe1a31ec65d0cf4aa59421d6b7a7d52b(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-653", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-36009" + } + } + ], + "created": "2024-05-20T10:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: Fix netdev refcount issue\n\nThe dev_tracker is added to ax25_cb in ax25_bind(). When the\nax25 device is detaching, the dev_tracker of ax25_cb should be\ndeallocated in ax25_kill_by_device() instead of the dev_tracker\nof ax25_dev. The log reported by ref_tracker is shown below:\n\n[ 80.884935] ref_tracker: reference already released.\n[ 80.885150] ref_tracker: allocated in:\n[ 80.885349] ax25_dev_device_up+0x105/0x540\n[ 80.885730] ax25_device_event+0xa4/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] __dev_notify_flags+0x138/0x280\n[ 80.885730] dev_change_flags+0xd7/0x180\n[ 80.885730] dev_ifsioc+0x6a9/0xa30\n[ 80.885730] dev_ioctl+0x4d8/0xd90\n[ 80.885730] sock_do_ioctl+0x1c2/0x2d0\n[ 80.885730] sock_ioctl+0x38b/0x4f0\n[ 80.885730] __se_sys_ioctl+0xad/0xf0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.885730] ref_tracker: freed in:\n[ 80.885730] ax25_device_event+0x272/0x420\n[ 80.885730] notifier_call_chain+0xc9/0x1e0\n[ 80.885730] dev_close_many+0x272/0x370\n[ 80.885730] unregister_netdevice_many_notify+0x3b5/0x1180\n[ 80.885730] unregister_netdev+0xcf/0x120\n[ 80.885730] sixpack_close+0x11f/0x1b0\n[ 80.885730] tty_ldisc_kill+0xcb/0x190\n[ 80.885730] tty_ldisc_hangup+0x338/0x3d0\n[ 80.885730] __tty_hangup+0x504/0x740\n[ 80.885730] tty_release+0x46e/0xd80\n[ 80.885730] __fput+0x37f/0x770\n[ 80.885730] __x64_sys_close+0x7b/0xb0\n[ 80.885730] do_syscall_64+0xc4/0x1b0\n[ 80.885730] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n[ 80.893739] ------------[ cut here ]------------\n[ 80.894030] WARNING: CPU: 2 PID: 140 at lib/ref_tracker.c:255 ref_tracker_free+0x47b/0x6b0\n[ 80.894297] Modules linked in:\n[ 80.894929] CPU: 2 PID: 140 Comm: ax25_conn_rel_6 Not tainted 6.9.0-rc4-g8cd26fd90c1a #11\n[ 80.895190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qem4\n[ 80.895514] RIP: 0010:ref_tracker_free+0x47b/0x6b0\n[ 80.895808] Code: 83 c5 18 4c 89 eb 48 c1 eb 03 8a 04 13 84 c0 0f 85 df 01 00 00 41 83 7d 00 00 75 4b 4c 89 ff 9\n[ 80.896171] RSP: 0018:ffff888009edf8c0 EFLAGS: 00000286\n[ 80.896339] RAX: 1ffff1100141ac00 RBX: 1ffff1100149463b RCX: dffffc0000000000\n[ 80.896502] RDX: 0000000000000001 RSI: 0000000000000246 RDI: ffff88800a0d6518\n[ 80.896925] RBP: ffff888009edf9b0 R08: ffff88806d3288d3 R09: 1ffff1100da6511a\n[ 80.897212] R10: dffffc0000000000 R11: ffffed100da6511b R12: ffff88800a4a31d4\n[ 80.897859] R13: ffff88800a4a31d8 R14: dffffc0000000000 R15: ffff88800a0d6518\n[ 80.898279] FS: 00007fd88b7fe700(0000) GS:ffff88806d300000(0000) knlGS:0000000000000000\n[ 80.899436] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 80.900181] CR2: 00007fd88c001d48 CR3: 000000000993e000 CR4: 00000000000006f0\n...\n[ 80.935774] ref_tracker: sp%d@000000000bb9df3d has 1/1 users at\n[ 80.935774] ax25_bind+0x424/0x4e0\n[ 80.935774] __sys_bind+0x1d9/0x270\n[ 80.935774] __x64_sys_bind+0x75/0x80\n[ 80.935774] do_syscall_64+0xc4/0x1b0\n[ 80.935774] entry_SYSCALL_64_after_hwframe+0x67/0x6f\n\nChange ax25_dev->dev_tracker to the dev_tracker of ax25_cb\nin order to mitigate the bug.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-36009", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36009" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f5e7ffa9269a448a720e21f1ed1384d118298c97" + }, + { + "url": "https://git.kernel.org/stable/c/418456c0ce56209610523f21734c5612ee634134" + }, + { + "url": "https://git.kernel.org/stable/c/2e3ec80ea7ba58bbb210e83b5a0afefee7c171d3" + }, + { + "url": "https://git.kernel.org/stable/c/696e4112e5c1ee61996198f0ebb6ca3fab55166e" + }, + { + "url": "https://git.kernel.org/stable/c/2aa7bcfdbb46241c701811bbc0d64d7884e3346c" + }, + { + "url": "https://git.kernel.org/stable/c/7c4650ded49e5b88929ecbbb631efb8b0838e811" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26659" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/7c4650ded49e5b88929ecbbb631efb8b0838e811(6.8-rc3)" + } + ], + "bom-ref": "vuln-654", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26659" + } + } + ], + "created": "2024-04-02T07:15:42Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: handle isoc Babble and Buffer Overrun events properly\n\nxHCI 4.9 explicitly forbids assuming that the xHC has released its\nownership of a multi-TRB TD when it reports an error on one of the\nearly TRBs. Yet the driver makes such assumption and releases the TD,\nallowing the remaining TRBs to be freed or overwritten by new TDs.\n\nThe xHC should also report completion of the final TRB due to its IOC\nflag being set by us, regardless of prior errors. This event cannot\nbe recognized if the TD has already been freed earlier, resulting in\n\"Transfer event TRB DMA ptr not part of current TD\" error message.\n\nFix this by reusing the logic for processing isoc Transaction Errors.\nThis also handles hosts which fail to report the final completion.\n\nFix transfer length reporting on Babble errors. They may be caused by\ndevice malfunction, no guarantee that the buffer has been filled.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26659", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26659" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/8af411bbba1f457c33734795f024d0ef26d0963f" + }, + { + "url": "https://git.kernel.org/stable/c/8e99556301172465c8fe33c7f78c39a3d4ce8462" + }, + { + "url": "https://git.kernel.org/stable/c/699b103e48ce32d03fc86c35b37ee8ae4288c7e3" + }, + { + "url": "https://git.kernel.org/stable/c/17ccd9798fe0beda3db212cfa3ebe373f605cbd6" + }, + { + "url": "https://git.kernel.org/stable/c/f72cf22dccc94038cbbaa1029cb575bf52e5cbc8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26802" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-655", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26802" + } + } + ], + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nCurrently when suspending driver and stopping workqueue it is checked whether\nworkqueue is not NULL and if so, it is destroyed.\nFunction destroy_workqueue() does drain queue and does clear variable, but\nit does not set workqueue variable to NULL. This can cause kernel/module\npanic if code attempts to clear workqueue that was not initialized.\n\nThis scenario is possible when resuming suspended driver in stmmac_resume(),\nbecause there is no handling for failed stmmac_hw_setup(),\nwhich can fail and return if DMA engine has failed to initialize,\nand workqueue is initialized after DMA engine.\nShould DMA engine fail to initialize, resume will proceed normally,\nbut interface won't work and TX queue will eventually timeout,\ncausing 'Reset adapter' error.\nThis then does destroy workqueue during reset process.\nAnd since workqueue is initialized after DMA engine and can be skipped,\nit will cause kernel/module panic.\n\nTo secure against this possible crash, set workqueue variable to NULL when\ndestroying workqueue.\n\nLog/backtrace from crash goes as follows:\n[88.031977]------------[ cut here ]------------\n[88.031985]NETDEV WATCHDOG: eth0 (sxgmac): transmit queue 1 timed out\n[88.032017]WARNING: CPU: 0 PID: 0 at net/sched/sch_generic.c:477 dev_watchdog+0x390/0x398\n \n[88.032251]---[ end trace e70de432e4d5c2c0 ]---\n[88.032282]sxgmac 16d88000.ethernet eth0: Reset adapter.\n[88.036359]------------[ cut here ]------------\n[88.036519]Call trace:\n[88.036523] flush_workqueue+0x3e4/0x430\n[88.036528] drain_workqueue+0xc4/0x160\n[88.036533] destroy_workqueue+0x40/0x270\n[88.036537] stmmac_fpe_stop_wq+0x4c/0x70\n[88.036541] stmmac_release+0x278/0x280\n[88.036546] __dev_close_many+0xcc/0x158\n[88.036551] dev_close_many+0xbc/0x190\n[88.036555] dev_close.part.0+0x70/0xc0\n[88.036560] dev_close+0x24/0x30\n[88.036564] stmmac_service_task+0x110/0x140\n[88.036569] process_one_work+0x1d8/0x4a0\n[88.036573] worker_thread+0x54/0x408\n[88.036578] kthread+0x164/0x170\n[88.036583] ret_from_fork+0x10/0x20\n[88.036588]---[ end trace e70de432e4d5c2c1 ]---\n[88.036597]Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26802", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26802" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:22Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28863" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-656", + "references": [ + { + "id": "GHSA-f5x3-32g6-xq36", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36" + } + } + ], + "created": "2024-03-21T23:15:10Z", + "description": "node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.", + "affects": [ + { + "ref": "comp-776" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863" + }, + "cwes": [ + 400, + 770 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28863" + } + } + ], + "id": "CVE-2024-28863", + "updated": "2024-03-22T12:45:36Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-776", + "value": "6.2.1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f278ff9db67264715d0d50e3e75044f8b78990f4" + }, + { + "url": "https://git.kernel.org/stable/c/c3198822c6cb9fb588e446540485669cc81c5d34" + }, + { + "url": "https://git.kernel.org/stable/c/1abb20a5f4b02fb3020f88456fc1e6069b3cdc45" + }, + { + "url": "https://git.kernel.org/stable/c/8291b4eac429c480386669444c6377573f5d8664" + }, + { + "url": "https://git.kernel.org/linus/c3198822c6cb9fb588e446540485669cc81c5d34(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26953" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-657", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26953" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: esp: fix bad handling of pages from page_pool\n\nWhen the skb is reorganized during esp_output (!esp->inline), the pages\ncoming from the original skb fragments are supposed to be released back\nto the system through put_page. But if the skb fragment pages are\noriginating from a page_pool, calling put_page on them will trigger a\npage_pool leak which will eventually result in a crash.\n\nThis leak can be easily observed when using CONFIG_DEBUG_VM and doing\nipsec + gre (non offloaded) forwarding:\n\n BUG: Bad page state in process ksoftirqd/16 pfn:1451b6\n page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6\n flags: 0x200000000000000(node=0|zone=2)\n page_type: 0xffffffff()\n raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000\n raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000\n page dumped because: page_pool leak\n Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]\n CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Call Trace:\n \n dump_stack_lvl+0x36/0x50\n bad_page+0x70/0xf0\n free_unref_page_prepare+0x27a/0x460\n free_unref_page+0x38/0x120\n esp_ssg_unref.isra.0+0x15f/0x200\n esp_output_tail+0x66d/0x780\n esp_xmit+0x2c5/0x360\n validate_xmit_xfrm+0x313/0x370\n ? validate_xmit_skb+0x1d/0x330\n validate_xmit_skb_list+0x4c/0x70\n sch_direct_xmit+0x23e/0x350\n __dev_queue_xmit+0x337/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x25e/0x580\n iptunnel_xmit+0x19b/0x240\n ip_tunnel_xmit+0x5fb/0xb60\n ipgre_xmit+0x14d/0x280 [ip_gre]\n dev_hard_start_xmit+0xc3/0x1c0\n __dev_queue_xmit+0x208/0xba0\n ? nf_hook_slow+0x3f/0xd0\n ip_finish_output2+0x1ca/0x580\n ip_sublist_rcv_finish+0x32/0x40\n ip_sublist_rcv+0x1b2/0x1f0\n ? ip_rcv_finish_core.constprop.0+0x460/0x460\n ip_list_rcv+0x103/0x130\n __netif_receive_skb_list_core+0x181/0x1e0\n netif_receive_skb_list_internal+0x1b3/0x2c0\n napi_gro_receive+0xc8/0x200\n gro_cell_poll+0x52/0x90\n __napi_poll+0x25/0x1a0\n net_rx_action+0x28e/0x300\n __do_softirq+0xc3/0x276\n ? sort_range+0x20/0x20\n run_ksoftirqd+0x1e/0x30\n smpboot_thread_fn+0xa6/0x130\n kthread+0xcd/0x100\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x31/0x50\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork_asm+0x11/0x20\n \n\nThe suggested fix is to introduce a new wrapper (skb_page_unref) that\ncovers page refcounting for page_pool pages as well.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26953", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26953" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9f7ddc222cae8254e93d5c169a8ae11a49d912a7" + }, + { + "url": "https://git.kernel.org/stable/c/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc" + }, + { + "url": "https://git.kernel.org/stable/c/0c027c2bad7f5111c51a358b5d392e1a695dabff" + }, + { + "url": "https://git.kernel.org/stable/c/fb3a122a978626b33de3367ee1762da934c0f512" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26947" + }, + { + "url": "https://git.kernel.org/linus/0c66c6f4e21cb22220cbd8821c5c73fc157d20dc(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-658", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26947" + } + } + ], + "created": "2024-05-01T06:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses\n\nSince commit a4d5613c4dc6 (\"arm: extend pfn_valid to take into account\nfreed memory map alignment\") changes the semantics of pfn_valid() to check\npresence of the memory map for a PFN. A valid page for an address which\nis reserved but not mapped by the kernel[1], the system crashed during\nsome uio test with the following memory layout:\n\n node 0: [mem 0x00000000c0a00000-0x00000000cc8fffff]\n node 0: [mem 0x00000000d0000000-0x00000000da1fffff]\n the uio layout is:0xc0900000, 0x100000\n\nthe crash backtrace like:\n\n Unable to handle kernel paging request at virtual address bff00000\n [...]\n CPU: 1 PID: 465 Comm: startapp.bin Tainted: G O 5.10.0 #1\n Hardware name: Generic DT based system\n PC is at b15_flush_kern_dcache_area+0x24/0x3c\n LR is at __sync_icache_dcache+0x6c/0x98\n [...]\n (b15_flush_kern_dcache_area) from (__sync_icache_dcache+0x6c/0x98)\n (__sync_icache_dcache) from (set_pte_at+0x28/0x54)\n (set_pte_at) from (remap_pfn_range+0x1a0/0x274)\n (remap_pfn_range) from (uio_mmap+0x184/0x1b8 [uio])\n (uio_mmap [uio]) from (__mmap_region+0x264/0x5f4)\n (__mmap_region) from (__do_mmap_mm+0x3ec/0x440)\n (__do_mmap_mm) from (do_mmap+0x50/0x58)\n (do_mmap) from (vm_mmap_pgoff+0xfc/0x188)\n (vm_mmap_pgoff) from (ksys_mmap_pgoff+0xac/0xc4)\n (ksys_mmap_pgoff) from (ret_fast_syscall+0x0/0x5c)\n Code: e0801001 e2423001 e1c00003 f57ff04f (ee070f3e)\n ---[ end trace 09cf0734c3805d52 ]---\n Kernel panic - not syncing: Fatal exception\n\nSo check if PG_reserved was set to solve this issue.\n\n[1]: https://lore.kernel.org/lkml/Zbtdue57RO0QScJM@linux.ibm.com/", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26947", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26947" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:10Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/0dab75b433ed2480d57ae4f8f725186a46223e42" + }, + { + "url": "https://git.kernel.org/stable/c/f341055b10bd8be55c3c995dff5f770b236b8ca9" + }, + { + "url": "https://git.kernel.org/linus/f341055b10bd8be55c3c995dff5f770b236b8ca9(6.9-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35906" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-659", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35906" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Send DTBCLK disable message on first commit\n\n[Why]\nPrevious patch to allow DTBCLK disable didn't address boot case. Driver\nthinks DTBCLK is disabled by default, so we don't send disable message to\nPMFW. DTBCLK is then enabled at idle desktop on boot, burning power.\n\n[How]\nSet dtbclk_en to true on boot so that disable message is sent during first\ncommit.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35906", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35906" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/24ec7504a08a67247fbe798d1de995208a8c128a" + }, + { + "url": "https://git.kernel.org/stable/c/50fb4e17df319bb33be6f14e2a856950c1577dee" + }, + { + "url": "https://git.kernel.org/stable/c/b6a2a9cbb67545c825ec95f06adb7ff300a2ad71" + }, + { + "url": "https://git.kernel.org/stable/c/3cd139875e9a7688b3fc715264032620812a5fa3" + }, + { + "url": "https://git.kernel.org/stable/c/2441a64070b85c14eecc3728cc87e883f953f265" + }, + { + "url": "https://git.kernel.org/stable/c/944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://git.kernel.org/stable/c/c5b2063c65d05e79fad8029324581d86cfba7eea" + }, + { + "url": "https://git.kernel.org/stable/c/db896bbe4a9c67cee377e5f6a743350d3ae4acf6" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26602" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2582" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1250" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.15-2024-039.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1765" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1249" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2525.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1332" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2585" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1653" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1532" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1533" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2006" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2008" + } + ], + "bom-ref": "vuln-660", + "ratings": [ + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602" + } + }, + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26602" + } + } + ], + "created": "2024-02-26T16:28:00Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/membarrier: reduce the ability to hammer on sys_membarrier\n\nOn some systems, sys_membarrier can be very expensive, causing overall\nslowdowns for everything. So put a lock on the path in order to\nserialize the accesses to prevent the ability for this to be called at\ntoo high of a frequency and saturate the machine.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26602" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-17T18:01:43Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:26:36Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/b4eea7a05ee0ab5ab0514421e6ba8c5d249cf942" + }, + { + "url": "https://git.kernel.org/stable/c/d7b6fa97ec894edd02f64b83e5e72e1aa352f353" + }, + { + "url": "https://git.kernel.org/stable/c/ea1cd64d59f22d6d13f367d62ec6e27b9344695f" + }, + { + "url": "https://git.kernel.org/stable/c/e7e23fc5d5fe422827c9a43ecb579448f73876c7" + }, + { + "url": "https://git.kernel.org/stable/c/b820de741ae48ccf50dd95e297889c286ff4f760" + }, + { + "url": "https://git.kernel.org/stable/c/18f614369def2a11a52f569fe0f910b199d13487" + }, + { + "url": "https://git.kernel.org/stable/c/337b543e274fe7a8f47df3c8293cc6686ffa620f" + }, + { + "url": "https://git.kernel.org/stable/c/1dc7d74fe456944a9b1c57bd776280249f441ac6" + }, + { + "url": "https://git.kernel.org/linus/b820de741ae48ccf50dd95e297889c286ff4f760(6.8-rc6)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26764" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-661", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26764" + } + } + ], + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio\n\nIf kiocb_set_cancel_fn() is called for I/O submitted via io_uring, the\nfollowing kernel warning appears:\n\nWARNING: CPU: 3 PID: 368 at fs/aio.c:598 kiocb_set_cancel_fn+0x9c/0xa8\nCall trace:\n kiocb_set_cancel_fn+0x9c/0xa8\n ffs_epfile_read_iter+0x144/0x1d0\n io_read+0x19c/0x498\n io_issue_sqe+0x118/0x27c\n io_submit_sqes+0x25c/0x5fc\n __arm64_sys_io_uring_enter+0x104/0xab0\n invoke_syscall+0x58/0x11c\n el0_svc_common+0xb4/0xf4\n do_el0_svc+0x2c/0xb0\n el0_svc+0x2c/0xa4\n el0t_64_sync_handler+0x68/0xb4\n el0t_64_sync+0x1a4/0x1a8\n\nFix this by setting the IOCB_AIO_RW flag for read and write I/O that is\nsubmitted by libaio.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26764", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26764" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/13d107794304306164481d31ce33f8fdb25a9c04" + }, + { + "url": "https://git.kernel.org/stable/c/b7cea3a9af0853fdbb1b16633a458f991dde6aac" + }, + { + "url": "https://git.kernel.org/stable/c/55b6c738673871c9b0edae05d0c97995c1ff08c4" + }, + { + "url": "https://git.kernel.org/stable/c/302b2dfc013baca3dea7ceda383930d9297d231d" + }, + { + "url": "https://git.kernel.org/stable/c/7bedfe4cfa38771840a355970e4437cd52d4046b" + }, + { + "url": "https://git.kernel.org/stable/c/f52be46e3e6ecefc2539119784324f0cbc09620a" + }, + { + "url": "https://git.kernel.org/stable/c/710a177f347282eea162aec8712beb1f42d5ad87" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26951" + }, + { + "url": "https://git.kernel.org/linus/55b6c738673871c9b0edae05d0c97995c1ff08c4(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-662", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26951" + } + } + ], + "created": "2024-05-01T06:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwireguard: netlink: check for dangling peer via is_dead instead of empty list\n\nIf all peers are removed via wg_peer_remove_all(), rather than setting\npeer_list to empty, the peer is added to a temporary list with a head on\nthe stack of wg_peer_remove_all(). If a netlink dump is resumed and the\ncursored peer is one that has been removed via wg_peer_remove_all(), it\nwill iterate from that peer and then attempt to dump freed peers.\n\nFix this by instead checking peer->is_dead, which was explictly created\nfor this purpose. Also move up the device_update_lock lockdep assertion,\nsince reading is_dead relies on that.\n\nIt can be reproduced by a small script like:\n\n echo \"Setting config...\"\n ip link add dev wg0 type wireguard\n wg setconf wg0 /big-config\n (\n while true; do\n echo \"Showing config...\"\n wg showconf wg0 > /dev/null\n done\n ) &\n sleep 4\n wg setconf wg0 <(printf \"[Peer]\\nPublicKey=$(wg genkey)\\n\")\n\nResulting in:\n\n BUG: KASAN: slab-use-after-free in __lock_acquire+0x182a/0x1b20\n Read of size 8 at addr ffff88811956ec70 by task wg/59\n CPU: 2 PID: 59 Comm: wg Not tainted 6.8.0-rc2-debug+ #5\n Call Trace:\n \n dump_stack_lvl+0x47/0x70\n print_address_description.constprop.0+0x2c/0x380\n print_report+0xab/0x250\n kasan_report+0xba/0xf0\n __lock_acquire+0x182a/0x1b20\n lock_acquire+0x191/0x4b0\n down_read+0x80/0x440\n get_peer+0x140/0xcb0\n wg_get_device_dump+0x471/0x1130", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26951", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26951" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/5b696e9c388251f1c7373be92293769a489fd367" + }, + { + "url": "https://git.kernel.org/stable/c/ad2f8920c314e0a2d9e984fc94b729eca3cda471" + }, + { + "url": "https://git.kernel.org/stable/c/518d78b4fac68cac29a263554d7f3b19da99d0da" + }, + { + "url": "https://git.kernel.org/stable/c/bb3a06e9b9a30e33d96aadc0e077be095a4f8580" + }, + { + "url": "https://git.kernel.org/stable/c/9d739bccf261dd93ec1babf82f5c5d71dd4caa3e" + }, + { + "url": "https://git.kernel.org/stable/c/237ecf1afe6c22534fa43abdf2bf0b0f52de0aaa" + }, + { + "url": "https://git.kernel.org/stable/c/106c1ac953a66556ec77456c46e818208d3a9bce" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26790" + } + ], + "bom-ref": "vuln-663", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26790" + } + } + ], + "created": "2024-04-04T09:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read\n\nThere is chip (ls1028a) errata:\n\nThe SoC may hang on 16 byte unaligned read transactions by QDMA.\n\nUnaligned read transactions initiated by QDMA may stall in the NOC\n(Network On-Chip), causing a deadlock condition. Stalled transactions will\ntrigger completion timeouts in PCIe controller.\n\nWorkaround:\nEnable prefetch by setting the source descriptor prefetchable bit\n( SD[PF] = 1 ).\n\nImplement this workaround.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26790", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26790" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-04T12:48:41Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/a2ab028151841cd833cb53eb99427e0cc990112d" + }, + { + "url": "https://git.kernel.org/stable/c/0ac219c4c3ab253f3981f346903458d20bacab32" + }, + { + "url": "https://git.kernel.org/stable/c/9a0d18853c280f6a0ee99f91619f2442a17a323a" + }, + { + "url": "https://git.kernel.org/stable/c/7a9d14c63b35f89563c5ecbadf918ad64979712d" + }, + { + "url": "https://git.kernel.org/linus/9a0d18853c280f6a0ee99f91619f2442a17a323a(6.8-rc7)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26849" + } + ], + "bom-ref": "vuln-664", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26849" + } + } + ], + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: add nla be16/32 types to minlen array\n\nBUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]\nBUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]\nBUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]\nBUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631\n nla_validate_range_unsigned lib/nlattr.c:222 [inline]\n nla_validate_int_range lib/nlattr.c:336 [inline]\n validate_nla lib/nlattr.c:575 [inline]\n...\n\nThe message in question matches this policy:\n\n [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255),\n\nbut because NLA_BE32 size in minlen array is 0, the validation\ncode will read past the malformed (too small) attribute.\n\nNote: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:\nthose likely should be added too.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26849", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26849" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e87bb99d2df6512d8ee37a5d63d2ca9a39a8c051" + }, + { + "url": "https://git.kernel.org/stable/c/feacd430b42bbfa9ab3ed9e4f38b86c43e348c75" + }, + { + "url": "https://git.kernel.org/stable/c/491a1eb07c2bd8841d63cb5263455e185be5866f" + }, + { + "url": "https://git.kernel.org/stable/c/130b0cd064874e0d0f58e18fb00e6f3993e90c74" + }, + { + "url": "https://git.kernel.org/stable/c/dae70a57565686f16089737adb8ac64471570f73" + }, + { + "url": "https://git.kernel.org/stable/c/ad78c5047dc4076d0b3c4fad4f42ffe9c86e8100" + }, + { + "url": "https://git.kernel.org/stable/c/f15eca95138b3d4ec17b63c3c1937b0aa0d3624b" + }, + { + "url": "https://git.kernel.org/stable/c/19b070fefd0d024af3daa7329cbc0d00de5302ec" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35944" + }, + { + "url": "https://git.kernel.org/linus/19b070fefd0d024af3daa7329cbc0d00de5302ec(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-665", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35944" + } + } + ], + "created": "2024-05-19T11:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nVMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()\n\nSyzkaller hit 'WARNING in dg_dispatch_as_host' bug.\n\nmemcpy: detected field-spanning write (size 56) of single field \"&dg_info->msg\"\nat drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)\n\nWARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237\ndg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237\n\nSome code commentry, based on my understanding:\n\n544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)\n/// This is 24 + payload_size\n\nmemcpy(&dg_info->msg, dg, dg_size);\n\tDestination = dg_info->msg ---> this is a 24 byte\n\t\t\t\t\tstructure(struct vmci_datagram)\n\tSource = dg --> this is a 24 byte structure (struct vmci_datagram)\n\tSize = dg_size = 24 + payload_size\n\n{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.\n\n 35 struct delayed_datagram_info {\n 36 struct datagram_entry *entry;\n 37 struct work_struct work;\n 38 bool in_dg_host_queue;\n 39 /* msg and msg_payload must be together. */\n 40 struct vmci_datagram msg;\n 41 u8 msg_payload[];\n 42 };\n\nSo those extra bytes of payload are copied into msg_payload[], a run time\nwarning is seen while fuzzing with Syzkaller.\n\nOne possible way to fix the warning is to split the memcpy() into\ntwo parts -- one -- direct assignment of msg and second taking care of payload.\n\nGustavo quoted:\n\"Under FORTIFY_SOURCE we should not copy data across multiple members\nin a structure.\"", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35944", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35944" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/3076b3c38a704e10df5e143c213653309d532538" + }, + { + "url": "https://git.kernel.org/stable/c/559f3a6333397ab6cd4a696edd65a70b6be62c6e" + }, + { + "url": "https://git.kernel.org/stable/c/2d8527f2f911fab84aec04df4788c0c23af3df48" + }, + { + "url": "https://git.kernel.org/stable/c/a4234decd0fe429832ca81c4637be7248b88b49e" + }, + { + "url": "https://git.kernel.org/stable/c/2df56f4ea769ff81e51bbb05699989603bde9c49" + }, + { + "url": "https://git.kernel.org/linus/2d8527f2f911fab84aec04df4788c0c23af3df48(6.9-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27009" + } + ], + "bom-ref": "vuln-666", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27009" + } + } + ], + "created": "2024-05-01T06:15:19Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/cio: fix race condition during online processing\n\nA race condition exists in ccw_device_set_online() that can cause the\nonline process to fail, leaving the affected device in an inconsistent\nstate. As a result, subsequent attempts to set that device online fail\nwith return code ENODEV.\n\nThe problem occurs when a path verification request arrives after\na wait for final device state completed, but before the result state\nis evaluated.\n\nFix this by ensuring that the CCW-device lock is held between\ndetermining final state and checking result state.\n\nNote that since:\n\ncommit 2297791c92d0 (\"s390/cio: dont unregister subchannel from child-drivers\")\n\npath verification requests are much more likely to occur during boot,\nresulting in an increased chance of this race condition occurring.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27009", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27009" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-13T08:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f" + }, + { + "url": "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + }, + { + "url": "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26595" + } + ], + "bom-ref": "vuln-667", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26595" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595" + } + } + ], + "created": "2024-02-23T15:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26595", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T19:55:31Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2134e9906e17b1e5284300fab547869ebacfd7d9" + }, + { + "url": "https://git.kernel.org/stable/c/b40328eea93c75a5645891408010141a0159f643" + }, + { + "url": "https://git.kernel.org/stable/c/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6" + }, + { + "url": "https://git.kernel.org/stable/c/29e42e1578a10c611b3f1a38f3229b2d664b5d16" + }, + { + "url": "https://git.kernel.org/stable/c/4e5c73b15d95452c1ba9c771dd013a3fbe052ff3" + }, + { + "url": "https://git.kernel.org/stable/c/cfa9abb5570c489dabf6f7fb3a066cc576fc8824" + }, + { + "url": "https://git.kernel.org/stable/c/9a07244f614bc417de527b799da779dcae780b5d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26749" + }, + { + "url": "https://git.kernel.org/linus/cd45f99034b0c8c9cb346dd0d6407a95ca3d36f6(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-668", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26749" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()\n\n ...\n cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request);\n list_del_init(&priv_req->list);\n ...\n\n'priv_req' actually free at cdns3_gadget_ep_free_request(). But\nlist_del_init() use priv_req->list after it.\n\n[ 1542.642868][ T534] BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xd4\n[ 1542.642868][ T534]\n[ 1542.653162][ T534] Use-after-free read at 0x000000009ed0ba99 (in kfence-#3):\n[ 1542.660311][ T534] __list_del_entry_valid+0x10/0xd4\n[ 1542.665375][ T534] cdns3_gadget_ep_disable+0x1f8/0x388 [cdns3]\n[ 1542.671571][ T534] usb_ep_disable+0x44/0xe4\n[ 1542.675948][ T534] ffs_func_eps_disable+0x64/0xc8\n[ 1542.680839][ T534] ffs_func_set_alt+0x74/0x368\n[ 1542.685478][ T534] ffs_func_disable+0x18/0x28\n\nMove list_del_init() before cdns3_gadget_ep_free_request() to resolve this\nproblem.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26749", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26749" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f85af9f1aa5e2f53694a6cbe72010f754b5ff862" + }, + { + "url": "https://git.kernel.org/stable/c/9b43d2884b54d415caab48878b526dfe2ae9921b" + }, + { + "url": "https://git.kernel.org/stable/c/846fb9f112f618ec6ae181d8dae7961652574774" + }, + { + "url": "https://git.kernel.org/stable/c/b03e626bd6d3f0684f56ee1890d70fc9ca991c04" + }, + { + "url": "https://git.kernel.org/stable/c/82f522ae0d97119a43da53e0f729275691b9c525" + }, + { + "url": "https://git.kernel.org/stable/c/282877633b25d67021a34169c5b5519b1d4ef65e" + }, + { + "url": "https://git.kernel.org/linus/82f522ae0d97119a43da53e0f729275691b9c525(6.9-rc2)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26929" + } + ], + "bom-ref": "vuln-669", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26929" + } + } + ], + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of fcport\n\nThe server was crashing after LOGO because fcport was getting freed twice.\n\n -----------[ cut here ]-----------\n kernel BUG at mm/slub.c:371!\n invalid opcode: 0000 1 SMP PTI\n CPU: 35 PID: 4610 Comm: bash Kdump: loaded Tainted: G OE --------- - - 4.18.0-425.3.1.el8.x86_64 #1\n Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 09/03/2021\n RIP: 0010:set_freepointer.part.57+0x0/0x10\n RSP: 0018:ffffb07107027d90 EFLAGS: 00010246\n RAX: ffff9cb7e3150000 RBX: ffff9cb7e332b9c0 RCX: ffff9cb7e3150400\n RDX: 0000000000001f37 RSI: 0000000000000000 RDI: ffff9cb7c0005500\n RBP: fffff693448c5400 R08: 0000000080000000 R09: 0000000000000009\n R10: 0000000000000000 R11: 0000000000132af0 R12: ffff9cb7c0005500\n R13: ffff9cb7e3150000 R14: ffffffffc06990e0 R15: ffff9cb7ea85ea58\n FS: 00007ff6b79c2740(0000) GS:ffff9cb8f7ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000055b426b7d700 CR3: 0000000169c18002 CR4: 00000000007706e0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n kfree+0x238/0x250\n qla2x00_els_dcmd_sp_free+0x20/0x230 [qla2xxx]\n ? qla24xx_els_dcmd_iocb+0x607/0x690 [qla2xxx]\n qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? qla2x00_issue_logo+0x28c/0x2a0 [qla2xxx]\n ? kernfs_fop_write+0x11e/0x1a0\n\nRemove one of the free calls and add check for valid fcport. Also use\nfunction qla2x00_free_fcport() instead of kfree().", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26929", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26929" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T13:02:20Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-670", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-416" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-416", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/9783b3b0e71d704949214a8f76468f591a31f3f5" + }, + { + "url": "https://git.kernel.org/stable/c/36a1cb0371aa6f0698910ee70cb4ed3c349f4fa4" + }, + { + "url": "https://git.kernel.org/stable/c/09ba28e1cd3cf715daab1fca6e1623e22fd754a6" + }, + { + "url": "https://git.kernel.org/stable/c/63a10b530e22cc923008b5925821c26872f37971" + }, + { + "url": "https://git.kernel.org/stable/c/80247e0eca14ff177d565f58ecd3010f6b7910a4" + }, + { + "url": "https://git.kernel.org/linus/09ba28e1cd3cf715daab1fca6e1623e22fd754a6(6.9-rc3)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35885" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-671", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35885" + } + } + ], + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf_gige: stop interface during shutdown\n\nThe mlxbf_gige driver intermittantly encounters a NULL pointer\nexception while the system is shutting down via \"reboot\" command.\nThe mlxbf_driver will experience an exception right after executing\nits shutdown() method. One example of this exception is:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000070\nMem abort info:\n ESR = 0x0000000096000004\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x04: level 0 translation fault\nData abort info:\n ISV = 0, ISS = 0x00000004\n CM = 0, WnR = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000011d373000\n[0000000000000070] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 96000004 [#1] SMP\nCPU: 0 PID: 13 Comm: ksoftirqd/0 Tainted: G S OE 5.15.0-bf.6.gef6992a #1\nHardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS 4.0.2.12669 Apr 21 2023\npstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\nlr : mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\nsp : ffff8000080d3c10\nx29: ffff8000080d3c10 x28: ffffcce72cbb7000 x27: ffff8000080d3d58\nx26: ffff0000814e7340 x25: ffff331cd1a05000 x24: ffffcce72c4ea008\nx23: ffff0000814e4b40 x22: ffff0000814e4d10 x21: ffff0000814e4128\nx20: 0000000000000000 x19: ffff0000814e4a80 x18: ffffffffffffffff\nx17: 000000000000001c x16: ffffcce72b4553f4 x15: ffff80008805b8a7\nx14: 0000000000000000 x13: 0000000000000030 x12: 0101010101010101\nx11: 7f7f7f7f7f7f7f7f x10: c2ac898b17576267 x9 : ffffcce720fa5404\nx8 : ffff000080812138 x7 : 0000000000002e9a x6 : 0000000000000080\nx5 : ffff00008de3b000 x4 : 0000000000000000 x3 : 0000000000000001\nx2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\nCall trace:\n mlxbf_gige_handle_tx_complete+0xc8/0x170 [mlxbf_gige]\n mlxbf_gige_poll+0x54/0x160 [mlxbf_gige]\n __napi_poll+0x40/0x1c8\n net_rx_action+0x314/0x3a0\n __do_softirq+0x128/0x334\n run_ksoftirqd+0x54/0x6c\n smpboot_thread_fn+0x14c/0x190\n kthread+0x10c/0x110\n ret_from_fork+0x10/0x20\nCode: 8b070000 f9000ea0 f95056c0 f86178a1 (b9407002)\n---[ end trace 7cc3941aa0d8e6a4 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\nKernel Offset: 0x4ce722520000 from 0xffff800008000000\nPHYS_OFFSET: 0x80000000\nCPU features: 0x000005c1,a3330e5a\nMemory Limit: none\n---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---\n\nDuring system shutdown, the mlxbf_gige driver's shutdown() is always executed.\nHowever, the driver's stop() method will only execute if networking interface\nconfiguration logic within the Linux distribution has been setup to do so.\n\nIf shutdown() executes but stop() does not execute, NAPI remains enabled\nand this can lead to an exception if NAPI is scheduled while the hardware\ninterface has only been partially deinitialized.\n\nThe networking interface managed by the mlxbf_gige driver must be properly\nstopped during system shutdown so that IFF_UP is cleared, the hardware\ninterface is put into a clean state, and NAPI is fully deinitialized.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35885", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35885" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/cdbe0be8874c63bca85b8c38e5b1eecbdd18df31" + }, + { + "url": "https://git.kernel.org/stable/c/faf51b201bc42adf500945732abb6220c707d6f3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26913" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/faf51b201bc42adf500945732abb6220c707d6f3(6.8-rc3)" + } + ], + "bom-ref": "vuln-672", + "ratings": [ + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913" + } + }, + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26913" + } + } + ], + "created": "2024-04-17T16:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue\n\n[why]\nodm calculation is missing for pipe split policy determination\nand cause Underflow/Corruption issue.\n\n[how]\nAdd the odm calculation.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26913", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913" + }, + "cwes": [ + 191 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-29T19:29:54Z" + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/2309b369fae2d9cdc3c945cd3eaec84eb1958ca3" + }, + { + "url": "https://git.kernel.org/stable/c/498f1d6da11ed6d736d655a2db14ee2d9569eecb" + }, + { + "url": "https://git.kernel.org/stable/c/73426c32e259c767d40613b956d5b80d0c28a9a9" + }, + { + "url": "https://git.kernel.org/stable/c/4eacb242e22e31385a50a393681d0fe4b55ed1e9" + }, + { + "url": "https://git.kernel.org/stable/c/01d4e3afe257768cd2a45f15a0e57bacf932b140" + }, + { + "url": "https://git.kernel.org/stable/c/6f254abae02abd4a0aca062c1b3812d7e2d8ea94" + }, + { + "url": "https://git.kernel.org/stable/c/f99b494b40431f0ca416859f2345746199398e2b" + }, + { + "url": "https://git.kernel.org/stable/c/cbba77abb4a553c1f5afac1ba2a0861aa1f13549" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27422" + }, + { + "url": "https://git.kernel.org/linus/f99b494b40431f0ca416859f2345746199398e2b(6.8)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-673", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27422" + } + } + ], + "created": "2024-05-17T12:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-27422", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27422" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/e0e1958f4c365e380b17ccb35617345b31ef7bf3" + }, + { + "url": "https://git.kernel.org/stable/c/8e44dc3f96e903815dab1d74fff8faafdc6feb61" + }, + { + "url": "https://git.kernel.org/stable/c/bc6ef64dbe71136f327d63b2b9071b828af2c2a8" + }, + { + "url": "https://git.kernel.org/stable/c/32e8f2d95528d45828c613417cb2827d866cbdce" + }, + { + "url": "https://git.kernel.org/stable/c/bacdaa04251382d7efd4f09f9a0686bfcc297e2e" + }, + { + "url": "https://git.kernel.org/stable/c/81b4249ef37297fb17ba102a524039a05c6c5d35" + }, + { + "url": "https://git.kernel.org/stable/c/93df0a2a0b3cde2d7ab3a52ed46ea1d6d4aaba5f" + }, + { + "url": "https://git.kernel.org/stable/c/1696d6d7d4a1b373e96428d0fe1166bd7c3c795e" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6741-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6740-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/e0e1958f4c365e380b17ccb35617345b31ef7bf3(6.8-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-3" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52600" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6739-1" + } + ], + "bom-ref": "vuln-674", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52600" + } + } + ], + "created": "2024-03-06T07:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix uaf in jfs_evict_inode\n\nWhen the execution of diMount(ipimap) fails, the object ipimap that has been\nreleased may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs\nwhen rcu_core() calls jfs_free_node().\n\nTherefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as\nipimap.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52600" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/417e91e856099e9b8a42a2520e2255e6afe024be" + }, + { + "url": "https://git.kernel.org/stable/c/f1b7f14130d782433bc98c1e1e41ce6b4d4c3096" + }, + { + "url": "https://git.kernel.org/stable/c/30fabe50a7ace3e9d57cf7f9288f33ea408491c8" + }, + { + "url": "https://git.kernel.org/stable/c/b565d294e3d5aa809566a4d819835da11997d8b3" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35908" + }, + { + "url": "https://git.kernel.org/linus/417e91e856099e9b8a42a2520e2255e6afe024be(6.9-rc2)" + } + ], + "bom-ref": "vuln-675", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35908" + } + } + ], + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: get psock ref after taking rxlock to avoid leak\n\nAt the start of tls_sw_recvmsg, we take a reference on the psock, and\nthen call tls_rx_reader_lock. If that fails, we return directly\nwithout releasing the reference.\n\nInstead of adding a new label, just take the reference after locking\nhas succeeded, since we don't need it before.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35908", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35908" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d6b2fe2db1d0927b2d7df5c763eba55d0e1def3c" + }, + { + "url": "https://git.kernel.org/stable/c/48bfb4b03c5ff6e1fa1dc73fb915e150b0968c40" + }, + { + "url": "https://git.kernel.org/stable/c/5343f724c912c77541029123f47ecd3d2ea63bdd" + }, + { + "url": "https://git.kernel.org/stable/c/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35932" + }, + { + "url": "https://git.kernel.org/linus/5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-676", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35932" + } + } + ], + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: don't check if plane->state->fb == state->fb\n\nCurrently, when using non-blocking commits, we can see the following\nkernel warning:\n\n[ 110.908514] ------------[ cut here ]------------\n[ 110.908529] refcount_t: underflow; use-after-free.\n[ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0\n[ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6\n[ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32\n[ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)\n[ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0\n[ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0\n[ 110.909170] sp : ffffffc00913b9c0\n[ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60\n[ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480\n[ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78\n[ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000\n[ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004\n[ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003\n[ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00\n[ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572\n[ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000\n[ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001\n[ 110.909434] Call trace:\n[ 110.909441] refcount_dec_not_one+0xb8/0xc0\n[ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]\n[ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4]\n[ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]\n[ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4]\n[ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper]\n[ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]\n[ 110.911716] drm_atomic_commit+0xb0/0xdc [drm]\n[ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm]\n[ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm]\n[ 110.914091] drm_ioctl+0x24c/0x3b0 [drm]\n[ 110.914850] __arm64_sys_ioctl+0x9c/0xd4\n[ 110.914873] invoke_syscall+0x4c/0x114\n[ 110.914897] el0_svc_common+0xd0/0x118\n[ 110.914917] do_el0_svc+0x38/0xd0\n[ 110.914936] el0_svc+0x30/0x8c\n[ 110.914958] el0t_64_sync_handler+0x84/0xf0\n[ 110.914979] el0t_64_sync+0x18c/0x190\n[ 110.914996] ---[ end trace 0000000000000000 ]---\n\nThis happens because, although `prepare_fb` and `cleanup_fb` are\nperfectly balanced, we cannot guarantee consistency in the check\nplane->state->fb == state->fb. This means that sometimes we can increase\nthe refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The\nopposite can also be true.\n\nIn fact, the struct drm_plane .state shouldn't be accessed directly\nbut instead, the `drm_atomic_get_new_plane_state()` helper function should\nbe used. So, we could stick to this check, but using\n`drm_atomic_get_new_plane_state()`. But actually, this check is not re\n---truncated---", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35932", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35932" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/65c38f23d10ff79feea1e5d50b76dc7af383c1e6" + }, + { + "url": "https://git.kernel.org/stable/c/9e02973dbc6a91e40aa4f5d87b8c47446fbfce44" + }, + { + "url": "https://git.kernel.org/stable/c/91b020aaa1e59bfb669d34c968e3db3d5416bcee" + }, + { + "url": "https://git.kernel.org/stable/c/82831e3ff76ef09fb184eb93b79a3eb3fb284f1d" + }, + { + "url": "https://git.kernel.org/stable/c/8391b9b651cfdf80ab0f1dc4a489f9d67386e197" + }, + { + "url": "https://git.kernel.org/stable/c/02b08db594e8218cfbc0e4680d4331b457968a9b" + }, + { + "url": "https://git.kernel.org/stable/c/953f42934533c151f440cd32390044d2396b87aa" + }, + { + "url": "https://git.kernel.org/stable/c/5559cea2d5aa3018a5f00dd2aca3427ba09b386b" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26735" + }, + { + "url": "https://git.kernel.org/linus/5559cea2d5aa3018a5f00dd2aca3427ba09b386b(6.8-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6777-2" + } + ], + "bom-ref": "vuln-677", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26735" + } + } + ], + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix possible use-after-free and null-ptr-deref\n\nThe pernet operations structure for the subsystem must be registered\nbefore registering the generic netlink family.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26735", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26735" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:04:56Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1acbca933313aa866e39996904c9aca4d435c4cd" + }, + { + "url": "https://git.kernel.org/stable/c/92b0f04e937665bde5768f3fcc622dcce44413d8" + }, + { + "url": "https://git.kernel.org/stable/c/b61e3b7055ac6edee4be071c52f48c26472d2624" + }, + { + "url": "https://git.kernel.org/stable/c/10e4b5166df9ff7a2d5316138ca668b42d004422" + }, + { + "url": "https://git.kernel.org/stable/c/21c7c00dae55cb0e3810d5f9506b58f68475d41d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35801" + }, + { + "url": "https://git.kernel.org/linus/10e4b5166df9ff7a2d5316138ca668b42d004422(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-678", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35801" + } + } + ], + "created": "2024-05-17T14:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Keep xfd_state in sync with MSR_IA32_XFD\n\nCommit 672365477ae8 (\"x86/fpu: Update XFD state where required\") and\ncommit 8bf26758ca96 (\"x86/fpu: Add XFD state to fpstate\") introduced a\nper CPU variable xfd_state to keep the MSR_IA32_XFD value cached, in\norder to avoid unnecessary writes to the MSR.\n\nOn CPU hotplug MSR_IA32_XFD is reset to the init_fpstate.xfd, which\nwipes out any stale state. But the per CPU cached xfd value is not\nreset, which brings them out of sync.\n\nAs a consequence a subsequent xfd_update_state() might fail to update\nthe MSR which in turn can result in XRSTOR raising a #NM in kernel\nspace, which crashes the kernel.\n\nTo fix this, introduce xfd_set_state() to write xfd_state together\nwith MSR_IA32_XFD, and use it in all places that set MSR_IA32_XFD.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35801", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35801" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/f8dcafcb54632536684336161da8bdd52120f95e" + }, + { + "url": "https://git.kernel.org/stable/c/e821d50ab5b956ed0effa49faaf29912fd4106d9" + }, + { + "url": "https://git.kernel.org/stable/c/9a3881b1f07db1bb55cb0108e6f05cfd027eaf2e" + }, + { + "url": "https://git.kernel.org/stable/c/521f28eedd6b14228c46e3b81e3bf9b90c2818d8" + }, + { + "url": "https://git.kernel.org/linus/e821d50ab5b956ed0effa49faaf29912fd4106d9(6.8-rc1)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52584" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + } + ], + "bom-ref": "vuln-679", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52584" + } + } + ], + "created": "2024-03-06T07:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: mediatek: Fix UAF on device remove\n\nThe pmif driver data that contains the clocks is allocated along with\nspmi_controller.\nOn device remove, spmi_controller will be freed first, and then devres\n, including the clocks, will be cleanup.\nThis leads to UAF because putting the clocks will access the clocks in\nthe pmif driver data, which is already freed along with spmi_controller.\n\nThis can be reproduced by enabling DEBUG_TEST_DRIVER_REMOVE and\nbuilding the kernel with KASAN.\n\nFix the UAF issue by using unmanaged clk_bulk_get() and putting the\nclocks before freeing spmi_controller.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52584", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52584" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lore.kernel.org/lkml/5kn47peabxjrptkqa6dwtyus35ahf4pcj4qm4pumse33kxqpjw@mec4se5relrc/T/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2024-0340" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257406" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-053.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-061.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-3" + }, + { + "url": "https://git.kernel.org/linus/4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9(6.4-rc6)" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6686-5" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.10-2024-051.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-4" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6681-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-549.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6705-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6716-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0340" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2024-062.html" + } + ], + "bom-ref": "vuln-680", + "ratings": [ + { + "severity": "none", + "score": 0.00042, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0340" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" + } + } + ], + "created": "2024-01-09T18:15:47Z", + "description": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-0340", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" + }, + "cwes": [ + 200 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-01-16T18:49:46Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T15:55:59Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/17772bbe9cfa972ea1ff827319f6e1340de76566" + }, + { + "url": "https://git.kernel.org/stable/c/4aa554832b9dc9e66249df75b8f447d87853e12e" + }, + { + "url": "https://git.kernel.org/stable/c/fc99f4e2d2f1ce766c14e98463c2839194ae964f" + }, + { + "url": "https://git.kernel.org/stable/c/f19b1023a3758f40791ec166038d6411c8894ae3" + }, + { + "url": "https://git.kernel.org/stable/c/8f599ab6fabbca4c741107eade70722a98adfd9f" + }, + { + "url": "https://git.kernel.org/stable/c/778c6ad40256f1c03244fc06d7cdf71f6b5e7310" + }, + { + "url": "https://git.kernel.org/stable/c/142d87c958d9454c3cffa625fab56f3016e8f9f3" + }, + { + "url": "https://git.kernel.org/stable/c/4b7c4fc60d6a46350fbe54f5dc937aeaa02e675e" + }, + { + "url": "https://git.kernel.org/stable/c/723012cab779eee8228376754e22c6594229bf8f" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35821" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/723012cab779eee8228376754e22c6594229bf8f(6.9-rc1)" + } + ], + "bom-ref": "vuln-681", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35821" + } + } + ], + "created": "2024-05-17T14:15:17Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Set page uptodate in the correct place\n\nPage cache reads are lockless, so setting the freshly allocated page\nuptodate before we've overwritten it with the data it's supposed to have\nin it will allow a simultaneous reader to see old data. Move the call\nto SetPageUptodate into ubifs_write_end(), which is after we copied the\nnew data into the page.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-35821", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35821" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/ee8db6475cb15c8122855f72ad4cfa5375af6a7b" + }, + { + "url": "https://git.kernel.org/stable/c/aaab47f204aaf47838241d57bf8662c8840de60a" + }, + { + "url": "https://git.kernel.org/stable/c/847b68f58c212f0439c5a8101b3841f32caffccd" + }, + { + "url": "https://git.kernel.org/stable/c/50545eb6cd5f7ff852a01fa29b7372524ef948cc" + }, + { + "url": "https://git.kernel.org/stable/c/947c3f3d31ea185ddc8e7f198873f17d36deb24c" + }, + { + "url": "https://git.kernel.org/linus/aaab47f204aaf47838241d57bf8662c8840de60a(6.8-rc4)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52641" + } + ], + "bom-ref": "vuln-682", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52641" + } + } + ], + "created": "2024-04-03T17:15:47Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add NULL ptr dereference checking at the end of attr_allocate_frame()\n\nIt is preferable to exit through the out: label because\ninternal debugging functions are located there.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52641", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52641" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/d76c8d7ffe163c6bf2f1ef680b0539c2b3902b90" + }, + { + "url": "https://git.kernel.org/stable/c/5d1935ac02ca5aee364a449a35e2977ea84509b0" + }, + { + "url": "https://git.kernel.org/stable/c/dc3e0f55bec4410f3d74352c4a7c79f518088ee2" + }, + { + "url": "https://git.kernel.org/stable/c/6d2cbf517dcabc093159cf138ad5712c9c7fa954" + }, + { + "url": "https://git.kernel.org/stable/c/8b1413dbfe49646eda2c00c0f1144ee9d3368e0c" + }, + { + "url": "https://git.kernel.org/stable/c/cfbbb3199e71b63fc26cee0ebff327c47128a1e8" + }, + { + "url": "https://git.kernel.org/stable/c/b183fe8702e78bba3dcef8e7193cab6898abee07" + }, + { + "url": "https://git.kernel.org/stable/c/cd1f93ca97a9136989f3bd2bf90696732a2ed644" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6765-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6767-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + }, + { + "url": "https://git.kernel.org/linus/5d1935ac02ca5aee364a449a35e2977ea84509b0(6.8-rc1)" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52622" + } + ], + "bom-ref": "vuln-683", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52622" + } + } + ], + "created": "2024-03-26T18:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid online resizing failures due to oversized flex bg\n\nWhen we online resize an ext4 filesystem with a oversized flexbg_size,\n\n mkfs.ext4 -F -G 67108864 $dev -b 4096 100M\n mount $dev $dir\n resize2fs $dev 16G\n\nthe following WARN_ON is triggered:\n==================================================================\nWARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550\nModules linked in: sg(E)\nCPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314\nRIP: 0010:__alloc_pages+0x411/0x550\nCall Trace:\n \n __kmalloc_large_node+0xa2/0x200\n __kmalloc+0x16e/0x290\n ext4_resize_fs+0x481/0xd80\n __ext4_ioctl+0x1616/0x1d90\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0xf0/0x150\n do_syscall_64+0x3b/0x90\n==================================================================\n\nThis is because flexbg_size is too large and the size of the new_group_data\narray to be allocated exceeds MAX_ORDER. Currently, the minimum value of\nMAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding\nmaximum number of groups that can be allocated is:\n\n (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845\n\nAnd the value that is down-aligned to the power of 2 is 16384. Therefore,\nthis value is defined as MAX_RESIZE_BG, and the number of groups added\neach time does not exceed this value during resizing, and is added multiple\ntimes to complete the online resizing. The difference is that the metadata\nin a flex_bg may be more dispersed.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52622", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52622" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-11T01:22:50Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/6a9d552483d50953320b9d3b57abdee8d436f23f" + }, + { + "url": "https://git.kernel.org/stable/c/9f6087851ec6dce5b15f694aeaf3e8ec8243224e" + }, + { + "url": "https://git.kernel.org/stable/c/93d8109bf182510629bbefc8cd45296d2393987f" + }, + { + "url": "https://git.kernel.org/stable/c/d98210108e7b2ff64b332b0a3541c8ad6a0617b0" + }, + { + "url": "https://git.kernel.org/stable/c/caf2da1d4562de4e35eedec0be2b7f1ee25d83be" + }, + { + "url": "https://git.kernel.org/stable/c/93136132d1b5792bf44151e3494ae3691cd738e8" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://git.kernel.org/linus/6a9d552483d50953320b9d3b57abdee8d436f23f(6.8-rc5)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52642" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" + } + ], + "bom-ref": "vuln-684", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52642" + } + } + ], + "created": "2024-04-17T10:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: bpf attach/detach requires write permission\n\nNote that bpf attach/detach also requires CAP_NET_ADMIN.", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2023-52642", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52642" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/96c8751844171af4b3898fee3857ee180586f589" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34151" + "url": "https://git.kernel.org/stable/c/b7cc4ff787a572edf2c55caeffaa88cd801eb135" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-301.html" + "url": "https://git.kernel.org/stable/c/6887314f5356389fc219b8152e951ac084a10ef7" }, { - "url": "https://ubuntu.com/security/notices/USN-6200-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1844.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27062" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036999" + "url": "https://git.kernel.org/linus/b7cc4ff787a572edf2c55caeffaa88cd801eb135(6.8)" } ], - "bom-ref": "vuln-53", + "bom-ref": "vuln-685", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151" - } - }, { "severity": "none", - "score": 0.00046, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27062" } } ], - "created": "2023-05-30T22:15:11Z", - "description": "A vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).", + "created": "2024-05-01T13:15:50Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau: lock the client object tree.\n\nIt appears the client object tree has no locking unless I've missed\nsomething else. Fix races around adding/removing client objects,\nmostly vram bar mappings.\n\n 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI\n[ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27\n[ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021\n[ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe\n[ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206\n[ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58\n[ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400\n[ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000\n[ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0\n[ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007\n[ 4562.099528] FS: 00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000\n[ 4562.099534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0\n[ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 4562.099544] Call Trace:\n[ 4562.099555] \n[ 4562.099573] ? die_addr+0x36/0x90\n[ 4562.099583] ? exc_general_protection+0x246/0x4a0\n[ 4562.099593] ? asm_exc_general_protection+0x26/0x30\n[ 4562.099600] ? nvkm_object_search+0x1d/0x70 [nouveau]\n[ 4562.099730] nvkm_ioctl+0xa1/0x250 [nouveau]\n[ 4562.099861] nvif_object_map_handle+0xc8/0x180 [nouveau]\n[ 4562.099986] nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]\n[ 4562.100156] ? dma_resv_test_signaled+0x26/0xb0\n[ 4562.100163] ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]\n[ 4562.100182] ? __mutex_unlock_slowpath+0x2a/0x270\n[ 4562.100189] nouveau_ttm_fault+0x69/0xb0 [nouveau]\n[ 4562.100356] __do_fault+0x32/0x150\n[ 4562.100362] do_fault+0x7c/0x560\n[ 4562.100369] __handle_mm_fault+0x800/0xc10\n[ 4562.100382] handle_mm_fault+0x17c/0x3e0\n[ 4562.100388] do_user_addr_fault+0x208/0x860\n[ 4562.100395] exc_page_fault+0x7f/0x200\n[ 4562.100402] asm_exc_page_fault+0x26/0x30\n[ 4562.100412] RIP: 0033:0x9b9870\n[ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7\n[ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246\n[ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000\n[ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066\n[ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000\n[ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff\n[ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000\n[ 4562.100446] \n[ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink \n---truncated---", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2023-34151", + "id": "CVE-2024-27062", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34151" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27062" }, - "cwes": [ - 190 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-22T11:15:08Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-26T13:57:20Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" - } - ] + "updated": "2024-05-01T19:50:25Z" }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254054" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2024:0723" + "url": "https://git.kernel.org/stable/c/f7f0e784894dfcb265f0f9fa499103b0ca7eabde" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/06a093807eb7b5c5b29b6cff49f8174a4e702341" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0725" + "url": "https://git.kernel.org/stable/c/c0a40f2f8eba07416f695ffe2011bf3f8b0b6dc8" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6356" + "url": "https://git.kernel.org/stable/c/99a75d75007421d8e08ba139e24f77395cd08f62" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/28db0ae86cb91a4ab0e855cff779daead936b7d5" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35912" }, { - "url": "https://lore.kernel.org/linux-nvme/CAK5usQupQgYoyav2itYADv2XVooMptqqswW8cTkuoMkRpjapwQ@mail.gmail.com/T/" + "url": "https://git.kernel.org/linus/06a093807eb7b5c5b29b6cff49f8174a4e702341(6.9-rc2)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6356" } ], - "bom-ref": "vuln-54", + "bom-ref": "vuln-686", "ratings": [ { "severity": "none", - "score": 0.00144, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35912" } } ], - "created": "2024-02-07T21:15:08Z", - "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver and causing kernel panic and a denial of service.", + "created": "2024-05-19T09:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: rfi: fix potential response leaks\n\nIf the rx payload length check fails, or if kmemdup() fails,\nwe still need to free the command response. Fix that.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-6356", + "id": "CVE-2024-35912", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6356" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35912" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T15:15:08Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/0954982db8283016bf38e9db2da5adf47a102e19" + "url": "https://git.kernel.org/stable/c/857ed800133ffcfcee28582090b63b0cbb8ba59d" }, { - "url": "https://git.kernel.org/stable/c/6b4a64bafd107e521c01eec3453ce94a3fb38529" + "url": "https://git.kernel.org/stable/c/63d814d93c5cce4c18284adc810028f28dca493f" }, { - "url": "https://git.kernel.org/stable/c/fbcf372c8eda2290470268e0afb5ab5d5f5d5fde" + "url": "https://git.kernel.org/stable/c/5bfe7bf9656ed2633718388f12b7c38b86414a04" + }, + { + "url": "https://git.kernel.org/stable/c/fb4e2b70a7194b209fc7320bbf33b375f7114bd5" + }, + { + "url": "https://git.kernel.org/stable/c/de1aaefa75be9d0ec19c9a3e0e2f9696de20c6ab" + }, + { + "url": "https://git.kernel.org/stable/c/51cefc9da400b953fee749c9e5d26cd4a2b5d758" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52452" + "url": "https://git.kernel.org/stable/c/d72dd6fcd7886d0523afbab8b4a4b22d17addd7d" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35852" + }, + { + "url": "https://git.kernel.org/linus/fb4e2b70a7194b209fc7320bbf33b375f7114bd5(6.9-rc6)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-55", + "bom-ref": "vuln-687", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35852" } } ], - "created": "2024-02-22T17:15:08Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix accesses to uninit stack slots\n\nPrivileged programs are supposed to be able to read uninitialized stack\nmemory (ever since 6715df8d5) but, before this patch, these accesses\nwere permitted inconsistently. In particular, accesses were permitted\nabove state->allocated_stack, but not below it. In other words, if the\nstack was already \"large enough\", the access was permitted, but\notherwise the access was rejected instead of being allowed to \"grow the\nstack\". This undesired rejection was happening in two places:\n- in check_stack_slot_within_bounds()\n- in check_stack_range_initialized()\nThis patch arranges for these accesses to be permitted. A bunch of tests\nthat were relying on the old rejection had to change; all of them were\nchanged to add also run unprivileged, in which case the old behavior\npersists. One tests couldn't be updated - global_func16 - because it\ncan't run unprivileged for other reasons.\n\nThis patch also fixes the tracking of the stack size for variable-offset\nreads. This second fix is bundled in the same commit as the first one\nbecause they're inter-related. Before this patch, writes to the stack\nusing registers containing a variable offset (as opposed to registers\nwith fixed, known values) were not properly contributing to the\nfunction's needed stack size. As a result, it was possible for a program\nto verify, but then to attempt to read out-of-bounds data at runtime\nbecause a too small stack had been allocated for it.\n\nEach function tracks the size of the stack it needs in\nbpf_subprog_info.stack_depth, which is maintained by\nupdate_stack_depth(). For regular memory accesses, check_mem_access()\nwas calling update_state_depth() but it was passing in only the fixed\npart of the offset register, ignoring the variable offset. This was\nincorrect; the minimum possible value of that register should be used\ninstead.\n\nThis tracking is now fixed by centralizing the tracking of stack size in\ngrow_stack_state(), and by lifting the calls to grow_stack_state() to\ncheck_stack_access_within_bounds() as suggested by Andrii. The code is\nnow simpler and more convincingly tracks the correct maximum stack size.\ncheck_stack_range_initialized() can now rely on enough stack having been\nallocated for the access; this helps with the fix for the first issue.\n\nA few tests were changed to also check the stack depth computation. The\none that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.", + "created": "2024-05-17T15:15:22Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work\n\nThe rehash delayed work is rescheduled with a delay if the number of\ncredits at end of the work is not negative as supposedly it means that\nthe migration ended. Otherwise, it is rescheduled immediately.\n\nAfter \"mlxsw: spectrum_acl_tcam: Fix possible use-after-free during\nrehash\" the above is no longer accurate as a non-negative number of\ncredits is no longer indicative of the migration being done. It can also\nhappen if the work encountered an error in which case the migration will\nresume the next time the work is scheduled.\n\nThe significance of the above is that it is possible for the work to be\npending and associated with hints that were allocated when the migration\nstarted. This leads to the hints being leaked [1] when the work is\ncanceled while pending as part of ACL region dismantle.\n\nFix by freeing the hints if hints are associated with a work that was\ncanceled while pending.\n\nBlame the original commit since the reliance on not having a pending\nwork associated with hints is fragile.\n\n[1]\nunreferenced object 0xffff88810e7c3000 (size 256):\n comm \"kworker/0:16\", pid 176, jiffies 4295460353\n hex dump (first 32 bytes):\n 00 30 95 11 81 88 ff ff 61 00 00 00 00 00 00 80 .0......a.......\n 00 00 61 00 40 00 00 00 00 00 00 00 04 00 00 00 ..a.@...........\n backtrace (crc 2544ddb9):\n [<00000000cf8cfab3>] kmalloc_trace+0x23f/0x2a0\n [<000000004d9a1ad9>] objagg_hints_get+0x42/0x390\n [<000000000b143cf3>] mlxsw_sp_acl_erp_rehash_hints_get+0xca/0x400\n [<0000000059bdb60a>] mlxsw_sp_acl_tcam_vregion_rehash_work+0x868/0x1160\n [<00000000e81fd734>] process_one_work+0x59c/0xf20\n [<00000000ceee9e81>] worker_thread+0x799/0x12c0\n [<00000000bda6fe39>] kthread+0x246/0x300\n [<0000000070056d23>] ret_from_fork+0x34/0x70\n [<00000000dea2b93e>] ret_from_fork_asm+0x1a/0x30", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-52452", + "id": "CVE-2024-35852", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52452" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35852" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-22T19:07:27Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/844f104790bd69c2e4dbb9ee3eba46fde1fcea7b" + "url": "https://git.kernel.org/stable/c/6e2276203ac9ff10fc76917ec9813c660f627369" }, { - "url": "https://git.kernel.org/stable/c/dbd909c20c11f0d29c0054d41e0d1f668a60e8c8" + "url": "https://git.kernel.org/stable/c/c432094aa7c9970f2fa10d2305d550d3810657ce" + }, + { + "url": "https://git.kernel.org/stable/c/9d508c897153ae8dd79303f7f035f078139f6b49" + }, + { + "url": "https://git.kernel.org/stable/c/f2a5e30d1e9a629de6179fa23923a318d5feb29e" + }, + { + "url": "https://git.kernel.org/stable/c/4fe4e5adc7d29d214c59b59f61db73dec505ca3d" + }, + { + "url": "https://git.kernel.org/stable/c/7b24760f3a3c7ae1a176d343136b6c25174b7b27" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26596" + "url": "https://git.kernel.org/linus/6e2276203ac9ff10fc76917ec9813c660f627369(6.8-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26771" } ], - "bom-ref": "vuln-56", + "bom-ref": "vuln-688", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26771" } } ], - "created": "2024-02-23T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events\n\nAfter the blamed commit, we started doing this dereference for every\nNETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.\n\nstatic inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)\n{\n\tstruct dsa_user_priv *p = netdev_priv(dev);\n\n\treturn p->dp;\n}\n\nWhich is obviously bogus, because not all net_devices have a netdev_priv()\nof type struct dsa_user_priv. But struct dsa_user_priv is fairly small,\nand p->dp means dereferencing 8 bytes starting with offset 16. Most\ndrivers allocate that much private memory anyway, making our access not\nfault, and we discard the bogus data quickly afterwards, so this wasn't\ncaught.\n\nBut the dummy interface is somewhat special in that it calls\nalloc_netdev() with a priv size of 0. So every netdev_priv() dereference\nis invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event\nwith a VLAN as its new upper:\n\n$ ip link add dummy1 type dummy\n$ ip link add link dummy1 name dummy1.100 type vlan id 100\n[ 43.309174] ==================================================================\n[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8\n[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374\n[ 43.330058]\n[ 43.342436] Call trace:\n[ 43.366542] dsa_user_prechangeupper+0x30/0xe8\n[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8\n[ 43.375768] notifier_call_chain+0xa4/0x210\n[ 43.379985] raw_notifier_call_chain+0x24/0x38\n[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8\n[ 43.389120] netdev_upper_dev_link+0x70/0xa8\n[ 43.393424] register_vlan_dev+0x1bc/0x310\n[ 43.397554] vlan_newlink+0x210/0x248\n[ 43.401247] rtnl_newlink+0x9fc/0xe30\n[ 43.404942] rtnetlink_rcv_msg+0x378/0x580\n\nAvoid the kernel oops by dereferencing after the type check, as customary.", + "created": "2024-04-03T17:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: edma: Add some null pointer checks to the edma_probe\n\ndevm_kasprintf() returns a pointer to dynamically allocated memory\nwhich can be NULL upon failure. Ensure the allocation was successful\nby checking the pointer validity.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26596", + "id": "CVE-2024-26771", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26596" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26771" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T16:14:43Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22099" + "url": "https://git.kernel.org/stable/c/a3c8fa54e904b0ddb52a08cc2d8ac239054f61fd" + }, + { + "url": "https://git.kernel.org/stable/c/3773d65ae5154ed7df404b050fd7387a36ab5ef3" + }, + { + "url": "https://git.kernel.org/stable/c/cbebc55ceacef1fc0651e80e0103cc184552fc68" + }, + { + "url": "https://git.kernel.org/stable/c/a639441c880ac479495e5ab37e3c29f21ae5771b" + }, + { + "url": "https://git.kernel.org/linus/3773d65ae5154ed7df404b050fd7387a36ab5ef3(6.8-rc7)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27418" } ], - "bom-ref": "vuln-57", + "bom-ref": "vuln-689", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27418" } } ], - "created": "2024-01-25T07:15:08Z", - "description": "NULL Pointer Dereference vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. This vulnerability is associated with program files /net/bluetooth/rfcomm/core.C.\n\nThis issue affects Linux kernel: v2.6.12-rc2.\n\n", + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: take ownership of skb in mctp_local_output\n\nCurrently, mctp_local_output only takes ownership of skb on success, and\nwe may leak an skb if mctp_local_output fails in specific states; the\nskb ownership isn't transferred until the actual output routing occurs.\n\nInstead, make mctp_local_output free the skb on all error paths up to\nthe route action, so it always consumes the passed skb.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-22099", + "id": "CVE-2024-27418", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22099" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27418" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-31T20:32:02Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/54PLF5J33IRSLSR4UU6LQSMXX6FI5AOQ/" - }, - { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255497" + "url": "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" }, { - "url": "https://patchwork.kernel.org/project/linux-wireless/patch/20231208043433.271449-1-hdthky0@gmail.com/" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159764" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C25BK2YH5MZ6VNQXKF2NAJBTGXVEPKGC/" + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-7042" + "url": "https://access.redhat.com/security/cve/CVE-2023-0160" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7042" + "url": "https://lore.kernel.org/bpf/000000000000f1db9605f939720e@google.com/" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/commit/?h=ath-next&id=ad25ee36f00172f7d53242dc77c69fff7ced0755" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-0160" }, { - "url": "https://lore.kernel.org/all/20231208043433.271449-1-hdthky0@gmail.com/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-184.html" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git/log/?h=ath-next" + "url": "https://lore.kernel.org/all/20230406122622.109978-1-liuxin350@huawei.com/" } ], - "bom-ref": "vuln-58", + "bom-ref": "vuln-690", "ratings": [ { "severity": "none", "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-0160" } }, { @@ -15708,180 +58953,270 @@ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" } } ], - "created": "2023-12-21T20:15:09Z", - "description": "A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. This issue could be exploited to trigger a denial of service.", + "created": "2023-07-18T17:15:11Z", + "description": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-7042", + "id": "CVE-2023-0160", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7042" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" }, "cwes": [ - 476 + 667, + 833 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-01-22T05:15:08Z" + "updated": "2023-11-07T03:59:46Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-15T08:32:01Z" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/627e28cbb65564e55008315d9e02fbb90478beda" + "url": "https://git.kernel.org/stable/c/20e21c3c0195d915f33bc7321ee6b362177bf5bf" }, { - "url": "https://git.kernel.org/stable/c/8bd3eee7720c14b59a206bd05b98d7586bccf99a" + "url": "https://git.kernel.org/stable/c/338580a7fb9b0930bb38098007e89cc0fc496bf7" }, { - "url": "https://git.kernel.org/stable/c/627339cccdc9166792ecf96bc3c9f711a60ce996" + "url": "https://git.kernel.org/stable/c/6d35654f03c35c273240d85ec67e3f2c3596c4e0" }, { - "url": "https://git.kernel.org/stable/c/b2479ab426cef7ab79a13005650eff956223ced2" + "url": "https://git.kernel.org/stable/c/55e565c42dce81a4e49c13262d5bc4eb4c2e588a" }, { - "url": "https://git.kernel.org/stable/c/d877550eaf2dc9090d782864c96939397a3c6835" + "url": "https://git.kernel.org/stable/c/74abc2fe09691f3d836d8a54d599ca71f1e4287b" }, { - "url": "https://git.kernel.org/linus/d877550eaf2dc9090d782864c96939397a3c6835(6.8-rc4)" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26860" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26603" + "url": "https://git.kernel.org/linus/55e565c42dce81a4e49c13262d5bc4eb4c2e588a(6.9-rc1)" } ], - "bom-ref": "vuln-59", + "bom-ref": "vuln-691", "ratings": [ { "severity": "none", "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26860" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: Stop relying on userspace for info to fault in xsave buffer\n\nBefore this change, the expected size of the user space buffer was\ntaken from fx_sw->xstate_size. fx_sw->xstate_size can be changed\nfrom user-space, so it is possible construct a sigreturn frame where:\n\n * fx_sw->xstate_size is smaller than the size required by valid bits in\n fx_sw->xfeatures.\n * user-space unmaps parts of the sigrame fpu buffer so that not all of\n the buffer required by xrstor is accessible.\n\nIn this case, xrstor tries to restore and accesses the unmapped area\nwhich results in a fault. But fault_in_readable succeeds because buf +\nfx_sw->xstate_size is within the still mapped area, so it goes back and\ntries xrstor again. It will spin in this loop forever.\n\nInstead, fault in the maximum size which can be touched by XRSTOR (taken\nfrom fpstate->user_size).\n\n[ dhansen: tweak subject / changelog ]", + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-integrity: fix a memory leak when rechecking the data\n\nMemory for the \"checksums\" pointer will leak if the data is rechecked\nafter checksum failure (because the associated kfree won't happen due\nto 'goto skip_io').\n\nFix this by freeing the checksums memory before recheck, and just use\nthe \"checksum_onstack\" memory for storing checksum during recheck.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26603", + "id": "CVE-2024-26860", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26603" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26860" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-01T14:15:54Z", + "updated": "2024-04-17T12:48:07Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/aeedaee5ef5468caf59e2bb1265c2116e0c9a924" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T06:38:14Z" + "url": "https://git.kernel.org/stable/c/28a94271bd50e4cf498df0381f776f8ea40a289e" + }, + { + "url": "https://git.kernel.org/stable/c/955c1252930677762e0db2b6b9e36938c887445c" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26876" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/aeedaee5ef5468caf59e2bb1265c2116e0c9a924(6.9-rc1)" } - ] + ], + "bom-ref": "vuln-692", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26876" + } + } + ], + "created": "2024-04-17T11:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/bridge: adv7511: fix crash on irq during probe\n\nMoved IRQ registration down to end of adv7511_probe().\n\nIf an IRQ already is pending during adv7511_probe\n(before adv7511_cec_init) then cec_received_msg_ts\ncould crash using uninitialized data:\n\n Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5\n Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP\n Call trace:\n cec_received_msg_ts+0x48/0x990 [cec]\n adv7511_cec_irq_process+0x1cc/0x308 [adv7511]\n adv7511_irq_process+0xd8/0x120 [adv7511]\n adv7511_irq_handler+0x1c/0x30 [adv7511]\n irq_thread_fn+0x30/0xa0\n irq_thread+0x14c/0x238\n kthread+0x190/0x1a8", + "affects": [ + { + "ref": "comp-399" + } + ], + "id": "CVE-2024-26876", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26876" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-04-17T12:48:07Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/97830f3c3088638ff90b20dfba2eb4d487bf14d7" + "url": "https://git.kernel.org/stable/c/15641007df0f0d35fa28742b25c2a7db9dcd6895" }, { - "url": "https://git.kernel.org/stable/c/a423042052ec2bdbf1e552e621e6a768922363cc" + "url": "https://git.kernel.org/stable/c/43f798b9036491fb014b55dd61c4c5c3193267d0" }, { - "url": "https://git.kernel.org/stable/c/93b372c39c40cbf179e56621e6bc48240943af69" + "url": "https://git.kernel.org/stable/c/7070b274c7866a4c5036f8d54fcaf315c64ac33a" }, { - "url": "https://git.kernel.org/stable/c/dd64bb8329ce0ea27bc557e4160c2688835402ac" + "url": "https://git.kernel.org/stable/c/21e5fa4688e1a4d3db6b72216231b24232f75c1d" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/ca1f06e72dec41ae4f76e7b1a8a97265447b46ae" }, { - "url": "https://git.kernel.org/stable/c/90e09c016d72b91e76de25f71c7b93d94cc3c769" + "url": "https://git.kernel.org/stable/c/f06899582ccee09bd85d0696290e3eaca9aa042d" }, { - "url": "https://git.kernel.org/stable/c/42beab162dcee1e691ee4934292d51581c29df61" + "url": "https://git.kernel.org/stable/c/0971126c8164abe2004b8536b49690a0d6005b0a" }, { - "url": "https://git.kernel.org/stable/c/a7ae586f6f6024f490b8546c8c84670f96bb9b68" + "url": "https://git.kernel.org/stable/c/7a4b21250bf79eef26543d35bd390448646c536b" }, { - "url": "https://git.kernel.org/stable/c/82722b453dc2f967b172603e389ee7dc1b3137cc" + "url": "https://git.kernel.org/stable/c/d0e214acc59145ce25113f617311aa79dda39cb3" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26883" }, { - "url": "https://git.kernel.org/linus/97830f3c3088638ff90b20dfba2eb4d487bf14d7(6.8-rc3)" + "url": "https://git.kernel.org/linus/7a4b21250bf79eef26543d35bd390448646c536b(6.9-rc1)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26606" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-60", + "bom-ref": "vuln-693", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26883" + } + }, + { + "severity": "high", + "score": 7.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26883" } } ], - "created": "2024-02-26T16:28:00Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: signal epoll threads of self-work\n\nIn (e)poll mode, threads often depend on I/O events to determine when\ndata is ready for consumption. Within binder, a thread may initiate a\ncommand via BINDER_WRITE_READ without a read buffer and then make use\nof epoll_wait() or similar to consume any responses afterwards.\n\nIt is then crucial that epoll threads are signaled via wakeup when they\nqueue their own work. Otherwise, they risk waiting indefinitely for an\nevent leaving their work unhandled. What is worse, subsequent commands\nwon't trigger a wakeup either as the thread has pending work.", + "created": "2024-04-17T11:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix stackmap overflow check on 32-bit arches\n\nThe stackmap code relies on roundup_pow_of_two() to compute the number\nof hash buckets, and contains an overflow check by checking if the\nresulting value is 0. However, on 32-bit arches, the roundup code itself\ncan overflow by doing a 32-bit left-shift of an unsigned long value,\nwhich is undefined behaviour, so it is not guaranteed to truncate\nneatly. This was triggered by syzbot on the DEVMAP_HASH type, which\ncontains the same check, copied from the hashtab code.\n\nThe commit in the fixes tag actually attempted to fix this, but the fix\ndid not account for the UB, so the fix only works on CPUs where an\noverflow does result in a neat truncation to zero, which is not\nguaranteed. Checking the value before rounding does not have this\nproblem.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26606", + "id": "CVE-2024-26883", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26606" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26883" }, + "cwes": [ + 119 + ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-04-29T20:03:48Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/CA+UBctCZok5FSQ=LPRA+A-jocW=L8FuMVZ_7MNqhh483P5yN8A@mail.gmail.com/" + "url": "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5@xs4all.nl/" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31082" + "url": "https://lore.kernel.org/lkml/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/T/" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-23848" } ], - "bom-ref": "vuln-61", + "bom-ref": "vuln-694", "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-23848" + } + }, { "severity": "medium", "score": 5.5, @@ -15889,1551 +59224,1702 @@ "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" - } - }, - { - "severity": "none", - "score": 0.00043, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" } } ], - "created": "2023-04-24T06:15:07Z", - "description": "An issue was discovered in drivers/tty/n_gsm.c in the Linux kernel 6.2. There is a sleeping function called from an invalid context in gsmld_write, which will block the kernel.", + "created": "2024-01-23T09:15:35Z", + "description": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-31082", + "id": "CVE-2024-23848", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31082" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" }, "cwes": [ - 763 + 416 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:14:12Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" - } - ] + "updated": "2024-01-30T02:04:25Z" }, { "advisories": [ { - "url": "https://patchwork.kernel.org/project/linux-raid/patch/20240112071017.16313-1-2045gemini@gmail.com/" + "url": "https://git.kernel.org/stable/c/0977f89722eceba165700ea384f075143f012085" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/c119f4ede3fa90a9463f50831761c28f989bfb20" }, { - "url": "https://lore.kernel.org/linux-raid/20240112071017.16313-1-2045gemini@gmail.com/T/" + "url": "https://git.kernel.org/stable/c/b80ba648714e6d790d69610cf14656be222d0248" + }, + { + "url": "https://git.kernel.org/stable/c/da21401372607c49972ea87a6edaafb36a17c325" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23307" + "url": "https://git.kernel.org/stable/c/3160d9734453a40db248487f8204830879c207f1" + }, + { + "url": "https://git.kernel.org/linus/c119f4ede3fa90a9463f50831761c28f989bfb20(6.9-rc6)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26980" } ], - "bom-ref": "vuln-62", + "bom-ref": "vuln-695", "ratings": [ - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26980" } } ], - "created": "2024-01-25T07:15:09Z", - "description": "Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.", + "created": "2024-05-01T06:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf\n\nIf ->ProtocolId is SMB2_TRANSFORM_PROTO_NUM, smb2 request size\nvalidation could be skipped. if request size is smaller than\nsizeof(struct smb2_query_info_req), slab-out-of-bounds read can happen in\nsmb2_allocate_rsp_buf(). This patch allocate response buffer after\ndecrypting transform request. smb3_decrypt_req() will validate transform\nrequest size and avoid slab-out-of-bound in smb2_allocate_rsp_buf().", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-23307", + "id": "CVE-2024-26980", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23307" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26980" }, - "cwes": [ - 190 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-31T20:38:12Z" + "updated": "2024-05-17T11:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + "url": "https://git.kernel.org/stable/c/0caff3e6390f840666b8dc1ecebf985c2ef3f1dd" }, { - "url": "https://www.openssl.org/news/secadv/20240125.txt" + "url": "https://git.kernel.org/stable/c/2aacd4de45477582993f8a8abb9505a06426bfb6" }, { - "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + "url": "https://git.kernel.org/stable/c/f2a904107ee2b647bb7794a1a82b67740d7c8a64" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://git.kernel.org/stable/c/718df1bc226c383dd803397d7f5d95557eb81ac7" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://git.kernel.org/stable/c/25a1c2d4b1fcf938356a9688a96a6456abd44b29" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + "url": "https://git.kernel.org/stable/c/07b20d0a3dc13fb1adff10b60021a4924498da58" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + "url": "https://git.kernel.org/stable/c/2e74b3fd6bf542349758f283676dff3660327c07" + }, + { + "url": "https://git.kernel.org/stable/c/cd957d1716ec979d8f5bf38fc659aeb9fdaa2474" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27396" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/f2a904107ee2b647bb7794a1a82b67740d7c8a64(6.9-rc6)" } ], - "bom-ref": "vuln-63", + "bom-ref": "vuln-696", "ratings": [ { "severity": "none", - "score": 0.00228, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27396" } } ], - "created": "2024-01-26T09:15:07Z", - "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "created": "2024-05-14T15:12:27Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gtp: Fix Use-After-Free in gtp_dellink\n\nSince call_rcu, which is called in the hlist_for_each_entry_rcu traversal\nof gtp_dellink, is not part of the RCU read critical section, it\nis possible that the RCU grace period will pass during the traversal and\nthe key will be free.\n\nTo prevent this, it should be changed to hlist_for_each_entry_safe.", "affects": [ { - "ref": "comp-103" + "ref": "comp-399" } ], - "id": "CVE-2024-0727", + "id": "CVE-2024-27396", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27396" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-08T10:15:13Z" + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/d0a1efe417c97a1e9b914056ee6b86f1ef75fe1f" + "url": "https://git.kernel.org/stable/c/00cf21ac526011a29fc708f8912da446fac19f7b" }, { - "url": "https://git.kernel.org/stable/c/efeb7dfea8ee10cdec11b6b6ba4e405edbe75809" + "url": "https://git.kernel.org/stable/c/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e" }, { - "url": "https://git.kernel.org/stable/c/817840d125a370626895df269c50c923b79b0a39" + "url": "https://git.kernel.org/stable/c/11aabd7487857b8e7d768fefb092f66dfde68492" + }, + { + "url": "https://git.kernel.org/stable/c/950d4d74d311a18baed6878dbfba8180d7e5dddd" + }, + { + "url": "https://git.kernel.org/stable/c/ddc547dd05a46720866c32022300f7376c40119f" + }, + { + "url": "https://git.kernel.org/stable/c/4b73473c050a612fb4317831371073eda07c3050" + }, + { + "url": "https://git.kernel.org/stable/c/537e3f49dbe88881a6f0752beaa596942d9efd64" + }, + { + "url": "https://git.kernel.org/stable/c/62a5dcd9bd3097e9813de62fa6f22815e84a0172" + }, + { + "url": "https://git.kernel.org/linus/fccfa646ef3628097d59f7d9c1a3e84d4b6bb45e(6.8-rc7)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26595" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27413" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-64", + "bom-ref": "vuln-697", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27413" } } ], - "created": "2024-02-23T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path\n\nWhen calling mlxsw_sp_acl_tcam_region_destroy() from an error path after\nfailing to attach the region to an ACL group, we hit a NULL pointer\ndereference upon 'region->group->tcam' [1].\n\nFix by retrieving the 'tcam' pointer using mlxsw_sp_acl_to_tcam().\n\n[1]\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n[...]\nRIP: 0010:mlxsw_sp_acl_tcam_region_destroy+0xa0/0xd0\n[...]\nCall Trace:\n mlxsw_sp_acl_tcam_vchunk_get+0x88b/0xa20\n mlxsw_sp_acl_tcam_ventry_add+0x25/0xe0\n mlxsw_sp_acl_rule_add+0x47/0x240\n mlxsw_sp_flower_replace+0x1a9/0x1d0\n tc_setup_cb_add+0xdc/0x1c0\n fl_hw_replace_filter+0x146/0x1f0\n fl_change+0xc17/0x1360\n tc_new_tfilter+0x472/0xb90\n rtnetlink_rcv_msg+0x313/0x3b0\n netlink_rcv_skb+0x58/0x100\n netlink_unicast+0x244/0x390\n netlink_sendmsg+0x1e4/0x440\n ____sys_sendmsg+0x164/0x260\n ___sys_sendmsg+0x9a/0xe0\n __sys_sendmsg+0x7a/0xc0\n do_syscall_64+0x40/0xe0\n entry_SYSCALL_64_after_hwframe+0x63/0x6b", + "created": "2024-05-17T12:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi/capsule-loader: fix incorrect allocation size\n\ngcc-14 notices that the allocation with sizeof(void) on 32-bit architectures\nis not enough for a 64-bit phys_addr_t:\n\ndrivers/firmware/efi/capsule-loader.c: In function 'efi_capsule_open':\ndrivers/firmware/efi/capsule-loader.c:295:24: error: allocation of insufficient size '4' for type 'phys_addr_t' {aka 'long long unsigned int'} with size '8' [-Werror=alloc-size]\n 295 | cap_info->phys = kzalloc(sizeof(void *), GFP_KERNEL);\n | ^\n\nUse the correct type instead here.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26595", + "id": "CVE-2024-27413", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26595" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27413" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T16:14:43Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://www.openssl.org/news/secadv/20240109.txt" + "url": "https://git.kernel.org/stable/c/b513d30d59bb383a6a5d6b533afcab2cee99a8f8" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://git.kernel.org/stable/c/7ac9e18f5d66087cd22751c5c5bf0090eb0038fe" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129" + "url": "https://git.kernel.org/stable/c/a992425d18e5f7c48931121993c6c69426f2a8fb" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26842" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/b513d30d59bb383a6a5d6b533afcab2cee99a8f8(6.8-rc4)" } ], - "bom-ref": "vuln-65", + "bom-ref": "vuln-698", "ratings": [ { "severity": "none", - "score": 0.00061, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26842" } } ], - "created": "2024-01-09T17:15:12Z", - "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "created": "2024-04-17T10:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: Fix shift issue in ufshcd_clear_cmd()\n\nWhen task_tag >= 32 (in MCQ mode) and sizeof(unsigned int) == 4, 1U <<\ntask_tag will out of bounds for a u32 mask. Fix this up to prevent\nSHIFT_ISSUE (bitwise shifts that are out of bounds for their data type).\n\n[name:debug_monitors&]Unexpected kernel BRK exception at EL1\n[name:traps&]Internal error: BRK handler: 00000000f2005514 [#1] PREEMPT SMP\n[name:mediatek_cpufreq_hw&]cpufreq stop DVFS log done\n[name:mrdump&]Kernel Offset: 0x1ba5800000 from 0xffffffc008000000\n[name:mrdump&]PHYS_OFFSET: 0x80000000\n[name:mrdump&]pstate: 22400005 (nzCv daif +PAN -UAO)\n[name:mrdump&]pc : [0xffffffdbaf52bb2c] ufshcd_clear_cmd+0x280/0x288\n[name:mrdump&]lr : [0xffffffdbaf52a774] ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n[name:mrdump&]sp : ffffffc0081471b0\n\nWorkqueue: ufs_eh_wq_0 ufshcd_err_handler\nCall trace:\n dump_backtrace+0xf8/0x144\n show_stack+0x18/0x24\n dump_stack_lvl+0x78/0x9c\n dump_stack+0x18/0x44\n mrdump_common_die+0x254/0x480 [mrdump]\n ipanic_die+0x20/0x30 [mrdump]\n notify_die+0x15c/0x204\n die+0x10c/0x5f8\n arm64_notify_die+0x74/0x13c\n do_debug_exception+0x164/0x26c\n el1_dbg+0x64/0x80\n el1h_64_sync_handler+0x3c/0x90\n el1h_64_sync+0x68/0x6c\n ufshcd_clear_cmd+0x280/0x288\n ufshcd_wait_for_dev_cmd+0x3e4/0x82c\n ufshcd_exec_dev_cmd+0x5bc/0x9ac\n ufshcd_verify_dev_init+0x84/0x1c8\n ufshcd_probe_hba+0x724/0x1ce0\n ufshcd_host_reset_and_restore+0x260/0x574\n ufshcd_reset_and_restore+0x138/0xbd0\n ufshcd_err_handler+0x1218/0x2f28\n process_one_work+0x5fc/0x1140\n worker_thread+0x7d8/0xe20\n kthread+0x25c/0x468\n ret_from_fork+0x10/0x20", "affects": [ { - "ref": "comp-103" + "ref": "comp-399" } ], - "id": "CVE-2023-6129", + "id": "CVE-2024-26842", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26842" }, - "cwes": [ - 787 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-16T13:15:09Z" + "updated": "2024-04-17T12:48:07Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/20b4ed034872b4d024b26e2bc1092c3f80e5db96" + "url": "https://git.kernel.org/stable/c/39001e3c42000e7c2038717af0d33c32319ad591" }, { - "url": "https://git.kernel.org/stable/c/d684763534b969cca1022e2a28645c7cc91f7fa5" + "url": "https://git.kernel.org/stable/c/ccd1108b16ab572d9bf635586b0925635dbd6bbc" }, { - "url": "https://git.kernel.org/stable/c/754c9bab77a1b895b97bd99d754403c505bc79df" + "url": "https://git.kernel.org/stable/c/98db42191329c679f4ca52bec0b319689e1ad8cb" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/4bafcc43baf7bcf93566394dbd15726b5b456b7a" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/767146637efc528b5e3d31297df115e85a2fd362" }, { - "url": "https://git.kernel.org/stable/c/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f" + "url": "https://git.kernel.org/stable/c/b3c0f553820516ad4b62a9390ecd28d6f73a7b13" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/80ee5054435a11c87c9a4f30f1ff750080c96416" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26582" + "url": "https://git.kernel.org/stable/c/014a807f1cc9c9d5173c1cd935835553b00d211c" }, { - "url": "https://git.kernel.org/linus/32b55c5ff9103b8508c1e04bfa5a08c64e7a925f(6.8-rc5)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26851" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/767146637efc528b5e3d31297df115e85a2fd362(6.8)" } ], - "bom-ref": "vuln-66", + "bom-ref": "vuln-699", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26851" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tls: fix use-after-free with partial reads and async decrypt\n\ntls_decrypt_sg doesn't take a reference on the pages from clear_skb,\nso the put_page() in tls_decrypt_done releases them, and we trigger\na use-after-free in process_rx_list when we try to read from the\npartially-read skb.", + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: Add protection for bmp length out of range\n\nUBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts\nthat are out of bounds for their data type.\n\nvmlinux get_bitmap(b=75) + 712\n\nvmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956\n\nvmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216\n\nvmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812\n\nvmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216\n\nvmlinux DecodeRasMessage() + 304\n\nvmlinux ras_help() + 684\n\nvmlinux nf_confirm() + 188\n\n\nDue to abnormal data in skb->data, the extension bitmap length\nexceeds 32 when decoding ras message then uses the length to make\na shift operation. It will change into negative after several loop.\nUBSAN load could detect a negative shift as an undefined behaviour\nand reports exception.\nSo we add the protection to avoid the length exceeding 32. Or else\nit will return out of range error and stop decoding.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26582", + "id": "CVE-2024-26851", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26582" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26851" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z", + "updated": "2024-04-17T12:48:07Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2024-0841" + "url": "https://git.kernel.org/stable/c/14431815a4ae4bcd7c7a68b6a64c66c7712d27c9" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256490" + "url": "https://git.kernel.org/stable/c/74e97958121aa1f5854da6effba70143f051b0cd" }, { - "url": "https://lore.kernel.org/all/20240130210418.3771-1-osalvador@suse.de/T/" + "url": "https://git.kernel.org/stable/c/6c95336f5d8eb9ab79cd7306d71b6d0477363f8c" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0841" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35956" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/74e97958121aa1f5854da6effba70143f051b0cd(6.9-rc4)" } ], - "bom-ref": "vuln-67", + "bom-ref": "vuln-700", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35956" } } ], - "created": "2024-01-28T12:15:52Z", - "description": "A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.", + "created": "2024-05-20T10:15:10Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix qgroup prealloc rsv leak in subvolume operations\n\nCreate subvolume, create snapshot and delete subvolume all use\nbtrfs_subvolume_reserve_metadata() to reserve metadata for the changes\ndone to the parent subvolume's fs tree, which cannot be mediated in the\nnormal way via start_transaction. When quota groups (squota or qgroups)\nare enabled, this reserves qgroup metadata of type PREALLOC. Once the\noperation is associated to a transaction, we convert PREALLOC to\nPERTRANS, which gets cleared in bulk at the end of the transaction.\n\nHowever, the error paths of these three operations were not implementing\nthis lifecycle correctly. They unconditionally converted the PREALLOC to\nPERTRANS in a generic cleanup step regardless of errors or whether the\noperation was fully associated to a transaction or not. This resulted in\nerror paths occasionally converting this rsv to PERTRANS without calling\nrecord_root_in_trans successfully, which meant that unless that root got\nrecorded in the transaction by some other thread, the end of the\ntransaction would not free that root's PERTRANS, leaking it. Ultimately,\nthis resulted in hitting a WARN in CONFIG_BTRFS_DEBUG builds at unmount\nfor the leaked reservation.\n\nThe fix is to ensure that every qgroup PREALLOC reservation observes the\nfollowing properties:\n\n1. any failure before record_root_in_trans is called successfully\n results in freeing the PREALLOC reservation.\n2. after record_root_in_trans, we convert to PERTRANS, and now the\n transaction owns freeing the reservation.\n\nThis patch enforces those properties on the three operations. Without\nit, generic/269 with squotas enabled at mkfs time would fail in ~5-10\nruns on my system. With this patch, it ran successfully 1000 times in a\nrow.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-0841", + "id": "CVE-2024-35956", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0841" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35956" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-02T15:38:25Z" + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/e327ed60bff4a991cd7a709c47c4f0c5b4a4fd57" + "url": "https://git.kernel.org/stable/c/b143e19dc28c3211f050f7848d87d9b0a170e10c" + }, + { + "url": "https://git.kernel.org/stable/c/f0a068de65d5b7358e9aff792716afa9333f3922" }, { - "url": "https://git.kernel.org/stable/c/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb" + "url": "https://git.kernel.org/stable/c/2a523f14a3f53b46ff0e1fafd215b0bc5f6783aa" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OX4EWCYDZRTOEMC2C6OF7ZACAP23SUB5/" + "url": "https://git.kernel.org/stable/c/2eb979fbb2479bcd7e049f2f9978b6590dd8a0e6" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZOU3745CWCDZ7EMKMXB2OEEIB5Q3IWM/" + "url": "https://git.kernel.org/stable/c/a82984b3c6a7e8c7937dba6e857ddf829d149417" }, { - "url": "https://git.kernel.org/stable/c/6db22d6c7a6dc914b12c0469b94eb639b6a8a146" + "url": "https://git.kernel.org/stable/c/237f3cf13b20db183d3706d997eedc3c49eacd44" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26585" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35976" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/e01e3934a1b2d122919f73bc6ddbe1cdafc4bbdb(6.8-rc5)" + "url": "https://git.kernel.org/linus/237f3cf13b20db183d3706d997eedc3c49eacd44(6.9-rc4)" } ], - "bom-ref": "vuln-68", + "bom-ref": "vuln-701", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35976" } } ], - "created": "2024-02-21T15:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: fix race between tx work scheduling and socket close\n\nSimilarly to previous commit, the submitting thread (recvmsg/sendmsg)\nmay exit as soon as the async crypto handler calls complete().\nReorder scheduling the work before calling complete().\nThis seems more logical in the first place, as it's\nthe inverse order of what the submitting thread will do.", + "created": "2024-05-20T10:15:12Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING\n\nsyzbot reported an illegal copy in xsk_setsockopt() [1]\n\nMake sure to validate setsockopt() @optlen parameter.\n\n[1]\n\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]\n BUG: KASAN: slab-out-of-bounds in xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\nRead of size 4 at addr ffff888028c6cde3 by task syz-executor.0/7549\n\nCPU: 0 PID: 7549 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0x169/0x550 mm/kasan/report.c:488\n kasan_report+0x143/0x180 mm/kasan/report.c:601\n copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]\n copy_from_sockptr include/linux/sockptr.h:55 [inline]\n xsk_setsockopt+0x909/0xa40 net/xdp/xsk.c:1420\n do_sock_setsockopt+0x3af/0x720 net/socket.c:2311\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\nRIP: 0033:0x7fb40587de69\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fb40665a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 00007fb4059abf80 RCX: 00007fb40587de69\nRDX: 0000000000000005 RSI: 000000000000011b RDI: 0000000000000006\nRBP: 00007fb4058ca47a R08: 0000000000000002 R09: 0000000000000000\nR10: 0000000020001980 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000000b R14: 00007fb4059abf80 R15: 00007fff57ee4d08\n \n\nAllocated by task 7549:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:370 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387\n kasan_kmalloc include/linux/kasan.h:211 [inline]\n __do_kmalloc_node mm/slub.c:3966 [inline]\n __kmalloc+0x233/0x4a0 mm/slub.c:3979\n kmalloc include/linux/slab.h:632 [inline]\n __cgroup_bpf_run_filter_setsockopt+0xd2f/0x1040 kernel/bpf/cgroup.c:1869\n do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293\n __sys_setsockopt+0x1ae/0x250 net/socket.c:2334\n __do_sys_setsockopt net/socket.c:2343 [inline]\n __se_sys_setsockopt net/socket.c:2340 [inline]\n __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340\n do_syscall_64+0xfb/0x240\n entry_SYSCALL_64_after_hwframe+0x6d/0x75\n\nThe buggy address belongs to the object at ffff888028c6cde0\n which belongs to the cache kmalloc-8 of size 8\nThe buggy address is located 1 bytes to the right of\n allocated 2-byte region [ffff888028c6cde0, ffff888028c6cde2)\n\nThe buggy address belongs to the physical page:\npage:ffffea0000a31b00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888028c6c9c0 pfn:0x28c6c\nanon flags: 0xfff00000000800(slab|node=0|zone=1|lastcpupid=0x7ff)\npage_type: 0xffffffff()\nraw: 00fff00000000800 ffff888014c41280 0000000000000000 dead000000000001\nraw: ffff888028c6c9c0 0000000080800057 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as allocated\npage last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 6648, tgid 6644 (syz-executor.0), ts 133906047828, free_ts 133859922223\n set_page_owner include/linux/page_owner.h:31 [inline]\n post_alloc_hook+0x1ea/0x210 mm/page_alloc.c:1533\n prep_new_page mm/page_alloc.c:\n---truncated---", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26585", + "id": "CVE-2024-35976", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26585" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35976" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-28T03:15:08Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] }, { "advisories": [ - { - "url": "https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg" - }, - { - "url": "https://lore.kernel.org/all/20240124063702.5642-1-richard@nod.at/" - }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lore.kernel.org/linux-mtd/1433EB7A-FC89-47D6-8F47-23BE41B263B3@illinois.edu/" + "url": "https://lore.kernel.org/all/20231222162931.6553-1-2045gemini@gmail.com/" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25739" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-24859" } ], - "bom-ref": "vuln-69", + "bom-ref": "vuln-702", "ratings": [ { "severity": "medium", - "score": 5.5, + "score": 4.8, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" } }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24859" } } ], - "created": "2024-02-12T03:15:32Z", - "description": "create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.", + "created": "2024-02-05T08:15:44Z", + "description": "A race condition was found in the Linux kernel's net/bluetooth in sniff_{min,max}_interval_set() function. This can result in a bluetooth sniffing exception issue, possibly leading denial of service.\n\n\n\n\n\n\n\n", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-25739", + "id": "CVE-2024-24859", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25739" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24859" }, "cwes": [ - 754 + 362 ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T21:13:34Z" + "updated": "2024-02-10T04:06:05Z" }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/5kn47peabxjrptkqa6dwtyus35ahf4pcj4qm4pumse33kxqpjw@mec4se5relrc/T/" + "url": "https://git.kernel.org/stable/c/4049a9f80513a6739c5677736a4c88f96df1b436" }, { - "url": "https://access.redhat.com/security/cve/CVE-2024-0340" + "url": "https://git.kernel.org/stable/c/bc845e2e42cae95172c04bf29807c480f51a2a83" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257406" + "url": "https://git.kernel.org/stable/c/1824f942527f784a19e01eac2d9679a21623d010" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/f1cf77bb870046a6111a604f7f7fe83d1c8c9610" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0340" + "url": "https://git.kernel.org/stable/c/31aaf17200c336fe258b70d39c40645ae19d0240" }, { - "url": "https://git.kernel.org/linus/4d8df0f5f79f747d75a7d356d9b9ea40a4e4c8a9(6.4-rc6)" + "url": "https://git.kernel.org/stable/c/49f067726ab01c87cf57566797a8a719badbbf08" + }, + { + "url": "https://git.kernel.org/stable/c/c67698325c68f8768db858f5c87c34823421746d" + }, + { + "url": "https://git.kernel.org/stable/c/04a2b6eff2ae1c19cb7f41e803bcbfaf94c06455" + }, + { + "url": "https://git.kernel.org/stable/c/9636951e4468f02c72cc75a82dc65d003077edbc" + }, + { + "url": "https://git.kernel.org/linus/9636951e4468f02c72cc75a82dc65d003077edbc(6.9-rc1)" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52644" } ], - "bom-ref": "vuln-70", + "bom-ref": "vuln-703", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52644" } } ], - "created": "2024-01-09T18:15:47Z", - "description": "A vulnerability was found in vhost_new_msg in drivers/vhost/vhost.c in the Linux kernel, which does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This issue can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.", + "created": "2024-04-17T11:15:08Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled\n\nWhen QoS is disabled, the queue priority value will not map to the correct\nieee80211 queue since there is only one queue. Stop/wake queue 0 when QoS\nis disabled to prevent trying to stop/wake a non-existent queue and failing\nto stop/wake the actual queue instantiated.\n\nLog of issue before change (with kernel parameter qos=0):\n [ +5.112651] ------------[ cut here ]------------\n [ +0.000005] WARNING: CPU: 7 PID: 25513 at net/mac80211/util.c:449 __ieee80211_wake_queue+0xd5/0x180 [mac80211]\n [ +0.000067] Modules linked in: b43(O) snd_seq_dummy snd_hrtimer snd_seq snd_seq_device nft_chain_nat xt_MASQUERADE nf_nat xfrm_user xfrm_algo xt_addrtype overlay ccm af_packet amdgpu snd_hda_codec_cirrus snd_hda_codec_generic ledtrig_audio drm_exec amdxcp gpu_sched xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_rpfilter ipt_rpfilter xt_pkttype xt_LOG nf_log_syslog xt_tcpudp nft_compat nf_tables nfnetlink sch_fq_codel btusb uinput iTCO_wdt ctr btrtl intel_pmc_bxt i915 intel_rapl_msr mei_hdcp mei_pxp joydev at24 watchdog btintel atkbd libps2 serio radeon btbcm vivaldi_fmap btmtk intel_rapl_common snd_hda_codec_hdmi bluetooth uvcvideo nls_iso8859_1 applesmc nls_cp437 x86_pkg_temp_thermal snd_hda_intel intel_powerclamp vfat videobuf2_vmalloc coretemp fat snd_intel_dspcfg crc32_pclmul uvc polyval_clmulni snd_intel_sdw_acpi loop videobuf2_memops snd_hda_codec tun drm_suballoc_helper polyval_generic drm_ttm_helper drm_buddy tap ecdh_generic videobuf2_v4l2 gf128mul macvlan ttm ghash_clmulni_intel ecc tg3\n [ +0.000044] videodev bridge snd_hda_core rapl crc16 drm_display_helper cec mousedev snd_hwdep evdev intel_cstate bcm5974 hid_appleir videobuf2_common stp mac_hid libphy snd_pcm drm_kms_helper acpi_als mei_me intel_uncore llc mc snd_timer intel_gtt industrialio_triggered_buffer apple_mfi_fastcharge i2c_i801 mei snd lpc_ich agpgart ptp i2c_smbus thunderbolt apple_gmux i2c_algo_bit kfifo_buf video industrialio soundcore pps_core wmi tiny_power_button sbs sbshc button ac cordic bcma mac80211 cfg80211 ssb rfkill libarc4 kvm_intel kvm drm irqbypass fuse backlight firmware_class efi_pstore configfs efivarfs dmi_sysfs ip_tables x_tables autofs4 dm_crypt cbc encrypted_keys trusted asn1_encoder tee tpm rng_core input_leds hid_apple led_class hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci libahci libata uhci_hcd ehci_pci ehci_hcd crct10dif_pclmul crct10dif_common sha512_ssse3 sha512_generic sha256_ssse3 sha1_ssse3 aesni_intel usbcore scsi_mod libaes crypto_simd cryptd scsi_common\n [ +0.000055] usb_common rtc_cmos btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq dm_snapshot dm_bufio dm_mod dax [last unloaded: b43(O)]\n [ +0.000009] CPU: 7 PID: 25513 Comm: irq/17-b43 Tainted: G W O 6.6.7 #1-NixOS\n [ +0.000003] Hardware name: Apple Inc. MacBookPro8,3/Mac-942459F5819B171B, BIOS 87.0.0.0.0 06/13/2019\n [ +0.000001] RIP: 0010:__ieee80211_wake_queue+0xd5/0x180 [mac80211]\n [ +0.000046] Code: 00 45 85 e4 0f 85 9b 00 00 00 48 8d bd 40 09 00 00 f0 48 0f ba ad 48 09 00 00 00 72 0f 5b 5d 41 5c 41 5d 41 5e e9 cb 6d 3c d0 <0f> 0b 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc 48 8d b4 16 94 00 00\n [ +0.000002] RSP: 0018:ffffc90003c77d60 EFLAGS: 00010097\n [ +0.000001] RAX: 0000000000000001 RBX: 0000000000000002 RCX: 0000000000000000\n [ +0.000001] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff88820b924900\n [ +0.000002] RBP: ffff88820b924900 R08: ffffc90003c77d90 R09: 000000000003bfd0\n [ +0.000001] R10: ffff88820b924900 R11: ffffc90003c77c68 R12: 0000000000000000\n [ +0.000001] R13: 0000000000000000 R14: ffffc90003c77d90 R15: ffffffffc0fa6f40\n [ +0.000001] FS: 0000000000000000(0000) GS:ffff88846fb80000(0000) knlGS:0000000000000000\n [ +0.000001] CS: 0010 DS: 0\n---truncated---", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-0340", + "id": "CVE-2023-52644", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0340" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52644" }, - "cwes": [ - 200 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-16T18:49:46Z" + "updated": "2024-04-17T12:48:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5@xs4all.nl/" + "url": "https://git.kernel.org/stable/c/e2d45f467096e931044f0ab7634499879d851a5c" }, { - "url": "https://lore.kernel.org/lkml/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/T/" + "url": "https://git.kernel.org/stable/c/291cca35818bd52a407bc37ab45a15816039e363" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/5224afbc30c3ca9ba23e752f0f138729b2c48dd8" + }, + { + "url": "https://git.kernel.org/stable/c/edcf1a3f182ecf8b6b805f0ce90570ea98c5f6bf" + }, + { + "url": "https://git.kernel.org/stable/c/552705a3650bbf46a22b1adedc1b04181490fc36" + }, + { + "url": "https://git.kernel.org/stable/c/b2d6f9a5b1cf968f1eaa71085ceeb09c2cb276b1" + }, + { + "url": "https://git.kernel.org/stable/c/406b0241d0eb598a0b330ab20ae325537d8d8163" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23848" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26643" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-71", + "bom-ref": "vuln-704", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" - } - }, { "severity": "none", - "score": 0.00043, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26643" } } ], - "created": "2024-01-23T09:15:35Z", - "description": "In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c.", + "created": "2024-03-21T11:15:28Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout\n\nWhile the rhashtable set gc runs asynchronously, a race allows it to\ncollect elements from anonymous sets with timeouts while it is being\nreleased from the commit path.\n\nMingi Cho originally reported this issue in a different path in 6.1.x\nwith a pipapo set with low timeouts which is not possible upstream since\n7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set\nelement timeout\").\n\nFix this by setting on the dead flag for anonymous sets to skip async gc\nin this case.\n\nAccording to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on\ntransaction abort\"), Florian plans to accelerate abort path by releasing\nobjects via workqueue, therefore, this sets on the dead flag for abort\npath too.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-23848", + "id": "CVE-2024-26643", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23848" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26643" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-30T02:04:25Z" + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216702" + "url": "https://git.kernel.org/stable/c/e4cbc857d75d4e22a1f75446e7480b1f305d8d60" }, { - "url": "https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz@163.com/" + "url": "https://git.kernel.org/stable/c/e30b52a2ea3d1e0aaee68096957cf90a2f4ec5af" + }, + { + "url": "https://git.kernel.org/stable/c/edff092a59260bf0b0a2eba219cb3da6372c2f9f" + }, + { + "url": "https://git.kernel.org/stable/c/e4ce01c25ccbea02a09a5291c21749b1fc358e39" + }, + { + "url": "https://git.kernel.org/stable/c/7aa33854477d9c346f5560a1a1fcb3fe7783e2a8" + }, + { + "url": "https://git.kernel.org/stable/c/27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16" + }, + { + "url": "https://git.kernel.org/stable/c/6e2902ecc77e9760a9fc447f56d598383e2372d2" + }, + { + "url": "https://git.kernel.org/stable/c/fd3486a893778770557649fe28afa5e463d4ed07" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6741-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6742-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52603" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6743-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6740-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6688-1" + }, + { + "url": "https://git.kernel.org/linus/27e56f59bab5ddafbcfe69ad7a4a6ea1279c1b16(6.8-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47233" + "url": "https://ubuntu.com/security/notices/USN-6743-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6739-1" } ], - "bom-ref": "vuln-72", + "bom-ref": "vuln-705", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52603" } } ], - "created": "2023-11-03T21:15:17Z", - "description": "The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this \"could be exploited in a real world scenario.\" This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.", + "created": "2024-03-06T07:15:11Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nUBSAN: array-index-out-of-bounds in dtSplitRoot\n\nSyzkaller reported the following issue:\n\noop0: detected capacity change from 0 to 32768\n\nUBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1971:9\nindex -2 is out of range for type 'struct dtslot [128]'\nCPU: 0 PID: 3613 Comm: syz-executor270 Not tainted 6.0.0-syzkaller-09423-g493ffd6605b2 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nCall Trace:\n \n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106\n ubsan_epilogue lib/ubsan.c:151 [inline]\n __ubsan_handle_out_of_bounds+0xdb/0x130 lib/ubsan.c:283\n dtSplitRoot+0x8d8/0x1900 fs/jfs/jfs_dtree.c:1971\n dtSplitUp fs/jfs/jfs_dtree.c:985 [inline]\n dtInsert+0x1189/0x6b80 fs/jfs/jfs_dtree.c:863\n jfs_mkdir+0x757/0xb00 fs/jfs/namei.c:270\n vfs_mkdir+0x3b3/0x590 fs/namei.c:4013\n do_mkdirat+0x279/0x550 fs/namei.c:4038\n __do_sys_mkdirat fs/namei.c:4053 [inline]\n __se_sys_mkdirat fs/namei.c:4051 [inline]\n __x64_sys_mkdirat+0x85/0x90 fs/namei.c:4051\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7fcdc0113fd9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffeb8bc67d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000102\nRAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcdc0113fd9\nRDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003\nRBP: 00007fcdc00d37a0 R08: 0000000000000000 R09: 00007fcdc00d37a0\nR10: 00005555559a72c0 R11: 0000000000000246 R12: 00000000f8008000\nR13: 0000000000000000 R14: 00083878000000f8 R15: 0000000000000000\n \n\nThe issue is caused when the value of fsi becomes less than -1.\nThe check to break the loop when fsi value becomes -1 is present\nbut syzbot was able to produce value less than -1 which cause the error.\nThis patch simply add the change for the values less than 0.\n\nThe patch is tested via syzbot.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-47233", + "id": "CVE-2023-52603", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47233" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52603" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-14T16:00:39Z" + "updated": "2024-03-06T15:18:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/" + "url": "https://git.kernel.org/stable/c/e288285d47784fdcf7c81be56df7d65c6f10c58b" + }, + { + "url": "https://git.kernel.org/stable/c/f14cee7a882cb79528f17a2335f53e9fd1848467" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/" + "url": "https://git.kernel.org/stable/c/b7deb675d674f44e0ddbab87fee8f9f098925e73" }, { - "url": "https://cwe.mitre.org/data/definitions/776.html" + "url": "https://git.kernel.org/stable/c/825d63164a2e6bacb059a9afb5605425b485413f" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-524.html" + "url": "https://git.kernel.org/linus/e288285d47784fdcf7c81be56df7d65c6f10c58b(6.9-rc2)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52426" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26930" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063240" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-73", + "bom-ref": "vuln-706", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426" - } - }, { "severity": "none", - "score": 0.00051, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26930" } } ], - "created": "2024-02-04T20:15:46Z", - "description": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.", + "created": "2024-05-01T06:15:07Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix double free of the ha->vp_map pointer\n\nCoverity scan reported potential risk of double free of the pointer\nha->vp_map. ha->vp_map was freed in qla2x00_mem_alloc(), and again freed\nin function qla2x00_mem_free(ha).\n\nAssign NULL to vp_map and kfree take care of NULL.", "affects": [ { - "ref": "comp-390" + "ref": "comp-399" } ], - "id": "CVE-2023-52426", + "id": "CVE-2024-26930", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26930" }, - "cwes": [ - 776 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:27:48Z" + "updated": "2024-05-01T13:02:20Z" }, { "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0723" + "url": "https://git.kernel.org/stable/c/f3f98d7d84b31828004545e29fd7262b9f444139" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254053" + "url": "https://git.kernel.org/stable/c/cda4672da1c26835dcbd7aec2bfed954eda9b5ef" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0724" + "url": "https://git.kernel.org/stable/c/ae20db45e482303a20e56f2db667a9d9c54ac7e7" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0725" + "url": "https://git.kernel.org/stable/c/8180d0c27b93a6eb60da1b08ea079e3926328214" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6535" + "url": "https://git.kernel.org/stable/c/7958c1bf5b03c6f1f58e724dbdec93f8f60b96fc" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0881" + "url": "https://git.kernel.org/stable/c/70e329b440762390258a6fe8c0de93c9fdd56c77" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0897" + "url": "https://ubuntu.com/security/notices/USN-6766-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26689" }, { - "url": "https://lore.kernel.org/linux-nvme/89a927a6-2baf-434a-b1d5-50fb99beca73@grimberg.me/T/" + "url": "https://git.kernel.org/linus/cda4672da1c26835dcbd7aec2bfed954eda9b5ef(6.8-rc4)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6535" + "url": "https://ubuntu.com/security/notices/USN-6766-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6766-2" } ], - "bom-ref": "vuln-74", + "bom-ref": "vuln-707", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535" - } - }, { "severity": "none", - "score": 0.00144, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26689" } } ], - "created": "2024-02-07T21:15:08Z", - "description": "A flaw was found in the Linux kernel's NVMe driver. This issue may allow an unauthenticated malicious actor to send a set of crafted TCP packages when using NVMe over TCP, leading the NVMe driver to a NULL pointer dereference in the NVMe driver, causing kernel panic and a denial of service.", + "created": "2024-04-03T15:15:52Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: prevent use-after-free in encode_cap_msg()\n\nIn fs/ceph/caps.c, in encode_cap_msg(), \"use after free\" error was\ncaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This\nimplies before the refcount could be increment here, it was freed.\n\nIn same file, in \"handle_cap_grant()\" refcount is decremented by this\nline - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race\noccurred and resource was freed by the latter line before the former\nline could increment it.\n\nencode_cap_msg() is called by __send_cap() and __send_cap() is called by\nceph_check_caps() after calling __prep_cap(). __prep_cap() is where\narg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where\nthe refcount must be increased to prevent \"use after free\" error.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-6535", + "id": "CVE-2024-26689", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6535" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26689" }, - "cwes": [ - 476 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-20T15:15:09Z" + "updated": "2024-04-03T17:24:18Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/CABcoxUayum5oOqFMMqAeWuS8+EzojquSOSyDA3J_2omY=2EeAg@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/3a63cee1a5e14a3e52c19142c61dd5fcb524f6dc" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159764" + "url": "https://git.kernel.org/stable/c/e58047553a4e859dafc8d1d901e1de77c9dd922d" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed17aa92dc56" + "url": "https://git.kernel.org/stable/c/fddc19631c51d9c17d43e9f822a7bc403af88d54" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-0160" + "url": "https://git.kernel.org/stable/c/689efe22e9b5b7d9d523119a9a5c3c17107a0772" }, { - "url": "https://lore.kernel.org/bpf/000000000000f1db9605f939720e@google.com/" + "url": "https://git.kernel.org/stable/c/30189e54ba80e3209d34cfeea87b848f6ae025e6" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-184.html" + "url": "https://git.kernel.org/stable/c/73db209dcd4ae026021234d40cfcb2fb5b564b86" + }, + { + "url": "https://git.kernel.org/stable/c/8bdbcfaf3eac42f98e5486b3d7e130fa287811f6" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0160" + "url": "https://git.kernel.org/stable/c/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf" + }, + { + "url": "https://git.kernel.org/linus/2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf(6.9-rc6)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lore.kernel.org/all/20230406122622.109978-1-liuxin350@huawei.com/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35849" } ], - "bom-ref": "vuln-75", + "bom-ref": "vuln-708", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" - } - }, { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35849" } } ], - "created": "2023-07-18T17:15:11Z", - "description": "A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.", + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix information leak in btrfs_ioctl_logical_to_ino()\n\nSyzbot reported the following information leak for in\nbtrfs_ioctl_logical_to_ino():\n\n BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n instrument_copy_to_user include/linux/instrumented.h:114 [inline]\n _copy_to_user+0xbc/0x110 lib/usercopy.c:40\n copy_to_user include/linux/uaccess.h:191 [inline]\n btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Uninit was created at:\n __kmalloc_large_node+0x231/0x370 mm/slub.c:3921\n __do_kmalloc_node mm/slub.c:3954 [inline]\n __kmalloc_node+0xb07/0x1060 mm/slub.c:3973\n kmalloc_node include/linux/slab.h:648 [inline]\n kvmalloc_node+0xc0/0x2d0 mm/util.c:634\n kvmalloc include/linux/slab.h:766 [inline]\n init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779\n btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480\n btrfs_ioctl+0x714/0x1260\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:904 [inline]\n __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890\n __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890\n x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n Bytes 40-65535 of 65536 are uninitialized\n Memory access of size 65536 starts at ffff888045a40000\n\nThis happens, because we're copying a 'struct btrfs_data_container' back\nto user-space. This btrfs_data_container is allocated in\n'init_data_container()' via kvmalloc(), which does not zero-fill the\nmemory.\n\nFix this by using kvzalloc() which zeroes out the memory on allocation.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-0160", + "id": "CVE-2024-35849", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0160" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35849" }, - "cwes": [ - 667, - 833 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T03:59:46Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/linus/97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + "url": "https://git.kernel.org/stable/c/810fa7d5e5202fcfb22720304b755f1bdfd4c174" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0597" + "url": "https://git.kernel.org/stable/c/33a1b6bfef6def2068c8703403759024ce17053e" }, { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=97e3d26b5e5f371b3ee223d94dd123e6c442ba80" + "url": "https://git.kernel.org/stable/c/10bfd453da64a057bcfd1a49fb6b271c48653cdb" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:6901" + "url": "https://git.kernel.org/stable/c/9d4ffb5b9d879a75e4f7460e8b10e756b4dfb132" }, { - "url": "https://lore.kernel.org/lkml/Yz/mfJ1gjgshF19t@hirez.programming.kicks-ass.net/" + "url": "https://git.kernel.org/stable/c/1b0998fdd85776775d975d0024bca227597e836a" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-2" + "url": "https://git.kernel.org/stable/c/44112bc5c74e64f28f5a9127dc34066c7a09bd0f" }, { - "url": "https://ubuntu.com/security/notices/USN-6235-1" + "url": "https://git.kernel.org/stable/c/8a54834c03c30e549c33d5da0975f3e1454ec906" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6462-1" + "url": "https://git.kernel.org/linus/10bfd453da64a057bcfd1a49fb6b271c48653cdb(6.8-rc7)" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-3" - }, + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27417" + } + ], + "bom-ref": "vuln-709", + "ratings": [ { - "url": "https://ubuntu.com/security/notices/USN-6462-2" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27417" + } + } + ], + "created": "2024-05-17T12:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix potential \"struct net\" leak in inet6_rtm_getaddr()\n\nIt seems that if userspace provides a correct IFA_TARGET_NETNSID value\nbut no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr()\nreturns -EINVAL with an elevated \"struct net\" refcount.", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6206-1" + "ref": "comp-399" + } + ], + "id": "CVE-2024-27417", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27417" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.kernel.org/stable/c/1c9be13846c0b2abc2480602f8ef421360e1ad9e" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-0597" + "url": "https://git.kernel.org/stable/c/ef982fc41055fcebb361a92288d3225783d12913" }, { - "url": "https://ubuntu.com/security/notices/USN-6300-1" + "url": "https://git.kernel.org/stable/c/0158216805ca7e498d07de38840d2732166ae5fa" }, { - "url": "https://ubuntu.com/security/notices/USN-6311-1" + "url": "https://git.kernel.org/stable/c/01f82de440f2ab07c259b7573371e1c42e5565db" }, { - "url": "https://ubuntu.com/security/notices/USN-6332-1" + "url": "https://git.kernel.org/stable/c/e279bf8e51893e1fe160b3d8126ef2dd00f661e1" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/4b45829440b1b208948b39cc71f77a37a2536734" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7077" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26747" }, { - "url": "https://ubuntu.com/security/notices/USN-6347-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:6583" + "url": "https://git.kernel.org/linus/1c9be13846c0b2abc2480602f8ef421360e1ad9e(6.8-rc6)" } ], - "bom-ref": "vuln-76", + "bom-ref": "vuln-710", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26747" } } ], - "created": "2023-02-23T20:15:12Z", - "description": "A flaw possibility of memory leak in the Linux kernel cpu_entry_area mapping of X86 CPU data to memory was found in the way user can guess location of exception stack(s) or other important data. A local user could use this flaw to get access to some important data with expected location in memory.", + "created": "2024-04-03T17:15:51Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: roles: fix NULL pointer issue when put module's reference\n\nIn current design, usb role class driver will get usb_role_switch parent's\nmodule reference after the user get usb_role_switch device and put the\nreference after the user put the usb_role_switch device. However, the\nparent device of usb_role_switch may be removed before the user put the\nusb_role_switch. If so, then, NULL pointer issue will be met when the user\nput the parent module's reference.\n\nThis will save the module pointer in structure of usb_role_switch. Then,\nwe don't need to find module by iterating long relations.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-0597", + "id": "CVE-2024-26747", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0597" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26747" }, - "cwes": [ - 401, - 200 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-07-28T15:15:09Z", + "updated": "2024-04-03T17:24:18Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/20240207132416.1488485-1-aconole@redhat.com/" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2024-1151" + "url": "https://git.kernel.org/stable/c/395ca1031acf89d8ecb26127c544a71688d96f35" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK/" + "url": "https://git.kernel.org/stable/c/601429cca96b4af3be44172c3b64e4228515dbe1" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262241" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35931" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2/" + "url": "https://git.kernel.org/linus/601429cca96b4af3be44172c3b64e4228515dbe1(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=bd128f62c365(selftests)" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1151" } ], - "bom-ref": "vuln-77", + "bom-ref": "vuln-711", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35931" } } ], - "created": "2024-02-11T15:15:07Z", - "description": "A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.", + "created": "2024-05-19T11:15:49Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Skip do PCI error slot reset during RAS recovery\n\nWhy:\n The PCI error slot reset maybe triggered after inject ue to UMC multi times, this\n caused system hang.\n [ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, trying to resume\n [ 557.373718] [drm] PCIE GART of 512M enabled.\n [ 557.373722] [drm] PTB located at 0x0000031FED700000\n [ 557.373788] [drm] VRAM is lost due to GPU reset!\n [ 557.373789] [drm] PSP is resuming...\n [ 557.547012] mlx5_core 0000:55:00.0: mlx5_pci_err_detected Device state = 1 pci_status: 0. Exit, result = 3, need reset\n [ 557.547067] [drm] PCI error: detected callback, state(1)!!\n [ 557.547069] [drm] No support for XGMI hive yet...\n [ 557.548125] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 0. Enter\n [ 557.607763] mlx5_core 0000:55:00.0: wait vital counter value 0x16b5b after 1 iterations\n [ 557.607777] mlx5_core 0000:55:00.0: mlx5_pci_slot_reset Device state = 1 pci_status: 1. Exit, err = 0, result = 5, recovered\n [ 557.610492] [drm] PCI error: slot reset callback!!\n ...\n [ 560.689382] amdgpu 0000:3f:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689546] amdgpu 0000:5a:00.0: amdgpu: GPU reset(2) succeeded!\n [ 560.689562] general protection fault, probably for non-canonical address 0x5f080b54534f611f: 0000 [#1] SMP NOPTI\n [ 560.701008] CPU: 16 PID: 2361 Comm: kworker/u448:9 Tainted: G OE 5.15.0-91-generic #101-Ubuntu\n [ 560.712057] Hardware name: Microsoft C278A/C278A, BIOS C2789.5.BS.1C11.AG.1 11/08/2023\n [ 560.720959] Workqueue: amdgpu-reset-hive amdgpu_ras_do_recovery [amdgpu]\n [ 560.728887] RIP: 0010:amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.736891] Code: ff 41 89 c6 e9 1b ff ff ff 44 0f b6 45 b0 e9 4f ff ff ff be 01 00 00 00 4c 89 e7 e8 76 c9 8b ff 44 0f b6 45 b0 e9 3c fd ff ff <48> 83 ba 18 02 00 00 00 0f 84 6a f8 ff ff 48 8d 7a 78 be 01 00 00\n [ 560.757967] RSP: 0018:ffa0000032e53d80 EFLAGS: 00010202\n [ 560.763848] RAX: ffa00000001dfd10 RBX: ffa0000000197090 RCX: ffa0000032e53db0\n [ 560.771856] RDX: 5f080b54534f5f07 RSI: 0000000000000000 RDI: ff11000128100010\n [ 560.779867] RBP: ffa0000032e53df0 R08: 0000000000000000 R09: ffffffffffe77f08\n [ 560.787879] R10: 0000000000ffff0a R11: 0000000000000001 R12: 0000000000000000\n [ 560.795889] R13: ffa0000032e53e00 R14: 0000000000000000 R15: 0000000000000000\n [ 560.803889] FS: 0000000000000000(0000) GS:ff11007e7e800000(0000) knlGS:0000000000000000\n [ 560.812973] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [ 560.819422] CR2: 000055a04c118e68 CR3: 0000000007410005 CR4: 0000000000771ee0\n [ 560.827433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n [ 560.835433] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n [ 560.843444] PKRU: 55555554\n [ 560.846480] Call Trace:\n [ 560.849225] \n [ 560.851580] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.856488] ? show_trace_log_lvl+0x1d6/0x2ea\n [ 560.861379] ? amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.867778] ? show_regs.part.0+0x23/0x29\n [ 560.872293] ? __die_body.cold+0x8/0xd\n [ 560.876502] ? die_addr+0x3e/0x60\n [ 560.880238] ? exc_general_protection+0x1c5/0x410\n [ 560.885532] ? asm_exc_general_protection+0x27/0x30\n [ 560.891025] ? amdgpu_device_gpu_recover.cold+0xbf1/0xcf5 [amdgpu]\n [ 560.898323] amdgpu_ras_do_recovery+0x1b2/0x210 [amdgpu]\n [ 560.904520] process_one_work+0x228/0x3d0\nHow:\n In RAS recovery, mode-1 reset is issued from RAS fatal error handling and expected\n all the nodes in a hive to be reset. no need to issue another mode-1 during this procedure.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-1151", + "id": "CVE-2024-35931", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1151" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35931" }, - "cwes": [ - 121 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-22T04:15:08Z" + "updated": "2024-05-20T13:00:04Z" }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2227726" + "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-4010" + "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.12" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc00bcaa589914096edef7fb87ca5cee4a166b5c" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1578" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-019.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2020-36694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2021:1739" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4010" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-78", + "bom-ref": "vuln-712", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-36694" } }, { "severity": "medium", - "score": 4.6, + "score": 6.7, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" } } ], - "created": "2023-07-31T17:15:10Z", - "description": "A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service.", + "created": "2023-05-21T23:15:08Z", + "description": "An issue was discovered in netfilter in the Linux kernel before 5.10. There can be a use-after-free in the packet processing context, because the per-CPU sequence count is mishandled during concurrent iptables rules replacement. This could be exploited with the CAP_NET_ADMIN capability in an unprivileged namespace. NOTE: cc00bca was reverted in 5.12.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-4010", + "id": "CVE-2020-36694", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4010" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36694" }, "cwes": [ - 835 + 416 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2023-11-07T04:22:02Z" + "updated": "2023-06-22T15:15:09Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T13:16:19Z" + } + ] }, { "advisories": [ { - "url": "https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/" + "url": "https://git.kernel.org/stable/c/e4308bc22b9d46cf33165c9dfaeebcf29cd56f04" }, { - "url": "https://ubuntu.com/security/notices/USN-6520-1" + "url": "https://git.kernel.org/stable/c/610f175d2e16fb2436ba7974b990563002c20d07" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-2" + "url": "https://git.kernel.org/stable/c/976df695f579bbb2914114b4e9974fe4ed1eb813" }, { - "url": "https://ubuntu.com/security/notices/USN-6464-1" + "url": "https://git.kernel.org/stable/c/40406dfbc060503d2e0a9e637e98493c54997b3d" }, { - "url": "https://ubuntu.com/security/notices/USN-6440-1" + "url": "https://git.kernel.org/linus/e4308bc22b9d46cf33165c9dfaeebcf29cd56f04(6.9-rc6)" }, { - "url": "https://ubuntu.com/security/notices/USN-6465-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35992" }, { - "url": "https://ubuntu.com/security/notices/USN-6462-1" - }, + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-713", + "ratings": [ { - "url": "https://ubuntu.com/security/notices/USN-6440-3" - }, + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35992" + } + } + ], + "created": "2024-05-20T10:15:13Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: marvell: a3700-comphy: Fix out of bounds read\n\nThere is an out of bounds read access of 'gbe_phy_init_fix[fix_idx].addr'\nevery iteration after 'fix_idx' reaches 'ARRAY_SIZE(gbe_phy_init_fix)'.\n\nMake sure 'gbe_phy_init[addr]' is used when all elements of\n'gbe_phy_init_fix' array are handled.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6462-2" - }, + "ref": "comp-399" + } + ], + "id": "CVE-2024-35992", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35992" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-20T13:00:04Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6466-1" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.90-1" + } + ] + }, + { + "advisories": [ { - "url": "https://ubuntu.com/security/notices/USN-6465-2" + "url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736" }, { - "url": "https://ubuntu.com/security/notices/USN-6465-3" + "url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941" }, { - "url": "https://ubuntu.com/security/notices/USN-6439-2" + "url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664" }, { - "url": "https://ubuntu.com/security/notices/USN-6439-1" + "url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31083" + "url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c" }, { - "url": "https://git.kernel.org/bluetooth/bluetooth-next/c/ff1b86784849" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26803" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6516-1" } ], - "bom-ref": "vuln-79", + "bom-ref": "vuln-714", "ratings": [ { "severity": "none", - "score": 0.00043, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 4.7, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26803" } } ], - "created": "2023-04-24T06:15:07Z", - "description": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.", + "created": "2024-04-04T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there's nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we'll end up with a stray GRO flag set but no NAPI instances.\n\nWe don't depend on the GRO flag on the datapath, so the datapath\nwon't crash. We will crash (or hang), however, next time features\nare sync'ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. If NAPI was initialized before we'll hang in napi_disable().\nIf it never was we'll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-31083", + "id": "CVE-2024-26803", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26803" }, - "cwes": [ - 362, - 476 - ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2023-11-07T04:14:13Z", + "updated": "2024-04-04T12:48:22Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/b734f7a47aeb32a5ba298e4ccc16bb0c52b6dbf7" + "url": "https://git.kernel.org/stable/c/35fe0e0b5c00bef7dde74842a2564c43856fbce4" }, { - "url": "https://git.kernel.org/stable/c/60c0c230c6f046da536d3df8b39a20b9a9fd6af0" + "url": "https://git.kernel.org/stable/c/d12245080cb259d82b34699f6cd4ec11bdb688bd" }, { - "url": "https://git.kernel.org/stable/c/6eb14441f10602fa1cf691da9d685718b68b78a9" + "url": "https://git.kernel.org/stable/c/3391b157780bbedf8ef9f202cbf10ee90bf6b0f8" }, { - "url": "https://git.kernel.org/stable/c/2bab493a5624444ec6e648ad0d55a362bcb4c003" + "url": "https://git.kernel.org/stable/c/3001e7aa43d6691db2a878b0745b854bf12ddd19" }, { - "url": "https://git.kernel.org/stable/c/10e9cb39313627f2eae4cd70c4b742074e998fd8" + "url": "https://git.kernel.org/stable/c/3d010c8031e39f5fa1e8b13ada77e0321091011f" }, { - "url": "https://git.kernel.org/stable/c/1296c110c5a0b45a8fcf58e7d18bc5da61a565cb" + "url": "https://git.kernel.org/stable/c/d49ae15a5767d4e9ef8bbb79e42df1bfebc94670" }, { - "url": "https://git.kernel.org/stable/c/4cee42fcf54fec46b344681e7cc4f234bb22f85a" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35884" }, { - "url": "https://git.kernel.org/linus/60c0c230c6f046da536d3df8b39a20b9a9fd6af0(6.8-rc4)" + "url": "https://git.kernel.org/linus/3d010c8031e39f5fa1e8b13ada77e0321091011f(6.9-rc3)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26581" } ], - "bom-ref": "vuln-80", + "bom-ref": "vuln-715", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35884" } } ], - "created": "2024-02-20T13:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_rbtree: skip end interval element from gc\n\nrbtree lazy gc on insert might collect an end interval element that has\nbeen just added in this transactions, skip end interval elements that\nare not yet active.", + "created": "2024-05-19T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: do not accept non-tunnel GSO skbs landing in a tunnel\n\nWhen rx-udp-gro-forwarding is enabled UDP packets might be GROed when\nbeing forwarded. If such packets might land in a tunnel this can cause\nvarious issues and udp_gro_receive makes sure this isn't the case by\nlooking for a matching socket. This is performed in\nudp4/6_gro_lookup_skb but only in the current netns. This is an issue\nwith tunneled packets when the endpoint is in another netns. In such\ncases the packets will be GROed at the UDP level, which leads to various\nissues later on. The same thing can happen with rx-gro-list.\n\nWe saw this with geneve packets being GROed at the UDP level. In such\ncase gso_size is set; later the packet goes through the geneve rx path,\nthe geneve header is pulled, the offset are adjusted and frag_list skbs\nare not adjusted with regard to geneve. When those skbs hit\nskb_fragment, it will misbehave. Different outcomes are possible\ndepending on what the GROed skbs look like; from corrupted packets to\nkernel crashes.\n\nOne example is a BUG_ON[1] triggered in skb_segment while processing the\nfrag_list. Because gso_size is wrong (geneve header was pulled)\nskb_segment thinks there is \"geneve header size\" of data in frag_list,\nalthough it's in fact the next packet. The BUG_ON itself has nothing to\ndo with the issue. This is only one of the potential issues.\n\nLooking up for a matching socket in udp_gro_receive is fragile: the\nlookup could be extended to all netns (not speaking about performances)\nbut nothing prevents those packets from being modified in between and we\ncould still not find a matching socket. It's OK to keep the current\nlogic there as it should cover most cases but we also need to make sure\nwe handle tunnel packets being GROed too early.\n\nThis is done by extending the checks in udp_unexpected_gso: GSO packets\nlacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must\nbe segmented.\n\n[1] kernel BUG at net/core/skbuff.c:4408!\n RIP: 0010:skb_segment+0xd2a/0xf70\n __udp_gso_segment+0xaa/0x560", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26581", + "id": "CVE-2024-35884", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26581" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35884" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-23T09:15:22Z" + "updated": "2024-05-20T13:00:04Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://access.redhat.com/security/cve/CVE-2023-3428" + "url": "https://git.kernel.org/stable/c/2f6d721e14b69d6e1251f69fa238b48e8374e25f" }, { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218369" + "url": "https://git.kernel.org/stable/c/569c198c9e2093fd29cc071856a4e548fda506bc" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-249.html" + "url": "https://git.kernel.org/stable/c/f0bf89e84c3afb79d7a3a9e4bc853ad6a3245c0a" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3428" + "url": "https://git.kernel.org/stable/c/fa3ac8b1a227d9b470b87972494293348b5839ee" }, { - "url": "https://ubuntu.com/security/notices/USN-6200-1" + "url": "https://git.kernel.org/stable/c/889846dfc8ee2cf31148a44bfd2faeb2faadc685" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/fc0aed88afbf6f606205129a7466eebdf528e3f3" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2123.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35844" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1781.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://git.kernel.org/linus/2f6d721e14b69d6e1251f69fa238b48e8374e25f(6.9-rc1)" } ], - "bom-ref": "vuln-81", + "bom-ref": "vuln-716", "ratings": [ - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428" - } - }, { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35844" } } ], - "created": "2023-10-04T19:15:10Z", - "description": "A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.", + "created": "2024-05-17T15:15:21Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: compress: fix reserve_cblocks counting error when out of space\n\nWhen a file only needs one direct_node, performing the following\noperations will cause the file to be unrepairable:\n\nunisoc # ./f2fs_io compress test.apk\nunisoc #df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.2M 100% /data\n\nunisoc # ./f2fs_io release_cblocks test.apk\n924\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 4.8M 100% /data\n\nunisoc # dd if=/dev/random of=file4 bs=1M count=3\n3145728 bytes (3.0 M) copied, 0.025 s, 120 M/s\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\n\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\n\nadb reboot\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n0\n\nThis is because the file has only one direct_node. After returning\nto -ENOSPC, reserved_blocks += ret will not be executed. As a result,\nthe reserved_blocks at this time is still 0, which is not the real\nnumber of reserved blocks. Therefore, fsck cannot be set to repair\nthe file.\n\nAfter this patch, the fsck flag will be set to fix this problem.\n\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 1.8M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\nF2FS_IOC_RESERVE_COMPRESS_BLOCKS failed: No space left on device\n\nadb reboot then fsck will be executed\nunisoc # df -h | grep dm-48\n/dev/block/dm-48 112G 112G 11M 100% /data\nunisoc # ./f2fs_io reserve_cblocks test.apk\n924", "affects": [ { - "ref": "comp-215" + "ref": "comp-399" } ], - "id": "CVE-2023-3428", + "id": "CVE-2024-35844", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35844" }, - "cwes": [ - 787, - 122 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-07T04:18:43Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-215", - "value": "8:6.9.11.60+dfsg-1.6+deb12u1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" } ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/eed24b816e50c6cd18cbee0ff0d7218c8fced199" + "url": "https://git.kernel.org/stable/c/9a87375bb586515c0af63d5dcdcd58ec4acf20a6" }, { - "url": "https://git.kernel.org/stable/c/823ba1d2106019ddf195287ba53057aee33cf724" + "url": "https://git.kernel.org/stable/c/900b81caf00c89417172afe0e7e49ac4eb110f4b" }, { - "url": "https://git.kernel.org/stable/c/118a8cf504d7dfa519562d000f423ee3ca75d2c4" + "url": "https://git.kernel.org/stable/c/d86ad8c3e152349454b82f37007ff6ba45f26989" }, { - "url": "https://git.kernel.org/stable/c/47467e04816cb297905c0f09bc2d11ef865942d9" + "url": "https://git.kernel.org/stable/c/6347348c6aba52dda0b33296684cbb627bdc6970" + }, + { + "url": "https://git.kernel.org/stable/c/bbe068b24409ef740657215605284fc7cdddd491" + }, + { + "url": "https://git.kernel.org/stable/c/7cc94dd36e48879e76ae7a8daea4ff322b7d9674" + }, + { + "url": "https://git.kernel.org/stable/c/47d8aafcfe313511a98f165a54d0adceb34e54b1" + }, + { + "url": "https://git.kernel.org/stable/c/d534198311c345e4b062c4b88bb609efb8bd91d5" + }, + { + "url": "https://git.kernel.org/stable/c/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf" + }, + { + "url": "https://git.kernel.org/linus/9d5286d4e7f68beab450deddbb6a32edd5ecf4bf(6.9-rc1)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26590" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35809" } ], - "bom-ref": "vuln-82", + "bom-ref": "vuln-717", "ratings": [ { "severity": "none", - "score": 0.00045, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35809" } } ], - "created": "2024-02-22T17:15:09Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inconsistent per-file compression format\n\nEROFS can select compression algorithms on a per-file basis, and each\nper-file compression algorithm needs to be marked in the on-disk\nsuperblock for initialization.\n\nHowever, syzkaller can generate inconsistent crafted images that use\nan unsupported algorithmtype for specific inodes, e.g. use MicroLZMA\nalgorithmtype even it's not set in `sbi->available_compr_algs`. This\ncan lead to an unexpected \"BUG: kernel NULL pointer dereference\" if\nthe corresponding decompressor isn't built-in.\n\nFix this by checking against `sbi->available_compr_algs` for each\nm_algorithmformat request. Incorrect !erofs_sb_has_compr_cfgs preset\nbitmap is now fixed together since it was harmless previously.", + "created": "2024-05-17T14:15:14Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI/PM: Drain runtime-idle callbacks before driver removal\n\nA race condition between the .runtime_idle() callback and the .remove()\ncallback in the rtsx_pcr PCI driver leads to a kernel crash due to an\nunhandled page fault [1].\n\nThe problem is that rtsx_pci_runtime_idle() is not expected to be running\nafter pm_runtime_get_sync() has been called, but the latter doesn't really\nguarantee that. It only guarantees that the suspend and resume callbacks\nwill not be running when it returns.\n\nHowever, if a .runtime_idle() callback is already running when\npm_runtime_get_sync() is called, the latter will notice that the runtime PM\nstatus of the device is RPM_ACTIVE and it will return right away without\nwaiting for the former to complete. In fact, it cannot wait for\n.runtime_idle() to complete because it may be called from that callback (it\narguably does not make much sense to do that, but it is not strictly\nprohibited).\n\nThus in general, whoever is providing a .runtime_idle() callback needs\nto protect it from running in parallel with whatever code runs after\npm_runtime_get_sync(). [Note that .runtime_idle() will not start after\npm_runtime_get_sync() has returned, but it may continue running then if it\nhas started earlier.]\n\nOne way to address that race condition is to call pm_runtime_barrier()\nafter pm_runtime_get_sync() (not before it, because a nonzero value of the\nruntime PM usage counter is necessary to prevent runtime PM callbacks from\nbeing invoked) to wait for the .runtime_idle() callback to complete should\nit be running at that point. A suitable place for doing that is in\npci_device_remove() which calls pm_runtime_get_sync() before removing the\ndriver, so it may as well call pm_runtime_barrier() subsequently, which\nwill prevent the race in question from occurring, not just in the rtsx_pcr\ndriver, but in any PCI drivers providing .runtime_idle() callbacks.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26590", + "id": "CVE-2024-35809", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26590" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35809" }, "analysis": { "state": "in_triage" }, - "updated": "2024-03-01T14:15:54Z" + "updated": "2024-05-17T18:35:35Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] }, { "advisories": [ { - "url": "https://git.kernel.org/stable/c/78327acd4cdc4a1601af718b781eece577b6b7d4" + "url": "https://git.kernel.org/stable/c/119cae5ea3f9e35cdada8e572cc067f072fa825a" }, { - "url": "https://git.kernel.org/stable/c/c1317822e2de80e78f137d3a2d99febab1b80326" + "url": "https://git.kernel.org/stable/c/acc653e8a3aaab1b7103f98645f2cce7be89e3d3" }, { - "url": "https://git.kernel.org/stable/c/c9b528c35795b711331ed36dc3dbee90d5812d4e" + "url": "https://git.kernel.org/stable/c/5731369af2de21695fe7c1c91fe134fabe5b33b8" }, { - "url": "https://git.kernel.org/stable/c/6b0d48647935e4b8c7b75d1eccb9043fcd4ee581" + "url": "https://git.kernel.org/stable/c/775ed3549819f814a6ecef5726d2b4c23f249b77" }, { - "url": "https://git.kernel.org/stable/c/94ebf71bddbcd4ab1ce43ae32c6cb66396d2d51a" + "url": "https://git.kernel.org/stable/c/eda02a0bed550f07a8283d3e1f25b90a38e151ed" }, { - "url": "https://git.kernel.org/stable/c/ea42d6cffb0dd27a417f410b9d0011e9859328cb" + "url": "https://git.kernel.org/stable/c/a47d68d777b41862757b7e3051f2d46d6e25f87b" + }, + { + "url": "https://git.kernel.org/stable/c/d1261bde59a3a087ab0c81181821e194278d9264" + }, + { + "url": "https://git.kernel.org/stable/c/dca1d93fe42fb9c42b66f61714fbdc55c87eb002" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26601" + "url": "https://git.kernel.org/linus/119cae5ea3f9e35cdada8e572cc067f072fa825a(6.8)" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://git.kernel.org/linus/c9b528c35795b711331ed36dc3dbee90d5812d4e(6.8-rc3)" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27428" } ], - "bom-ref": "vuln-83", + "bom-ref": "vuln-718", "ratings": [ { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-27428" } } ], - "created": "2024-02-26T16:27:59Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: regenerate buddy after block freeing failed if under fc replay\n\nThis mostly reverts commit 6bd97bf273bd (\"ext4: remove redundant\nmb_regenerate_buddy()\") and reintroduces mb_regenerate_buddy(). Based on\ncode in mb_free_blocks(), fast commit replay can end up marking as free\nblocks that are already marked as such. This causes corruption of the\nbuddy bitmap so we need to regenerate it in that case.", + "created": "2024-05-17T12:15:15Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix data-races around sysctl_netrom_network_ttl_initialiser\n\nWe need to protect the reader reading the sysctl value because the\nvalue can be changed concurrently.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26601", + "id": "CVE-2024-27428", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26601" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27428" }, "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-01T14:15:54Z", + "updated": "2024-05-17T18:35:35Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T04:51:17Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" } ] }, { "advisories": [ { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24855" + "url": "https://lore.kernel.org/all/CA+UBctC3p49aTgzbVgkSZ2+TQcqq4fPDO7yZitFT5uBPDeCO2g@mail.gmail.com/" + }, + { + "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9c33663af9ad115f90c076a1828129a3fbadea98" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1210780" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6520-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2394" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6464-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6465-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6440-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6462-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6466-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6465-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6465-3" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6439-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6439-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-31083" + }, + { + "url": "https://git.kernel.org/bluetooth/bluetooth-next/c/ff1b86784849" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6516-1" } ], - "bom-ref": "vuln-84", + "bom-ref": "vuln-719", "ratings": [ { "severity": "medium", @@ -17442,219 +60928,230 @@ "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" } }, { "severity": "none", - "score": 0.00043, + "score": 0.00042, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-31083" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.\n\n\n\n\n", + "created": "2023-04-24T06:15:07Z", + "description": "An issue was discovered in drivers/bluetooth/hci_ldisc.c in the Linux kernel 6.2. In hci_uart_tty_ioctl, there is a race condition between HCIUARTSETPROTO and HCIUARTGETPROTO. HCI_UART_PROTO_SET is set before hu->proto is set. A NULL pointer dereference may occur.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24855", + "id": "CVE-2023-31083", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24855" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31083" }, "cwes": [ 362, 476 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-10T04:06:40Z" - }, - { - "advisories": [ - { - "url": "https://git.kernel.org/stable/c/0430bfcd46657d9116a26cd377f112cbc40826a4" - }, + "updated": "2024-03-25T01:15:54Z", + "properties": [ { - "url": "https://git.kernel.org/stable/c/14ef61594a5a286ae0d493b8acbf9eac46fd04c4" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://git.kernel.org/stable/c/486218c11e8d1c8f515a3bdd70d62203609d4b6b" - }, + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-17T04:12:02Z" + } + ] + }, + { + "advisories": [ { - "url": "https://git.kernel.org/stable/c/7104ba0f1958adb250319e68a15eff89ec4fd36d" + "url": "https://git.kernel.org/stable/c/b602f098f716723fa5c6c96a486e0afba83b7b94" }, { - "url": "https://git.kernel.org/stable/c/396e17af6761b3cc9e6e4ca94b4de7f642bfece1" + "url": "https://git.kernel.org/stable/c/752312f6a79440086ac0f9b08d7776870037323c" }, { - "url": "https://git.kernel.org/stable/c/be3b82e4871ba00e9b5d0ede92d396d579d7b3b3" + "url": "https://git.kernel.org/stable/c/1556c242e64cdffe58736aa650b0b395854fe4d4" }, { - "url": "https://git.kernel.org/stable/c/8cc889b9dea0579726be9520fcc766077890b462" + "url": "https://git.kernel.org/stable/c/2a9de42e8d3c82c6990d226198602be44f43f340" }, { - "url": "https://git.kernel.org/stable/c/8398d8d735ee93a04fb9e9f490e8cacd737e3bf5" + "url": "https://ubuntu.com/security/notices/USN-6765-1" }, { - "url": "https://git.kernel.org/linus/7104ba0f1958adb250319e68a15eff89ec4fd36d(6.8-rc3)" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26600" + "url": "https://git.kernel.org/linus/2a9de42e8d3c82c6990d226198602be44f43f340(6.8-rc1)" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-52632" } ], - "bom-ref": "vuln-85", + "bom-ref": "vuln-720", "ratings": [ { "severity": "none", - "score": 0.00044, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-52632" } } ], - "created": "2024-02-26T16:27:59Z", - "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nphy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP\n\nIf the external phy working together with phy-omap-usb2 does not implement\nsend_srp(), we may still attempt to call it. This can happen on an idle\nEthernet gadget triggering a wakeup for example:\n\nconfigfs-gadget.g1 gadget.0: ECM Suspend\nconfigfs-gadget.g1 gadget.0: Port suspended. Triggering wakeup\n...\nUnable to handle kernel NULL pointer dereference at virtual address\n00000000 when execute\n...\nPC is at 0x0\nLR is at musb_gadget_wakeup+0x1d4/0x254 [musb_hdrc]\n...\nmusb_gadget_wakeup [musb_hdrc] from usb_gadget_wakeup+0x1c/0x3c [udc_core]\nusb_gadget_wakeup [udc_core] from eth_start_xmit+0x3b0/0x3d4 [u_ether]\neth_start_xmit [u_ether] from dev_hard_start_xmit+0x94/0x24c\ndev_hard_start_xmit from sch_direct_xmit+0x104/0x2e4\nsch_direct_xmit from __dev_queue_xmit+0x334/0xd88\n__dev_queue_xmit from arp_solicit+0xf0/0x268\narp_solicit from neigh_probe+0x54/0x7c\nneigh_probe from __neigh_event_send+0x22c/0x47c\n__neigh_event_send from neigh_resolve_output+0x14c/0x1c0\nneigh_resolve_output from ip_finish_output2+0x1c8/0x628\nip_finish_output2 from ip_send_skb+0x40/0xd8\nip_send_skb from udp_send_skb+0x124/0x340\nudp_send_skb from udp_sendmsg+0x780/0x984\nudp_sendmsg from __sys_sendto+0xd8/0x158\n__sys_sendto from ret_fast_syscall+0x0/0x58\n\nLet's fix the issue by checking for send_srp() and set_vbus() before\ncalling them. For USB peripheral only cases these both could be NULL.", + "created": "2024-04-02T07:15:41Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Fix lock dependency warning with srcu\n\n======================================================\nWARNING: possible circular locking dependency detected\n6.5.0-kfd-yangp #2289 Not tainted\n------------------------------------------------------\nkworker/0:2/996 is trying to acquire lock:\n (srcu){.+.+}-{0:0}, at: __synchronize_srcu+0x5/0x1a0\n\nbut task is already holding lock:\n ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}, at:\n\tprocess_one_work+0x211/0x560\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-> #3 ((work_completion)(&svms->deferred_list_work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n svm_range_list_lock_and_flush_work+0x3d/0x110 [amdgpu]\n svm_range_set_attr+0xd6/0x14c0 [amdgpu]\n kfd_ioctl+0x1d1/0x630 [amdgpu]\n __x64_sys_ioctl+0x88/0xc0\n\n-> #2 (&info->lock#2){+.+.}-{3:3}:\n __mutex_lock+0x99/0xc70\n amdgpu_amdkfd_gpuvm_restore_process_bos+0x54/0x740 [amdgpu]\n restore_process_helper+0x22/0x80 [amdgpu]\n restore_process_worker+0x2d/0xa0 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\n-> #1 ((work_completion)(&(&process->restore_work)->work)){+.+.}-{0:0}:\n __flush_work+0x88/0x4f0\n __cancel_work_timer+0x12c/0x1c0\n kfd_process_notifier_release_internal+0x37/0x1f0 [amdgpu]\n __mmu_notifier_release+0xad/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n do_exit+0x322/0xb90\n do_group_exit+0x37/0xa0\n __x64_sys_exit_group+0x18/0x20\n do_syscall_64+0x38/0x80\n\n-> #0 (srcu){.+.+}-{0:0}:\n __lock_acquire+0x1521/0x2510\n lock_sync+0x5f/0x90\n __synchronize_srcu+0x4f/0x1a0\n __mmu_notifier_release+0x128/0x240\n exit_mmap+0x6a/0x3a0\n mmput+0x6a/0x120\n svm_range_deferred_list_work+0x19f/0x350 [amdgpu]\n process_one_work+0x29b/0x560\n worker_thread+0x3d/0x3d0\n\nother info that might help us debug this:\nChain exists of:\n srcu --> &info->lock#2 --> (work_completion)(&svms->deferred_list_work)\n\nPossible unsafe locking scenario:\n\n CPU0 CPU1\n ---- ----\n lock((work_completion)(&svms->deferred_list_work));\n lock(&info->lock#2);\n\t\t\tlock((work_completion)(&svms->deferred_list_work));\n sync(srcu);", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-26600", + "id": "CVE-2023-52632", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26600" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52632" }, "analysis": { "state": "in_triage" }, - "updated": "2024-02-26T16:32:25Z" + "updated": "2024-04-02T12:50:42Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.82-1" + } + ] }, { "advisories": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256786" + "url": "https://git.kernel.org/stable/c/b0ad381fa7690244802aed119b478b4bdafc31dd" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-6270" + "url": "https://git.kernel.org/stable/c/ded566b4637f1b6b4c9ba74e7d0b8493e93f19cf" + }, + { + "url": "https://git.kernel.org/stable/c/89bca7fe6382d61e88c67a0b0e7bce315986fb8b" + }, + { + "url": "https://git.kernel.org/linus/b0ad381fa7690244802aed119b478b4bdafc31dd(6.8-rc6)" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6270" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-35784" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-86", + "bom-ref": "vuln-721", "ratings": [ { "severity": "none", - "score": 0.00042, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "high", - "score": 7.0, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35784" } } ], - "created": "2024-01-04T17:15:08Z", - "description": "A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.", + "created": "2024-05-17T13:15:58Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix deadlock with fiemap and extent locking\n\nWhile working on the patchset to remove extent locking I got a lockdep\nsplat with fiemap and pagefaulting with my new extent lock replacement\nlock.\n\nThis deadlock exists with our normal code, we just don't have lockdep\nannotations with the extent locking so we've never noticed it.\n\nSince we're copying the fiemap extent to user space on every iteration\nwe have the chance of pagefaulting. Because we hold the extent lock for\nthe entire range we could mkwrite into a range in the file that we have\nmmap'ed. This would deadlock with the following stack trace\n\n[<0>] lock_extent+0x28d/0x2f0\n[<0>] btrfs_page_mkwrite+0x273/0x8a0\n[<0>] do_page_mkwrite+0x50/0xb0\n[<0>] do_fault+0xc1/0x7b0\n[<0>] __handle_mm_fault+0x2fa/0x460\n[<0>] handle_mm_fault+0xa4/0x330\n[<0>] do_user_addr_fault+0x1f4/0x800\n[<0>] exc_page_fault+0x7c/0x1e0\n[<0>] asm_exc_page_fault+0x26/0x30\n[<0>] rep_movs_alternative+0x33/0x70\n[<0>] _copy_to_user+0x49/0x70\n[<0>] fiemap_fill_next_extent+0xc8/0x120\n[<0>] emit_fiemap_extent+0x4d/0xa0\n[<0>] extent_fiemap+0x7f8/0xad0\n[<0>] btrfs_fiemap+0x49/0x80\n[<0>] __x64_sys_ioctl+0x3e1/0xb50\n[<0>] do_syscall_64+0x94/0x1a0\n[<0>] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n\nI wrote an fstest to reproduce this deadlock without my replacement lock\nand verified that the deadlock exists with our existing locking.\n\nTo fix this simply don't take the extent lock for the entire duration of\nthe fiemap. This is safe in general because we keep track of where we\nare when we're searching the tree, so if an ordered extent updates in\nthe middle of our fiemap call we'll still emit the correct extents\nbecause we know what offset we were on before.\n\nThe only place we maintain the lock is searching delalloc. Since the\ndelalloc stuff can change during writeback we want to lock the extent\nrange so we have a consistent view of delalloc at the time we're\nchecking to see if we need to set the delalloc flag.\n\nWith this patch applied we no longer deadlock with my testcase.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2023-6270", + "id": "CVE-2024-35784", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6270" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35784" }, - "cwes": [ - 416 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-01-10T15:59:25Z" + "updated": "2024-05-17T18:35:35Z" }, { "advisories": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + "url": "https://git.kernel.org/stable/c/083e750c9f5f4c3bf61161330fb84d7c8e8bb417" }, { - "url": "https://lore.kernel.org/all/20231222161317.6255-1-2045gemini@gmail.com/T/" + "url": "https://git.kernel.org/stable/c/ee0bd4ad780dfbb60355b99f25063357ab488267" + }, + { + "url": "https://git.kernel.org/stable/c/de87511fb0404d23b6da5f4660383b6ed095e28d" + }, + { + "url": "https://git.kernel.org/stable/c/6ec0d88166dac43f29e96801c0927d514f17add9" + }, + { + "url": "https://git.kernel.org/stable/c/250219c6a556f8c69c5910fca05a59037e24147d" + }, + { + "url": "https://git.kernel.org/stable/c/a563fc18583ca4f42e2fdd0c70c7c618288e7ede" + }, + { + "url": "https://git.kernel.org/stable/c/7447d911af699a15f8d050dfcb7c680a86f87012" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-26814" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24858" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" } ], - "bom-ref": "vuln-87", + "bom-ref": "vuln-722", "ratings": [ - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" - } - }, { "severity": "none", "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26814" } } ], - "created": "2024-02-05T08:15:44Z", - "description": "A race condition was found in the Linux kernel's net/bluetooth in {conn,adv}_{min,max}_interval_set() function. This can result in I2cap connection or broadcast abnormality issue, possibly leading to denial of service.\n\n\n\n\n", + "created": "2024-04-05T09:15:09Z", + "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/fsl-mc: Block calling interrupt handler without trigger\n\nThe eventfd_ctx trigger pointer of the vfio_fsl_mc_irq object is\ninitially NULL and may become NULL if the user sets the trigger\neventfd to -1. The interrupt handler itself is guaranteed that\ntrigger is always valid between request_irq() and free_irq(), but\nthe loopback testing mechanisms to invoke the handler function\nneed to test the trigger. The triggering and setting ioctl paths\nboth make use of igate and are therefore mutually exclusive.\n\nThe vfio-fsl-mc driver does not make use of irqfds, nor does it\nsupport any sort of masking operations, therefore unlike vfio-pci\nand vfio-platform, the flow can remain essentially unchanged.", "affects": [ { "ref": "comp-399" } ], - "id": "CVE-2024-24858", + "id": "CVE-2024-26814", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24858" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26814" }, - "cwes": [ - 362 - ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-10T04:06:20Z" + "updated": "2024-04-13T12:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", + "value": "0:6.1.85-1" + } + ] } ] } diff --git a/entrypoint/tests/test_data/scans/php:latest.json.scan b/entrypoint/tests/test_data/scans/php:latest.json.scan index 60c10fe..049813b 100644 --- a/entrypoint/tests/test_data/scans/php:latest.json.scan +++ b/entrypoint/tests/test_data/scans/php:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "7" } ], - "timestamp": "2024-03-05T15:15:12.500Z" + "timestamp": "2024-05-22T15:41:05.576Z" }, "components": [ { @@ -47,7 +51,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -88,7 +92,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -101,7 +105,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -129,7 +133,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -142,7 +146,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -155,7 +159,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -168,7 +172,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -181,7 +185,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -194,7 +198,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -207,7 +211,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -217,13 +221,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -235,7 +233,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -263,7 +261,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -276,7 +274,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -289,7 +287,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -304,7 +302,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -317,7 +315,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -330,7 +328,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -343,7 +341,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -371,7 +369,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -384,7 +382,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -397,7 +395,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -410,7 +408,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -438,7 +436,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -451,7 +449,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -466,7 +464,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -507,7 +505,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -559,7 +557,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -574,7 +572,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -587,7 +585,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -602,7 +600,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -615,7 +613,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -637,7 +635,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -678,7 +676,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -706,7 +704,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -734,7 +732,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -747,7 +745,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -760,7 +758,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -775,7 +773,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -788,7 +786,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -801,7 +799,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -836,7 +834,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -864,7 +862,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -892,7 +890,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -920,7 +918,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -933,7 +931,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -946,7 +944,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -959,7 +957,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -974,7 +972,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -987,7 +985,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1002,7 +1000,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1015,7 +1013,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1028,7 +1026,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1043,7 +1041,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1056,7 +1054,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1071,7 +1069,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1084,7 +1082,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1112,7 +1110,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1151,7 +1149,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1179,7 +1177,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1220,7 +1218,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1233,7 +1231,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1248,7 +1246,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1261,7 +1259,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1302,7 +1300,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1330,7 +1328,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1358,7 +1356,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1371,7 +1369,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1381,13 +1379,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -1399,7 +1391,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1427,7 +1419,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1455,7 +1447,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1483,7 +1475,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1496,7 +1488,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1509,7 +1501,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1522,7 +1514,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1537,7 +1529,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1550,7 +1542,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1563,7 +1555,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1576,7 +1568,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1591,7 +1583,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1619,7 +1611,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1647,7 +1639,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1660,7 +1652,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1673,7 +1665,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1699,7 +1691,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1712,7 +1704,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1725,179 +1717,221 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] } ], - "serialNumber": "urn:uuid:1b1512e4-5756-40a7-939e-e8cbac621fa4", + "serialNumber": "urn:uuid:fda8089a-4fe1-46a1-901e-abcb2952fef4", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" - }, - { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" }, { - "url": "https://kb.isc.org/docs/cve-2023-50387" + "url": "https://ubuntu.com/security/notices/USN-6762-1" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://ubuntu.com/security/notices/USN-6737-1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://access.redhat.com/errata/RHSA-2024:2722" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" - }, + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-1", + "ratings": [ { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" - }, + "ref": "comp-99" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" - }, + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-2", + "ratings": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6633-1" - }, + "ref": "comp-99" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-1", + "bom-ref": "vuln-3", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } - }, { "severity": "none", - "score": 0.0366, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "affects": [ { - "ref": "comp-43" + "ref": "comp-99" } ], - "id": "CVE-2023-50387", + "id": "CVE-2024-33600", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" }, "cwes": [ - 770 + 476 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:2.36-9+deb12u7" } ] }, @@ -1917,12 +1951,9 @@ }, { "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" } ], - "bom-ref": "vuln-2", + "bom-ref": "vuln-4", "ratings": [ { "severity": "medium", @@ -1938,10 +1969,10 @@ "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" } } ], @@ -1971,107 +2002,639 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "value": "2024-05-18T04:18:41Z" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" - }, + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-5", + "ratings": [ { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, + "ref": "comp-99" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://ubuntu.com/security/notices/USN-6719-2" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://ubuntu.com/security/notices/USN-6719-1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" - }, + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-6", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" - }, + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" - }, + "ref": "comp-8" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-8", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" }, { "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, { "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, + { + "url": "https://support.microsoft.com/help/5034770" + }, { "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-43" + } + ], + "id": "CVE-2023-50387", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "affects": [ + { + "ref": "comp-99" + } + ], + "id": "CVE-2024-33599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-99", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" + }, + { + "url": "https://datatracker.ietf.org/doc/html/rfc5155" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-9", "ratings": [ { "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" } } ], @@ -2090,7 +2653,7 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2098,7 +2661,7 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "value": "2024-05-20T06:17:55Z" } ] } diff --git a/entrypoint/tests/test_data/scans/postgres:latest.json.scan b/entrypoint/tests/test_data/scans/postgres:latest.json.scan index 9a928d8..06221ab 100644 --- a/entrypoint/tests/test_data/scans/postgres:latest.json.scan +++ b/entrypoint/tests/test_data/scans/postgres:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "9" } ], - "timestamp": "2024-03-05T15:15:13.810Z" + "timestamp": "2024-05-22T15:41:06.886Z" }, "components": [ { @@ -58,7 +62,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -73,7 +77,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -86,7 +90,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -99,7 +103,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -112,7 +116,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -122,13 +126,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -140,7 +138,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -153,7 +151,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -168,7 +166,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -196,7 +194,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -209,7 +207,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -235,7 +233,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -263,7 +261,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -289,7 +287,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -304,7 +302,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -332,7 +330,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -360,7 +358,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -401,7 +399,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -414,7 +412,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -427,7 +425,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -440,7 +438,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -453,7 +451,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -466,7 +464,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -479,7 +477,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -489,13 +487,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "bom-ref": "comp-36", @@ -520,7 +512,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -548,7 +540,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -574,7 +566,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -589,7 +581,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -602,7 +594,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -615,7 +607,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -628,7 +620,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -656,7 +648,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -669,7 +661,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -682,7 +674,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -704,7 +696,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -717,7 +709,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -745,7 +737,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -758,7 +750,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -773,7 +765,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -786,7 +778,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -814,7 +806,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -827,7 +819,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -840,7 +832,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -853,7 +845,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -866,7 +858,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -879,7 +871,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -892,7 +884,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -905,7 +897,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -918,7 +910,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -931,7 +923,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -944,7 +936,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -972,7 +964,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1000,7 +992,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1013,7 +1005,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1041,7 +1033,7 @@ "version": "2.5.13%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1069,7 +1061,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1097,7 +1089,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1125,7 +1117,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1138,7 +1130,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1151,7 +1143,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1166,7 +1158,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1179,7 +1171,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1194,7 +1186,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1207,7 +1199,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1233,7 +1225,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1246,7 +1238,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1274,7 +1266,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1287,7 +1279,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1300,7 +1292,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1315,7 +1307,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1328,7 +1320,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1343,7 +1335,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1356,7 +1348,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1369,7 +1361,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1397,7 +1389,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1425,7 +1417,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1438,7 +1430,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1453,7 +1445,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1466,7 +1458,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1479,7 +1471,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1494,7 +1486,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1520,7 +1512,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1530,13 +1522,7 @@ "name": "less", "purl": "pkg:deb/debian/less@590-2?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "590-2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "590-2" }, { "components": [ @@ -1548,7 +1534,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1576,7 +1562,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1604,7 +1590,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1617,7 +1603,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1630,7 +1616,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1643,7 +1629,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1669,7 +1655,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1684,7 +1670,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1725,7 +1711,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1753,7 +1739,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1766,7 +1752,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1781,7 +1767,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1794,7 +1780,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1822,7 +1808,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1835,7 +1821,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1861,7 +1847,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1876,7 +1862,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1904,7 +1890,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1932,7 +1918,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1945,7 +1931,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1967,7 +1953,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1980,7 +1966,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1993,7 +1979,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2008,7 +1994,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2034,7 +2020,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2049,7 +2035,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2062,7 +2048,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2077,7 +2063,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2105,7 +2091,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2118,7 +2104,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2131,7 +2117,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2144,7 +2130,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2185,7 +2171,7 @@ "value": "/usr/local/bin/gosu" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2208,7 +2194,7 @@ ] } ], - "serialNumber": "urn:uuid:60d6c1db-ead7-47c4-866e-871432b2905f", + "serialNumber": "urn:uuid:be17d2c0-3696-4838-b74c-719cca8a450a", "bomFormat": "CycloneDX", "vulnerabilities": [ { @@ -2265,19 +2251,58 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + "url": "https://ubuntu.com/security/notices/USN-6657-1" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://ubuntu.com/security/notices/USN-6657-2" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" }, { "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" @@ -2286,161 +2311,138 @@ "url": "https://access.redhat.com/errata/RHSA-2024:0965" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://access.redhat.com/errata/RHSA-2024:1334" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://ubuntu.com/security/notices/USN-6723-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://access.redhat.com/errata/RHSA-2024:2587" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2821" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "url": "https://access.redhat.com/errata/RHSA-2024:1335" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://access.redhat.com/errata/RHSA-2024:1801" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://access.redhat.com/errata/RHSA-2024:1647" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://ubuntu.com/security/notices/USN-6642-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" - } - ], - "bom-ref": "vuln-1", - "ratings": [ + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } + "url": "https://access.redhat.com/errata/RHSA-2024:1804" }, { - "severity": "none", - "score": 0.0366, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", - "affects": [ + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, { - "ref": "comp-141" - } - ], - "id": "CVE-2023-50387", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - }, - "cwes": [ - 770 - ], - "analysis": { - "state": "exploitable" - }, - "updated": "2024-03-04T03:15:06Z", - "properties": [ + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "url": "https://access.redhat.com/errata/RHSA-2024:1522" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" - } - ] - }, - { - "advisories": [ + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://access.redhat.com/errata/RHSA-2024:2890" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://access.redhat.com/errata/RHSA-2024:2721" } ], - "bom-ref": "vuln-2", + "bom-ref": "vuln-1", "ratings": [ { - "severity": "medium", - "score": 4.8, + "severity": "high", + "score": 7.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" } }, { "severity": "none", - "score": 0.00046, + "score": 0.0366, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "affects": [ { - "ref": "comp-47" + "ref": "comp-141" } ], - "id": "CVE-2023-4039", + "id": "CVE-2023-50387", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" }, "cwes": [ - 693 + 770 ], "analysis": { "state": "exploitable" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2448,7 +2450,7 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "value": "2024-05-18T05:37:06Z" } ] }, @@ -2506,11 +2508,38 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, { "url": "https://ubuntu.com/security/notices/USN-6642-1" }, @@ -2518,37 +2547,100 @@ "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:2696" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://access.redhat.com/errata/RHSA-2024:1782" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://access.redhat.com/errata/RHSA-2024:1543" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://access.redhat.com/errata/RHSA-2024:1545" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1522" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-2", "ratings": [ { "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" } } ], @@ -2567,7 +2659,7 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2575,7 +2667,589 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-3", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-4" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-4", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-32487" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068938" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6756-1" + } + ], + "bom-ref": "vuln-4", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32487" + } + } + ], + "created": "2024-04-13T15:15:52Z", + "description": "less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.", + "affects": [ + { + "ref": "comp-112" + } + ], + "id": "CVE-2024-32487", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32487" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:24Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-112", + "value": "0:590-2.1~deb12u2" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-5", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "affects": [ + { + "ref": "comp-4" + } + ], + "id": "CVE-2024-33599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-4", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://access.redhat.com/errata/RHSA-2024:1989" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1924.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6664-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1692" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2022-48624" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1875" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2485.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-123.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1610" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064293" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-48624" + } + } + ], + "created": "2024-02-19T01:15:48Z", + "description": "close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.", + "affects": [ + { + "ref": "comp-112" + } + ], + "id": "CVE-2022-48624", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48624" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-02-20T19:50:53Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-112", + "value": "0:590-2.1~deb12u2" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-4" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-4", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-4" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-4", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-4" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-4", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-10", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-47" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" + }, + { + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" + }, + { + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-11", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ + { + "ref": "comp-28" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-28", + "value": "0:2.38.1-5+deb12u1" } ] } diff --git a/entrypoint/tests/test_data/scans/python:latest.json.scan b/entrypoint/tests/test_data/scans/python:latest.json.scan index e06ee67..b0f7d54 100644 --- a/entrypoint/tests/test_data/scans/python:latest.json.scan +++ b/entrypoint/tests/test_data/scans/python:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "11" } ], - "timestamp": "2024-03-05T15:15:15.262Z" + "timestamp": "2024-05-22T15:41:08.254Z" }, "components": [ { @@ -113,7 +117,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -126,7 +130,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -141,7 +145,7 @@ "version": "1.52.0-1%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -151,13 +155,7 @@ "name": "nghttp2", "purl": "pkg:deb/debian/nghttp2@1.52.0-1%2Bdeb12u1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "1.52.0-1%2Bdeb12u1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.52.0-1%2Bdeb12u1" }, { "components": [ @@ -169,7 +167,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -182,7 +180,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -197,7 +195,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -225,7 +223,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -238,7 +236,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -251,7 +249,7 @@ "version": "6.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -266,7 +264,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -279,7 +277,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -292,7 +290,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -314,7 +312,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -327,7 +325,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -342,7 +340,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -355,7 +353,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -368,7 +366,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -383,7 +381,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -411,7 +409,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -424,7 +422,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -439,7 +437,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -452,7 +450,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -480,7 +478,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -506,7 +504,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -521,7 +519,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -534,7 +532,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -547,7 +545,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -560,7 +558,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -601,7 +599,7 @@ "version": "1.0.9-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -629,7 +627,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -657,7 +655,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -670,7 +668,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -683,7 +681,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -711,7 +709,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -739,7 +737,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -752,7 +750,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -765,7 +763,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -778,7 +776,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -806,7 +804,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -819,7 +817,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -834,7 +832,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -847,7 +845,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -875,7 +873,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -888,7 +886,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -901,7 +899,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -914,7 +912,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -942,7 +940,7 @@ "version": "3.0.11-1%7Edeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -962,7 +960,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -975,7 +973,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1016,7 +1014,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1029,7 +1027,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1044,7 +1042,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1057,7 +1055,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1070,7 +1068,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1085,7 +1083,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1098,7 +1096,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1111,7 +1109,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1124,7 +1122,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1137,7 +1135,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1150,7 +1148,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1163,7 +1161,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1173,13 +1171,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -1191,7 +1183,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1201,13 +1193,7 @@ "name": "curl", "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "7.88.1-10%2Bdeb12u5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "7.88.1-10%2Bdeb12u5" }, { "components": [ @@ -1219,7 +1205,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1232,7 +1218,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1247,7 +1233,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1275,7 +1261,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1303,7 +1289,7 @@ "version": "1.10.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1329,7 +1315,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1357,7 +1343,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1370,7 +1356,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1396,7 +1382,7 @@ "version": "20230311", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1424,7 +1410,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1437,7 +1423,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1465,7 +1451,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1491,7 +1477,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1506,7 +1492,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1534,7 +1520,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1562,7 +1548,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1590,7 +1576,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1603,7 +1589,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1616,7 +1602,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1629,7 +1615,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1642,7 +1628,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1655,7 +1641,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1668,7 +1654,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1681,7 +1667,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1694,7 +1680,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1707,7 +1693,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1720,7 +1706,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1748,7 +1734,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1776,7 +1762,7 @@ "version": "2.4%2B20151223.gitfa8646d.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1817,7 +1803,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1830,7 +1816,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1845,7 +1831,7 @@ "version": "2.5.13%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1873,7 +1859,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1901,7 +1887,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1929,7 +1915,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1942,7 +1928,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1957,7 +1943,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1985,7 +1971,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2013,7 +1999,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2026,7 +2012,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2039,7 +2025,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2052,7 +2038,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2080,7 +2066,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2093,7 +2079,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2121,7 +2107,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2134,7 +2120,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2154,7 +2140,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2169,7 +2155,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2195,7 +2181,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2210,7 +2196,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2238,7 +2224,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2251,7 +2237,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2266,7 +2252,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2279,7 +2265,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2307,7 +2293,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2320,7 +2306,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2330,13 +2316,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -2348,7 +2328,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2374,7 +2354,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2389,7 +2369,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2402,7 +2382,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2417,7 +2397,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2469,7 +2449,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2482,7 +2462,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2497,7 +2477,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2510,7 +2490,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2525,7 +2505,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2538,15 +2518,72 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] } ], - "serialNumber": "urn:uuid:cc17f846-994e-47ed-a898-35d2ab3ba206", + "serialNumber": "urn:uuid:21324020-8af4-473d-9d55-f842c3d6c92c", "bomFormat": "CycloneDX", "vulnerabilities": [ + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-1", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-168" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-168", + "value": "0:2.36-9+deb12u7" + } + ] + }, { "advisories": [ { @@ -2559,13 +2596,13 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + "url": "https://kb.isc.org/docs/cve-2023-50868" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://datatracker.ietf.org/doc/html/rfc5155" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" @@ -2576,9 +2613,6 @@ { "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" }, - { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, { "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" }, @@ -2588,11 +2622,14 @@ { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" @@ -2601,204 +2638,127 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" - }, - { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" }, - { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" - }, { "url": "https://ubuntu.com/security/notices/USN-6657-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://ubuntu.com/security/notices/USN-6657-2" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" - }, - { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6642-1" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6665-1" - }, - { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6633-1" - }, - { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://access.redhat.com/errata/RHSA-2024:1801" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://access.redhat.com/errata/RHSA-2024:1647" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://access.redhat.com/errata/RHSA-2024:1804" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" - } - ], - "bom-ref": "vuln-1", - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } + "url": "https://ubuntu.com/security/notices/USN-6642-1" }, { - "severity": "none", - "score": 0.0366, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", - "affects": [ - { - "ref": "comp-154" - } - ], - "id": "CVE-2023-50387", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - }, - "cwes": [ - 770 - ], - "analysis": { - "state": "exploitable" - }, - "updated": "2024-03-04T03:15:06Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" - } - ] - }, - { - "advisories": [ - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://access.redhat.com/errata/RHSA-2024:2696" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://access.redhat.com/errata/RHSA-2024:1782" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:1543" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://access.redhat.com/errata/RHSA-2024:1545" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://access.redhat.com/errata/RHSA-2024:1522" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://access.redhat.com/errata/RHSA-2024:1544" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://access.redhat.com/errata/RHSA-2024:1789" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + "url": "https://access.redhat.com/errata/RHSA-2024:1800" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2890" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://access.redhat.com/errata/RHSA-2024:2551" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://access.redhat.com/errata/RHSA-2024:1781" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0965" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://ubuntu.com/security/notices/USN-6633-1" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2720" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1334" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://access.redhat.com/errata/RHSA-2024:2587" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://ubuntu.com/security/notices/USN-6723-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://access.redhat.com/errata/RHSA-2024:2821" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2721" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://access.redhat.com/errata/RHSA-2024:1335" } ], "bom-ref": "vuln-2", @@ -2807,10 +2767,10 @@ "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" } } ], @@ -2829,7 +2789,7 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2837,303 +2797,1240 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "value": "2024-05-20T06:17:55Z" } ] }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" }, { - "url": "https://www.openssl.org/news/secadv/20231106.txt" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" + "url": "https://www.isc.org/blogs/2024-bind-security-release/" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + "url": "https://kb.isc.org/docs/cve-2023-50387" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-3", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-154" + } + ], + "id": "CVE-2023-50387", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240109.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + } + ], + "bom-ref": "vuln-4", + "ratings": [ + { + "severity": "none", + "score": 0.00194, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6129" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + } + } + ], + "created": "2024-01-09T17:15:12Z", + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "affects": [ + { + "ref": "comp-67" + } + ], + "id": "CVE-2023-6129", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2402845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-2" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-5", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ + { + "ref": "comp-86" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2910" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" + } + } + ], + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", + "affects": [ + { + "ref": "comp-8" + } + ], + "id": "CVE-2024-28182", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" + }, + { + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" + }, + { + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-2" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ + { + "ref": "comp-78" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-78", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1318" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1319" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1325" }, { "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + } + }, + { + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5678" + } + } + ], + "created": "2023-11-06T16:15:42Z", + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "affects": [ + { + "ref": "comp-67" + } + ], + "id": "CVE-2023-5678", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-168" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-168", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240115.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" + } + ], + "bom-ref": "vuln-10", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6237" + } + } + ], + "created": "2024-04-25T07:15:45Z", + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-67" + } + ], + "id": "CVE-2023-6237", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-11", "ratings": [ { "severity": "none", - "score": 0.00079, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" } } ], - "created": "2023-11-06T16:15:42Z", - "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "affects": [ { - "ref": "comp-67" + "ref": "comp-168" } ], - "id": "CVE-2023-5678", + "id": "CVE-2024-33601", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" }, "cwes": [ - 754 + 617 ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-30T22:15:09Z" + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-168", + "value": "0:2.36-9+deb12u7" + } + ] }, { "advisories": [ { - "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" }, { - "url": "https://www.openssl.org/news/secadv/20240125.txt" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" }, { - "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + "url": "https://hackerone.com/reports/2384833" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://ubuntu.com/security/notices/USN-6718-3" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" } ], - "bom-ref": "vuln-4", + "bom-ref": "vuln-12", "ratings": [ { "severity": "none", - "score": 0.00228, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "affects": [ + { + "ref": "comp-86" + } + ], + "id": "CVE-2024-2004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T17:15:32Z" + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-13", + "ratings": [ { "severity": "medium", - "score": 5.5, + "score": 4.8, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" } } ], - "created": "2024-01-26T09:15:07Z", - "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", "affects": [ { - "ref": "comp-67" + "ref": "comp-17" } ], - "id": "CVE-2024-0727", + "id": "CVE-2023-4039", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" }, + "cwes": [ + 693 + ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-08T10:15:13Z" + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] }, { "advisories": [ { - "url": "https://www.openssl.org/news/secadv/20240109.txt" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129" + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" } ], - "bom-ref": "vuln-5", + "bom-ref": "vuln-14", "ratings": [ { "severity": "none", - "score": 0.00061, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" } } ], - "created": "2024-01-09T17:15:12Z", - "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", "affects": [ { - "ref": "comp-67" + "ref": "comp-168" } ], - "id": "CVE-2023-6129", + "id": "CVE-2024-2961", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" }, "cwes": [ 787 ], "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-16T13:15:09Z" + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-168", + "value": "0:2.36-9+deb12u6" + } + ] }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://www.openssl.org/news/secadv/20240125.txt" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-005.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2478.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2479.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" } ], - "bom-ref": "vuln-6", + "bom-ref": "vuln-15", "ratings": [ + { + "severity": "none", + "score": 0.00228, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0727" + } + }, { "severity": "medium", - "score": 4.8, + "score": 5.5, "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" } + } + ], + "created": "2024-01-26T09:15:07Z", + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "affects": [ + { + "ref": "comp-67" + } + ], + "id": "CVE-2024-0727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:13Z" + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-16", + "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", "affects": [ { - "ref": "comp-17" + "ref": "comp-168" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-33599", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" }, "cwes": [ - 693 + 121 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-168", + "value": "0:2.36-9+deb12u7" } ] } diff --git a/entrypoint/tests/test_data/scans/redis:latest.json.scan b/entrypoint/tests/test_data/scans/redis:latest.json.scan index 591eb99..ad92b63 100644 --- a/entrypoint/tests/test_data/scans/redis:latest.json.scan +++ b/entrypoint/tests/test_data/scans/redis:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "7" } ], - "timestamp": "2024-03-05T15:15:16.699Z" + "timestamp": "2024-05-22T15:41:09.700Z" }, "components": [ { @@ -60,7 +64,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -73,7 +77,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -88,7 +92,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -101,7 +105,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -114,7 +118,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -127,7 +131,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -179,7 +183,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -194,7 +198,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -235,7 +239,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -261,7 +265,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -274,7 +278,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -287,7 +291,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -315,7 +319,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -328,7 +332,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -343,7 +347,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -371,7 +375,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -397,7 +401,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -412,7 +416,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -440,7 +444,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -468,7 +472,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -481,7 +485,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -496,7 +500,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -524,7 +528,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -537,7 +541,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -547,13 +551,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -565,7 +563,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -593,7 +591,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -606,7 +604,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -619,7 +617,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -634,7 +632,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -647,7 +645,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -682,7 +680,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -695,7 +693,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -708,7 +706,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -728,7 +726,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -743,7 +741,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -771,7 +769,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -799,7 +797,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -840,7 +838,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -853,7 +851,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -881,7 +879,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -894,7 +892,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -922,7 +920,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -935,7 +933,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -948,7 +946,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -961,7 +959,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1002,7 +1000,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1043,7 +1041,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1071,7 +1069,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1097,7 +1095,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1112,7 +1110,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1125,7 +1123,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1138,7 +1136,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1151,7 +1149,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1164,7 +1162,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1177,7 +1175,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1190,7 +1188,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1200,13 +1198,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "bom-ref": "comp-89", @@ -1216,7 +1208,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1231,7 +1223,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1244,7 +1236,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1259,7 +1251,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1272,7 +1264,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1285,7 +1277,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1300,7 +1292,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1326,7 +1318,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1339,7 +1331,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1354,7 +1346,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1367,7 +1359,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1382,7 +1374,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1395,7 +1387,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1410,7 +1402,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1423,7 +1415,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1451,7 +1443,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1464,7 +1456,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1479,7 +1471,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1507,7 +1499,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1535,7 +1527,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1563,7 +1555,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1576,7 +1568,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1591,7 +1583,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1604,7 +1596,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1617,7 +1609,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1645,7 +1637,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1673,7 +1665,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1686,7 +1678,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1699,7 +1691,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1725,7 +1717,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1753,7 +1745,7 @@ "value": "/usr/local/bin/gosu" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1776,133 +1768,202 @@ ] } ], - "serialNumber": "urn:uuid:a84fb626-206b-4b68-b8d9-fcc47b5a884a", + "serialNumber": "urn:uuid:7a4d951e-6b17-4a36-8a61-6bbfcfd67b40", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://ubuntu.com/security/notices/USN-6719-2" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://ubuntu.com/security/notices/USN-6719-1" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" - }, + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" + } + ], + "bom-ref": "vuln-1", + "ratings": [ { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" + } + } + ], + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", + "affects": [ { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" - }, + "ref": "comp-81" + } + ], + "id": "CVE-2024-28085", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:16Z", + "properties": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-81", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" - }, + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-2", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" - }, + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6665-1" - }, + "ref": "comp-49" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" - }, + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-1", + "bom-ref": "vuln-3", "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", "affects": [ { - "ref": "comp-45" + "ref": "comp-37" } ], - "id": "CVE-2023-50868", + "id": "CVE-2024-33599", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" }, + "cwes": [ + 121 + ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-37", + "value": "0:2.36-9+deb12u7" } ] }, @@ -1960,95 +2021,185 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + "url": "https://ubuntu.com/security/notices/USN-6657-1" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://ubuntu.com/security/notices/USN-6657-2" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://access.redhat.com/errata/RHSA-2024:1782" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://access.redhat.com/errata/RHSA-2024:1543" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1545" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1544" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "url": "https://access.redhat.com/errata/RHSA-2024:1789" }, { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2551" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + "url": "https://access.redhat.com/errata/RHSA-2024:1781" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" - } - ], - "bom-ref": "vuln-2", - "ratings": [ + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } + "url": "https://access.redhat.com/errata/RHSA-2024:1334" }, { - "severity": "none", - "score": 0.0366, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", - "affects": [ + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, { - "ref": "comp-45" - } + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://support.microsoft.com/help/5034770" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + } + ], + "bom-ref": "vuln-4", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, + { + "severity": "none", + "score": 0.0366, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "affects": [ + { + "ref": "comp-45" + } ], "id": "CVE-2023-50387", "source": { @@ -2061,7 +2212,7 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2069,73 +2220,428 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "value": "2024-05-18T05:37:06Z" } ] }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://ubuntu.com/security/notices/USN-6737-2" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-5", "ratings": [ { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-37" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-37", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-37" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-37", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-7", + "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "affects": [ { - "ref": "comp-49" + "ref": "comp-37" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-33601", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" }, "cwes": [ - 693 + 617 ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-37", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" + }, + { + "url": "https://datatracker.ietf.org/doc/html/rfc5155" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "affects": [ + { + "ref": "comp-45" + } + ], + "id": "CVE-2023-50868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + }, "analysis": { "state": "exploitable" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2143,7 +2649,64 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-37" + } + ], + "id": "CVE-2024-33600", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" + }, + "cwes": [ + 476 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-37", + "value": "0:2.36-9+deb12u7" } ] } diff --git a/entrypoint/tests/test_data/scans/ruby:latest.json.scan b/entrypoint/tests/test_data/scans/ruby:latest.json.scan index c99c0c3..9607df3 100644 --- a/entrypoint/tests/test_data/scans/ruby:latest.json.scan +++ b/entrypoint/tests/test_data/scans/ruby:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -21,14 +21,18 @@ }, { "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "5" + "value": "4" }, { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "15" } ], - "timestamp": "2024-03-05T15:15:18.132Z" + "timestamp": "2024-05-22T15:41:11.119Z" }, "components": [ { @@ -47,7 +51,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -75,7 +79,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -88,7 +92,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -103,7 +107,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -116,7 +120,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -144,7 +148,7 @@ "version": "2.5.13%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -172,7 +176,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -185,7 +189,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -200,7 +204,7 @@ "version": "2.4%2B20151223.gitfa8646d.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -228,7 +232,7 @@ "version": "3.0.11-1%7Edeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -250,7 +254,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -263,7 +267,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -283,7 +287,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -298,7 +302,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -326,7 +330,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -354,7 +358,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -367,7 +371,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -382,7 +386,7 @@ "version": "1.0.9-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -410,7 +414,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -423,7 +427,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -436,7 +440,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -449,7 +453,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -475,7 +479,7 @@ "version": "6.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -490,7 +494,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -503,7 +507,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -516,7 +520,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -529,7 +533,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -583,7 +587,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -596,7 +600,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -611,7 +615,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -624,7 +628,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -639,7 +643,7 @@ "version": "1.10.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -667,7 +671,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -680,7 +684,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -693,7 +697,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -721,7 +725,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -734,7 +738,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -744,13 +748,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "bom-ref": "comp-55", @@ -760,7 +758,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -775,7 +773,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -788,7 +786,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -803,7 +801,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -816,7 +814,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -855,7 +853,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -868,7 +866,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -883,7 +881,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -896,7 +894,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -911,7 +909,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -924,7 +922,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -939,7 +937,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -967,7 +965,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -995,7 +993,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1008,7 +1006,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1023,7 +1021,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1051,7 +1049,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1064,7 +1062,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1079,7 +1077,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1092,7 +1090,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1107,7 +1105,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1135,7 +1133,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1163,7 +1161,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1191,7 +1189,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1204,7 +1202,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1219,7 +1217,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1247,7 +1245,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1275,7 +1273,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1288,7 +1286,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1301,7 +1299,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1314,7 +1312,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1342,7 +1340,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1355,7 +1353,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1368,7 +1366,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1383,7 +1381,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1396,7 +1394,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1424,7 +1422,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1437,7 +1435,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1450,7 +1448,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1463,7 +1461,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1476,7 +1474,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1489,7 +1487,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1502,7 +1500,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1515,7 +1513,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1528,7 +1526,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1541,7 +1539,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1554,7 +1552,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1580,7 +1578,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1595,7 +1593,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1623,7 +1621,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1651,7 +1649,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1664,7 +1662,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1679,7 +1677,7 @@ "version": "1.52.0-1%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1689,13 +1687,7 @@ "name": "nghttp2", "purl": "pkg:deb/debian/nghttp2@1.52.0-1%2Bdeb12u1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "1.52.0-1%2Bdeb12u1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.52.0-1%2Bdeb12u1" }, { "components": [ @@ -1707,7 +1699,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1735,7 +1727,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1745,13 +1737,7 @@ "name": "curl", "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "7.88.1-10%2Bdeb12u5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "7.88.1-10%2Bdeb12u5" }, { "bom-ref": "comp-128", @@ -1776,7 +1762,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1789,7 +1775,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1802,7 +1788,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1815,7 +1801,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1843,7 +1829,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1871,7 +1857,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1899,7 +1885,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1912,7 +1898,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1927,7 +1913,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1940,7 +1926,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1953,7 +1939,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1966,7 +1952,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1994,7 +1980,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2020,7 +2006,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2035,7 +2021,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2048,7 +2034,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2061,7 +2047,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2074,7 +2060,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2087,7 +2073,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2100,7 +2086,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2113,7 +2099,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2123,13 +2109,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -2141,7 +2121,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2154,7 +2134,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2167,7 +2147,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2202,7 +2182,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2230,7 +2210,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2269,7 +2249,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2295,7 +2275,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2310,7 +2290,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2323,7 +2303,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2351,7 +2331,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2377,7 +2357,7 @@ "version": "20230311", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2403,7 +2383,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2431,7 +2411,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2444,7 +2424,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2457,7 +2437,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2470,7 +2450,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2504,7 +2484,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/typeprof-0.21.9/Gemfile.lock" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2521,7 +2501,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/rbs-3.4.0/Gemfile.lock" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2538,7 +2518,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/securerandom-0.3.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2555,7 +2535,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/benchmark-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2589,7 +2569,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/racc-1.7.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2606,7 +2586,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/resolv-replace-0.1.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2623,7 +2603,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/zlib-3.1.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2640,7 +2620,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/prism-0.19.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2657,7 +2637,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/resolv-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2672,10 +2652,6 @@ { "name": "amazon:inspector:sbom_scanner:path", "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/rexml-3.2.6.gemspec" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." } ] }, @@ -2691,7 +2667,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/ruby2_keywords-0.0.5.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2708,7 +2684,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/net-ftp-0.3.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2742,7 +2718,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/bigdecimal-3.1.5.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2759,7 +2735,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/nkf-0.1.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2776,7 +2752,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/getoptlong-0.2.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2793,7 +2769,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/open3-0.2.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2810,7 +2786,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/syslog-0.1.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2827,7 +2803,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/matrix-0.4.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2844,7 +2820,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/error_highlight-0.6.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2861,7 +2837,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/rbs-3.4.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2895,7 +2871,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/net-http-0.4.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2912,7 +2888,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/rinda-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2929,7 +2905,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/weakref-0.1.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2946,7 +2922,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/prime-0.1.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2980,7 +2956,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/debug-1.9.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2997,7 +2973,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/io-console-0.7.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3014,7 +2990,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/tempfile-0.2.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3031,7 +3007,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/fiddle-1.1.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3048,7 +3024,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/erb-4.0.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3065,7 +3041,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/reline-0.4.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3082,7 +3058,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/drb-2.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3099,7 +3075,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/yaml-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3116,7 +3092,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/pathname-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3133,7 +3109,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/ipaddr-1.2.6.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3150,7 +3126,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/pp-0.5.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3167,7 +3143,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/ostruct-0.6.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3184,7 +3160,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/digest-3.1.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3201,7 +3177,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/did_you_mean-1.6.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3235,7 +3211,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/rss-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3252,7 +3228,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/tsort-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3303,7 +3279,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/un-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3320,7 +3296,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/delegate-0.3.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3337,8 +3313,8 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/stringio-3.1.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." } ] }, @@ -3371,7 +3347,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/strscan-3.0.7.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3388,7 +3364,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/singleton-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3405,7 +3381,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/test-unit-3.6.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3439,7 +3415,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/logger-1.6.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3456,7 +3432,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/net-imap-0.4.9.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3473,7 +3449,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/power_assert-2.0.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3490,7 +3466,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/io-wait-0.3.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3507,7 +3483,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/base64-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3524,7 +3500,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/net-pop-0.1.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3541,7 +3517,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/english-0.8.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3558,7 +3534,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/open-uri-0.4.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3575,7 +3551,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/pstore-0.1.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3592,7 +3568,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/fcntl-1.1.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3609,7 +3585,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/readline-0.0.4.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3626,7 +3602,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/abbrev-0.1.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3641,10 +3617,6 @@ { "name": "amazon:inspector:sbom_scanner:path", "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/rdoc-6.6.2.gemspec" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." } ] }, @@ -3660,7 +3632,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/net-smtp-0.4.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3677,7 +3649,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/observer-0.1.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3694,7 +3666,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/prettyprint-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3728,7 +3700,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/forwardable-1.3.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3745,7 +3717,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/set-1.1.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3762,7 +3734,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/typeprof-0.21.9.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3779,7 +3751,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/minitest-5.20.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3796,7 +3768,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/timeout-0.4.1.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3813,7 +3785,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/optparse-0.4.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3843,7 +3815,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/etc-1.4.3.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3860,7 +3832,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/syntax_suggest-2.0.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3877,7 +3849,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/csv-3.2.8.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3894,7 +3866,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/shellwords-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3911,7 +3883,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/net-protocol-0.2.2.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3928,7 +3900,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/mutex_m-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3945,7 +3917,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/find-0.2.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3962,7 +3934,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/irb-1.11.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3979,7 +3951,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/specifications/default/io-nonblock-0.3.0.gemspec" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -3996,7 +3968,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/shellwords-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4013,7 +3985,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/un-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4047,7 +4019,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/syntax_suggest-2.0.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4064,7 +4036,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/pp-0.5.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4081,7 +4053,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/io-wait-0.3.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4098,7 +4070,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/singleton-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4115,7 +4087,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/rinda-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4132,7 +4104,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/securerandom-0.3.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4149,7 +4121,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/test-unit-3.6.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4166,7 +4138,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/irb-1.11.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4200,7 +4172,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/forwardable-1.3.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4217,7 +4189,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/fcntl-1.1.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4234,7 +4206,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/ipaddr-1.2.6" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4251,7 +4223,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/open3-0.2.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4268,7 +4240,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/debug-1.9.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4285,7 +4257,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/minitest-5.20.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4302,7 +4274,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/syslog-0.1.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4319,7 +4291,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/rbs-3.4.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4336,7 +4308,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/pstore-0.1.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4353,7 +4325,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/yaml-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4370,7 +4342,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/getoptlong-0.2.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4387,7 +4359,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/prime-0.1.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4404,7 +4376,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/ostruct-0.6.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4438,7 +4410,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/prism-0.19.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4455,7 +4427,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/matrix-0.4.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4472,7 +4444,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/open-uri-0.4.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4489,7 +4461,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/resolv-replace-0.1.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4523,7 +4495,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/drb-2.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4540,7 +4512,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/net-pop-0.1.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4557,7 +4529,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/set-1.1.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4574,7 +4546,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/net-ftp-0.3.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4591,7 +4563,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/io-console-0.7.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4625,7 +4597,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/net-protocol-0.2.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4642,7 +4614,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/prettyprint-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4659,7 +4631,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/benchmark-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4676,7 +4648,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/csv-3.2.8" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4693,7 +4665,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/readline-0.0.4" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4710,7 +4682,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/fiddle-1.1.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4744,7 +4716,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/digest-3.1.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4761,7 +4733,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/ruby2_keywords-0.0.5" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4778,7 +4750,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/error_highlight-0.6.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4795,7 +4767,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/power_assert-2.0.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4812,7 +4784,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/rss-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4829,7 +4801,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/english-0.8.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4846,7 +4818,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/typeprof-0.21.9" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4863,7 +4835,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/reline-0.4.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4878,10 +4850,6 @@ { "name": "amazon:inspector:sbom_scanner:path", "value": "/usr/local/lib/ruby/gems/3.3.0/gems/rdoc-6.6.2" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." } ] }, @@ -4897,7 +4865,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/tempfile-0.2.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4931,7 +4899,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/net-imap-0.4.9" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4948,7 +4916,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/tsort-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4965,7 +4933,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/net-smtp-0.4.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4982,7 +4950,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/zlib-3.1.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -4999,7 +4967,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/bigdecimal-3.1.5" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5029,7 +4997,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/etc-1.4.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5046,7 +5014,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/io-nonblock-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5063,7 +5031,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/logger-1.6.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5080,7 +5048,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/timeout-0.4.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5097,7 +5065,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/strscan-3.0.7" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5114,7 +5082,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/observer-0.1.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5129,10 +5097,6 @@ { "name": "amazon:inspector:sbom_scanner:path", "value": "/usr/local/lib/ruby/gems/3.3.0/gems/rexml-3.2.6" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." } ] }, @@ -5148,7 +5112,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/base64-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5165,7 +5129,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/did_you_mean-1.6.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5199,7 +5163,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/net-http-0.4.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5233,7 +5197,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/pathname-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5250,7 +5214,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/weakref-0.1.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5267,7 +5231,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/mutex_m-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5284,7 +5248,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/optparse-0.4.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5318,8 +5282,8 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/stringio-3.1.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." + "name": "amazon:inspector:sbom_scanner:info", + "value": "Component scanned: no vulnerabilities found." } ] }, @@ -5335,7 +5299,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/find-0.2.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5352,7 +5316,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/delegate-0.3.1" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5369,7 +5333,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/resolv-0.3.0" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5386,7 +5350,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/abbrev-0.1.2" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5403,7 +5367,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/erb-4.0.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5420,7 +5384,7 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/nkf-0.1.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -5437,460 +5401,1525 @@ "value": "/usr/local/lib/ruby/gems/3.3.0/gems/racc-1.7.3" }, { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] } ], - "serialNumber": "urn:uuid:eaf3667c-c6f1-4134-9244-7376fe471bf6", + "serialNumber": "urn:uuid:0572c6c9-8e98-453a-aa60-160fdd96b859", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee" - }, - { - "url": "https://www.openssl.org/news/secadv/20231024.txt" - }, - { - "url": "https://www.debian.org/security/2023/dsa-5532" - }, - { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-406.html" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6450-1" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0310" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5363" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0500" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], "bom-ref": "vuln-1", - "references": [ - { - "id": "SNYK-RUBY-OPENSSL-6036190", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUBY-OPENSSL-6036190" - } - } - ], "ratings": [ { "severity": "none", - "score": 0.00115, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" } - }, + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" - } - } - ], - "created": "2023-10-25T18:17:43Z", - "description": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.", - "affects": [ - { - "ref": "comp-331" - }, - { - "ref": "comp-261" + "ref": "comp-52" } ], - "id": "CVE-2023-5363", + "id": "CVE-2024-33601", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" }, + "cwes": [ + 617 + ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-02-01T17:15:08Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T14:06:54Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-52", + "value": "0:2.36-9+deb12u7" } ] }, { "advisories": [ { - "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" - }, - { - "url": "https://www.openssl.org/news/secadv/20240125.txt" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" }, { - "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + "url": "https://ubuntu.com/security/notices/USN-6719-2" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + "url": "https://ubuntu.com/security/notices/USN-6719-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" } ], "bom-ref": "vuln-2", - "references": [ - { - "id": "SNYK-RUBY-OPENSSL-6210216", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUBY-OPENSSL-6210216" - } - } - ], "ratings": [ { "severity": "none", - "score": 0.00228, + "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" } } ], - "created": "2024-01-26T09:15:07Z", - "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "affects": [ { - "ref": "comp-331" - }, - { - "ref": "comp-15" - }, - { - "ref": "comp-261" + "ref": "comp-148" } ], - "id": "CVE-2024-0727", + "id": "CVE-2024-28085", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" }, "analysis": { - "state": "in_triage" + "state": "exploitable" }, - "updated": "2024-02-08T10:15:13Z" - }, - { - "advisories": [ + "updated": "2024-05-01T18:15:16Z", + "properties": [ { - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258502" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://www.openssl.org/news/secadv/20240115.txt" - } - ], - "bom-ref": "vuln-3", - "created": "2024-01-16T10:17:00Z", - "description": "## Overview\n[openssl](https://rubygems.org/gems/openssl) is a package that wraps the OpenSSL library.\n\nAffected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `EVP_PKEY_public_check` function. When the function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An attacker can cause a denial of service by supplying a specially crafted RSA key that triggers extensive computation.\n## Remediation\nThere is no fixed version for `openssl`.\n## References\n- [GitHub Commit](https://github.com/openssl/openssl/commit/0b0f7abfb37350794a4b8960fafc292cd5d1b84d)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a)\n- [GitHub Commit](https://github.com/openssl/openssl/commit/a830f551557d3d66a84bbb18a5b889c640c36294)\n- [GitHub Commit](https://github.com/pyca/cryptography/commit/4b5be7b0032ade70e09a43f9d857708e36170bbc)\n- [OpenSSL Advisory](https://www.openssl.org/news/secadv/20240115.txt)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=2258502)", - "affects": [ - { - "ref": "comp-331" + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" }, { - "ref": "comp-261" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-148", + "value": "0:2.38.1-5+deb12u1" } - ], - "id": "SNYK-RUBY-OPENSSL-6157246", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUBY-OPENSSL-6157246" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2024-01-31T11:32:00Z" + ] }, { "advisories": [ { - "url": "https://www.openssl.org/news/secadv/20240109.txt" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" - } - ], - "bom-ref": "vuln-4", - "references": [ + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, { - "id": "SNYK-RUBY-OPENSSL-6149517", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUBY-OPENSSL-6149517" - } + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], + "bom-ref": "vuln-3", "ratings": [ { "severity": "none", - "score": 0.00061, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" } } ], - "created": "2024-01-09T17:15:12Z", - "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", "affects": [ { - "ref": "comp-331" - }, - { - "ref": "comp-15" - }, - { - "ref": "comp-261" + "ref": "comp-52" } ], - "id": "CVE-2023-6129", + "id": "CVE-2024-33599", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" }, "cwes": [ - 787 + 121 ], "analysis": { "state": "in_triage" }, - "updated": "2024-02-16T13:15:09Z" + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-52", + "value": "0:2.36-9+deb12u7" + } + ] }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://access.redhat.com/errata/RHSA-2024:2910" } ], - "bom-ref": "vuln-5", + "bom-ref": "vuln-4", "ratings": [ - { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" - } - }, { "severity": "none", - "score": 0.00046, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", "affects": [ { - "ref": "comp-156" + "ref": "comp-122" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-28182", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" }, "cwes": [ - 693 + 770 ], "analysis": { "state": "exploitable" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-05-01T18:15:17Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" + }, + { + "url": "https://datatracker.ietf.org/doc/html/rfc5155" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + } + ], + "bom-ref": "vuln-5", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "affects": [ + { + "ref": "comp-17" + } + ], + "id": "CVE-2023-50868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T06:17:55Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-6", + "references": [ + { + "id": "GHSA-vg3r-rm7w-2xgh", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-vg3r-rm7w-2xgh" + } + } + ], + "created": "2024-05-16T16:15:09Z", + "description": " REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this vulnerability. As a workaround, don't parse untrusted XMLs.", + "affects": [ + { + "ref": "comp-193" + }, + { + "ref": "comp-338" + } + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35176" + }, + "cwes": [ + 400, + 770 + ], + "analysis": { + "state": "in_triage" + }, + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35176" + } + } + ], + "id": "CVE-2024-35176", + "updated": "2024-05-17T18:36:31Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-193", + "value": "3.2.7.0" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-338", + "value": "3.2.7.0" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee" + }, + { + "url": "https://www.openssl.org/news/secadv/20231024.txt" + }, + { + "url": "https://www.debian.org/security/2023/dsa-5532" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-406.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6450-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5363" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0310" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0500" + } + ], + "bom-ref": "vuln-7", + "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" + } + }, + { + "severity": "none", + "score": 0.00115, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5363" + } + } + ], + "created": "2023-10-25T18:17:43Z", + "description": "Issue summary: A bug has been identified in the processing of key and\ninitialisation vector (IV) lengths. This can lead to potential truncation\nor overruns during the initialisation of some symmetric ciphers.\n\nImpact summary: A truncation in the IV can result in non-uniqueness,\nwhich could result in loss of confidentiality for some cipher modes.\n\nWhen calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or\nEVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after\nthe key and IV have been established. Any alterations to the key length,\nvia the \"keylen\" parameter or the IV length, via the \"ivlen\" parameter,\nwithin the OSSL_PARAM array will not take effect as intended, potentially\ncausing truncation or overreading of these values. The following ciphers\nand cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.\n\nFor the CCM, GCM and OCB cipher modes, truncation of the IV can result in\nloss of confidentiality. For example, when following NIST's SP 800-38D\nsection 8.2.1 guidance for constructing a deterministic IV for AES in\nGCM mode, truncation of the counter portion could lead to IV reuse.\n\nBoth truncations and overruns of the key and overruns of the IV will\nproduce incorrect results and could, in some cases, trigger a memory\nexception. However, these issues are not currently assessed as security\ncritical.\n\nChanging the key and/or IV lengths is not considered to be a common operation\nand the vulnerable API was recently introduced. Furthermore it is likely that\napplication developers will have spotted this problem during testing since\ndecryption would fail unless both peers in the communication were similarly\nvulnerable. For these reasons we expect the probability of an application being\nvulnerable to this to be quite low. However if an application is vulnerable then\nthis issue is considered very serious. For these reasons we have assessed this\nissue as Moderate severity overall.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because\nthe issue lies outside of the FIPS provider boundary.\n\nOpenSSL 3.1 and 3.0 are vulnerable to this issue.", + "affects": [ + { + "ref": "comp-331" + }, + { + "ref": "comp-261" + } + ], + "id": "CVE-2023-5363", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5363" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-01T17:15:08Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T13:06:32Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" + }, + { + "url": "https://hackerone.com/reports/2384833" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-3" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6718-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" + } + ], + "bom-ref": "vuln-8", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", + "affects": [ + { + "ref": "comp-126" + } + ], + "id": "CVE-2024-2004", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T17:15:32Z" + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240109.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" + } + ], + "bom-ref": "vuln-9", + "ratings": [ + { + "severity": "none", + "score": 0.00194, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6129" + } + }, + { + "severity": "medium", + "score": 6.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + } + } + ], + "created": "2024-01-09T17:15:12Z", + "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications running\non PowerPC CPU based platforms if the CPU provides vector instructions.\n\nImpact summary: If an attacker can influence whether the POLY1305 MAC\nalgorithm is used, the application state might be corrupted with various\napplication dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL for\nPowerPC CPUs restores the contents of vector registers in a different order\nthan they are saved. Thus the contents of some of these vector registers\nare corrupted when returning to the caller. The vulnerable code is used only\non newer PowerPC processors supporting the PowerISA 2.07 instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However unless the compiler uses the vector registers for storing\npointers, the most likely consequence, if any, would be an incorrect result\nof some application dependent calculations or a crash leading to a denial of\nservice.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3. If this cipher is enabled on the server a malicious\nclient can influence whether this AEAD cipher is used. This implies that\nTLS server applications using OpenSSL can be potentially impacted. However\nwe are currently not aware of any concrete application that would be affected\nby this issue therefore we consider this a Low severity security issue.", + "affects": [ + { + "ref": "comp-331" + }, + { + "ref": "comp-15" + }, + { + "ref": "comp-261" + } + ], + "id": "CVE-2023-6129", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db119dfc951e207271a326640" + }, + { + "url": "https://www.openssl.org/news/secadv/20240408.txt" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2539.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068658" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2511" + } + ], + "bom-ref": "vuln-10", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2511" + } + } + ], + "created": "2024-04-08T14:15:07Z", + "description": "Issue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\n\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\n\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\n\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.", + "affects": [ + { + "ref": "comp-331" + }, + { + "ref": "comp-261" + } + ], + "id": "CVE-2024-2511", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-03T13:15:21Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-21T01:00:19Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240516.txt" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-4603" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + } + ], + "bom-ref": "vuln-11", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4603" + } + } + ], + "created": "2024-05-16T16:15:10Z", + "description": "Issue summary: Checking excessively long DSA keys or parameters may be very\nslow.\n\nImpact summary: Applications that use the functions EVP_PKEY_param_check()\nor EVP_PKEY_public_check() to check a DSA public key or DSA parameters may\nexperience long delays. Where the key or parameters that are being checked\nhave been obtained from an untrusted source this may lead to a Denial of\nService.\n\nThe functions EVP_PKEY_param_check() or EVP_PKEY_public_check() perform\nvarious checks on DSA parameters. Some of those computations take a long time\nif the modulus (`p` parameter) is too large.\n\nTrying to use a very large modulus is slow and OpenSSL will not allow using\npublic keys with a modulus which is over 10,000 bits in length for signature\nverification. However the key and parameter check functions do not limit\nthe modulus size when performing the checks.\n\nAn application that calls EVP_PKEY_param_check() or EVP_PKEY_public_check()\nand supplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nThese functions are not called by OpenSSL itself on untrusted DSA keys so\nonly applications that directly call these functions may be vulnerable.\n\nAlso vulnerable are the OpenSSL pkey and pkeyparam command line applications\nwhen using the `-check` option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-331" + }, + { + "ref": "comp-261" + } + ], + "id": "CVE-2024-4603", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4603" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-17T18:36:31Z" + }, + { + "advisories": [ + { + "url": "https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/" + }, + { + "url": "https://hackerone.com/reports/1187477" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-27281" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067802" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-27281" + } + ], + "bom-ref": "vuln-12", + "references": [ + { + "id": "GHSA-592j-995h-p23j", + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories/GHSA-592j-995h-p23j" + } + } + ], + "created": "2024-05-14T15:11:57Z", + "description": "An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.", + "affects": [ + { + "ref": "comp-323" + }, + { + "ref": "comp-250" + } + ], + "id": "CVE-2024-27281", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27281" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-14T16:13:02Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-323", + "value": "6.6.3.1" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-250", + "value": "6.6.3.1" + } + ] + }, + { + "advisories": [ + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539" + }, + { + "url": "https://www.openssl.org/news/secadv/20240125.txt" + }, + { + "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-005.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2478.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2479.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + } + ], + "bom-ref": "vuln-13", + "ratings": [ + { + "severity": "none", + "score": 0.00228, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0727" + } + }, + { + "severity": "medium", + "score": 5.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + } + } + ], + "created": "2024-01-26T09:15:07Z", + "description": "Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\n\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\n\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\n\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\n\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\n\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.", + "affects": [ + { + "ref": "comp-331" + }, + { + "ref": "comp-15" + }, + { + "ref": "comp-261" + } + ], + "id": "CVE-2024-0727", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:13Z" + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1318" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1319" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1325" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" + } + ], + "bom-ref": "vuln-14", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + } + }, + { + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5678" + } + } + ], + "created": "2023-11-06T16:15:42Z", + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "affects": [ + { + "ref": "comp-15" + } + ], + "id": "CVE-2023-5678", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-15", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-52" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-04T01:15:06Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-52", + "value": "0:2.36-9+deb12u6" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-16", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-52" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-52", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" }, { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" - } - ] - }, - { - "advisories": [ + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + "url": "https://access.redhat.com/errata/RHSA-2024:1545" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + "url": "https://access.redhat.com/errata/RHSA-2024:1544" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + "url": "https://access.redhat.com/errata/RHSA-2024:1789" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" + "url": "https://access.redhat.com/errata/RHSA-2024:2551" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://access.redhat.com/errata/RHSA-2024:1781" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" }, { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" }, { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" }, { - "url": "https://kb.isc.org/docs/cve-2023-50387" + "url": "https://access.redhat.com/errata/RHSA-2024:0965" }, { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://access.redhat.com/errata/RHSA-2024:1334" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://ubuntu.com/security/notices/USN-6723-1" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://access.redhat.com/errata/RHSA-2024:2587" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://access.redhat.com/errata/RHSA-2024:2821" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://access.redhat.com/errata/RHSA-2024:1335" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://access.redhat.com/errata/RHSA-2024:1648" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + "url": "https://access.redhat.com/errata/RHSA-2024:1801" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://access.redhat.com/errata/RHSA-2024:1647" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://ubuntu.com/security/notices/USN-6642-1" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://ubuntu.com/security/notices/USN-6665-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://access.redhat.com/errata/RHSA-2024:1804" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://access.redhat.com/errata/RHSA-2024:1803" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://access.redhat.com/errata/RHSA-2024:2696" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://access.redhat.com/errata/RHSA-2024:1522" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://access.redhat.com/errata/RHSA-2024:1800" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2890" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" }, { "url": "https://ubuntu.com/security/notices/USN-6633-1" @@ -5899,22 +6928,22 @@ "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://access.redhat.com/errata/RHSA-2024:2720" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://support.microsoft.com/help/5034770" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://access.redhat.com/errata/RHSA-2024:2721" } ], - "bom-ref": "vuln-6", + "bom-ref": "vuln-17", "ratings": [ { "severity": "high", @@ -5930,10 +6959,10 @@ "severity": "none", "score": 0.0366, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" } } ], @@ -5955,7 +6984,7 @@ "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -5963,233 +6992,263 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "value": "2024-05-18T05:37:06Z" } ] }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" - }, - { - "url": "https://kb.isc.org/docs/cve-2023-50868" - }, - { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" - }, - { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" - }, - { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" }, { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" - }, + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-18", + "ratings": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" - }, + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ { - "url": "https://ubuntu.com/security/notices/USN-6665-1" - }, + "ref": "comp-156" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ { - "url": "https://ubuntu.com/security/notices/USN-6633-1" + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" - }, + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-7", + "bom-ref": "vuln-19", "ratings": [ { "severity": "none", - "score": 0.00046, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "affects": [ { - "ref": "comp-17" + "ref": "comp-52" } ], - "id": "CVE-2023-50868", + "id": "CVE-2024-33600", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" }, + "cwes": [ + 476 + ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-52", + "value": "0:2.36-9+deb12u7" } ] }, { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" }, { - "url": "https://www.openssl.org/news/secadv/20231106.txt" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + "url": "https://hackerone.com/reports/2402845" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + "url": "https://ubuntu.com/security/notices/USN-6718-3" }, { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" }, { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2694" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" + "url": "https://access.redhat.com/errata/RHSA-2024:2693" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + "url": "https://ubuntu.com/security/notices/USN-6718-1" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://ubuntu.com/security/notices/USN-6718-2" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-20", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ + { + "ref": "comp-126" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240115.txt" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2447" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" } ], - "bom-ref": "vuln-8", + "bom-ref": "vuln-21", "ratings": [ { "severity": "none", - "score": 0.00079, + "score": 0.00045, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6237" } } ], - "created": "2023-11-06T16:15:42Z", - "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "created": "2024-04-25T07:15:45Z", + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", "affects": [ + { + "ref": "comp-331" + }, { "ref": "comp-15" + }, + { + "ref": "comp-261" } ], - "id": "CVE-2023-5678", + "id": "CVE-2023-6237", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-30T22:15:09Z" + "updated": "2024-05-01T18:15:12Z" } ] } diff --git a/entrypoint/tests/test_data/scans/rust:latest.json.scan b/entrypoint/tests/test_data/scans/rust:latest.json.scan index c5c3251..6815864 100644 --- a/entrypoint/tests/test_data/scans/rust:latest.json.scan +++ b/entrypoint/tests/test_data/scans/rust:latest.json.scan @@ -6,7 +6,7 @@ "services": [ { "name": "Amazon Inspector Scan SBOM API", - "version": "890de878+01ca3cc5" + "version": "77f08c14+799c166d+fb1e16f3" } ] }, @@ -26,9 +26,13 @@ { "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", "value": "0" + }, + { + "name": "amazon:inspector:sbom_scanner:other_vulnerabilities", + "value": "11" } ], - "timestamp": "2024-03-05T15:15:19.727Z" + "timestamp": "2024-05-22T15:41:12.586Z" }, "components": [ { @@ -47,7 +51,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -60,7 +64,7 @@ "version": "0.8.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -73,7 +77,7 @@ "version": "3.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -88,7 +92,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -101,7 +105,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -114,7 +118,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -127,7 +131,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -140,7 +144,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -153,7 +157,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -166,7 +170,7 @@ "version": "2.38.1-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -176,13 +180,7 @@ "name": "util-linux", "purl": "pkg:deb/debian/util-linux@2.38.1-5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.38.1-5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.38.1-5" }, { "components": [ @@ -194,7 +192,7 @@ "version": "2.3.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -222,7 +220,7 @@ "version": "5.4.1-0.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -250,7 +248,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -263,7 +261,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -278,7 +276,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -291,7 +289,7 @@ "version": "252.22-1%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -313,7 +311,7 @@ "version": "7.88.1-10%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -323,13 +321,7 @@ "name": "curl", "purl": "pkg:deb/debian/curl@7.88.1-10%2Bdeb12u5?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "7.88.1-10%2Bdeb12u5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "7.88.1-10%2Bdeb12u5" }, { "bom-ref": "comp-24", @@ -352,7 +344,7 @@ "version": "3.23%2Bnmu1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -365,7 +357,7 @@ "version": "1.65.2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -380,7 +372,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -393,7 +385,7 @@ "version": "2.5.5-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -408,7 +400,7 @@ "version": "1.0.9-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -436,7 +428,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -449,7 +441,7 @@ "version": "3.0.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -475,7 +467,7 @@ "version": "1.3.4.20200120-3.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -488,7 +480,7 @@ "version": "6.4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -501,7 +493,7 @@ "version": "3.134", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -516,7 +508,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -529,7 +521,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -542,7 +534,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -555,7 +547,7 @@ "version": "1.47.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -596,7 +588,7 @@ "version": "6.2.1%2Bdfsg1-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -637,7 +629,7 @@ "version": "2.3.1-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -665,7 +657,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -678,7 +670,7 @@ "version": "3.06-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -706,7 +698,7 @@ "version": "5.3.28%2Bdfsg2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -734,7 +726,7 @@ "version": "1.10.0-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -760,7 +752,7 @@ "version": "5.7-0.5%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -775,7 +767,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -788,7 +780,7 @@ "version": "0.270", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -803,7 +795,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -816,7 +808,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -829,7 +821,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -842,7 +834,7 @@ "version": "6.4-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -870,7 +862,7 @@ "version": "3.0.11-1%7Edeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -892,7 +884,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -905,7 +897,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -918,7 +910,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -931,7 +923,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -944,7 +936,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -957,7 +949,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -970,7 +962,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -983,7 +975,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -996,7 +988,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1009,7 +1001,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1022,7 +1014,7 @@ "version": "2.2.40-1.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1050,7 +1042,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1078,7 +1070,7 @@ "version": "1.5.4%2Bdfsg2-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1106,7 +1098,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1119,7 +1111,7 @@ "version": "1.2.1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1134,7 +1126,7 @@ "version": "5.36.0-7%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1160,7 +1152,7 @@ "version": "0.5.12-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1175,7 +1167,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1188,7 +1180,7 @@ "version": "2.36-9%2Bdeb12u4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1198,13 +1190,7 @@ "name": "glibc", "purl": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u4?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "2.36-9%2Bdeb12u4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "2.36-9%2Bdeb12u4" }, { "components": [ @@ -1216,7 +1202,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1229,7 +1215,7 @@ "version": "0.8.3-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1244,7 +1230,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1257,7 +1243,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1270,7 +1256,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1283,7 +1269,7 @@ "version": "1.20.1-2%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1311,7 +1297,7 @@ "version": "10.42-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1339,7 +1325,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1352,7 +1338,7 @@ "version": "1.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1367,7 +1353,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1380,7 +1366,7 @@ "version": "1.6-3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1395,7 +1381,7 @@ "version": "0.24.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1421,7 +1407,7 @@ "version": "12.4%2Bdeb12u5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1436,7 +1422,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1449,7 +1435,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1462,7 +1448,7 @@ "version": "12.2.0-14", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1484,7 +1470,7 @@ "version": "4.4.33-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1512,7 +1498,7 @@ "version": "3.7.9-2%2Bdeb12u2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1540,7 +1526,7 @@ "version": "2.5.13%2Bdfsg-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1568,7 +1554,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1581,7 +1567,7 @@ "version": "1.0.4-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1596,7 +1582,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1609,7 +1595,7 @@ "version": "4.13%2Bdfsg1-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1637,7 +1623,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1650,7 +1636,7 @@ "version": "0.27.0-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1676,7 +1662,7 @@ "version": "1.5.82", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1691,7 +1677,7 @@ "version": "1.0.8-5", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1732,7 +1718,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1745,7 +1731,7 @@ "version": "0.21.2-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1758,7 +1744,7 @@ "version": "3.8-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1786,7 +1772,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1799,7 +1785,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1812,7 +1798,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1825,7 +1811,7 @@ "version": "1.5.2-6%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1853,7 +1839,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1866,7 +1852,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1879,7 +1865,7 @@ "version": "3.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1894,7 +1880,7 @@ "version": "3.40.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1935,7 +1921,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1948,7 +1934,7 @@ "version": "1.6.3-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1974,7 +1960,7 @@ "version": "2024a-0%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -1989,7 +1975,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2002,7 +1988,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2015,7 +2001,7 @@ "version": "8.2-1.3", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2030,7 +2016,7 @@ "version": "2.4%2B20151223.gitfa8646d.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2058,7 +2044,7 @@ "version": "2.6.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2084,7 +2070,7 @@ "version": "2023.3%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2125,7 +2111,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2138,7 +2124,7 @@ "version": "2.5.1-4", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2153,7 +2139,7 @@ "version": "3.4.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2181,7 +2167,7 @@ "version": "2.5.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2209,7 +2195,7 @@ "version": "3.4-2.1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2237,7 +2223,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2250,7 +2236,7 @@ "version": "37%7Edeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2265,7 +2251,7 @@ "version": "1.2.13.dfsg-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2291,7 +2277,7 @@ "version": "20230311", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2306,7 +2292,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2319,7 +2305,7 @@ "version": "1.46-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2334,7 +2320,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2347,7 +2333,7 @@ "version": "3.8.1-2", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2375,7 +2361,7 @@ "version": "1.9.4-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2403,7 +2389,7 @@ "version": "1.52.0-1%2Bdeb12u1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2413,13 +2399,7 @@ "name": "nghttp2", "purl": "pkg:deb/debian/nghttp2@1.52.0-1%2Bdeb12u1?arch=amd64&distro=bookworm&epoch=0", "type": "application", - "version": "1.52.0-1%2Bdeb12u1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] + "version": "1.52.0-1%2Bdeb12u1" }, { "components": [ @@ -2431,7 +2411,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2444,7 +2424,7 @@ "version": "2.1.28%2Bdfsg-10", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2470,7 +2450,7 @@ "version": "4.9-1", "properties": [ { - "name": "amazon:inspector:sbom_scanner:warning", + "name": "amazon:inspector:sbom_scanner:info", "value": "Component skipped: no rules found." } ] @@ -2493,270 +2473,255 @@ ] } ], - "serialNumber": "urn:uuid:7573c586-98cc-4610-a253-92389e343b15", + "serialNumber": "urn:uuid:22d0c703-19c4-4186-8309-a395e4b9b1fb", "bomFormat": "CycloneDX", "vulnerabilities": [ { "advisories": [ { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" - }, - { - "url": "https://www.openssl.org/news/secadv/20231106.txt" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:7877" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5678" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" }, { - "url": "https://ubuntu.com/security/notices/USN-6632-1" + "url": "https://hackerone.com/reports/2384833" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + "url": "https://ubuntu.com/security/notices/USN-6718-3" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0208" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" }, { - "url": "https://ubuntu.com/security/notices/USN-6622-1" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" }, { - "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + "url": "https://access.redhat.com/errata/RHSA-2024:2694" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + "url": "https://access.redhat.com/errata/RHSA-2024:2693" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0154" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + "url": "https://ubuntu.com/security/notices/USN-6718-1" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2004" } ], "bom-ref": "vuln-1", "ratings": [ { "severity": "none", - "score": 0.00079, + "score": 0.00044, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2004" } } ], - "created": "2023-11-06T16:15:42Z", - "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "created": "2024-03-27T08:15:41Z", + "description": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.", "affects": [ { - "ref": "comp-63" + "ref": "comp-22" } ], - "id": "CVE-2023-5678", + "id": "CVE-2024-2004", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2004" }, - "cwes": [ - 754 - ], "analysis": { "state": "in_triage" }, - "updated": "2023-11-30T22:15:09Z" + "updated": "2024-05-01T17:15:32Z" }, { "advisories": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" - }, - { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" - }, - { - "url": "https://access.redhat.com/security/cve/CVE-2023-50387" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" - }, - { - "url": "https://www.isc.org/blogs/2024-bind-security-release/" - }, - { - "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" - }, - { - "url": "https://kb.isc.org/docs/cve-2023-50387" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33599" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" - }, + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-2", + "ratings": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" - }, + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33599" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Stack-based buffer overflow in netgroup cache\n\nIf the Name Service Cache Daemon's (nscd) fixed size cache is exhausted\nby client requests then a subsequent client request for netgroup data\nmay result in a stack-based buffer overflow. This flaw was introduced\nin glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n", + "affects": [ { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" - }, + "ref": "comp-86" + } + ], + "id": "CVE-2024-33599", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33599" + }, + "cwes": [ + 121 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" - }, + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-86", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2D44YLAUFJU6BZ4XFG2FYV7SBKXB5IZ6/" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GMD6UYKCCRCYETWQZUJ65ZRFULT6SHLI/" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + "url": "https://hackerone.com/reports/2402845" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://ubuntu.com/security/notices/USN-6718-3" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2526.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-596.html" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0977" + "url": "https://access.redhat.com/errata/RHSA-2024:2694" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" + "url": "https://access.redhat.com/errata/RHSA-2024:2693" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://ubuntu.com/security/notices/USN-6642-1" + "url": "https://ubuntu.com/security/notices/USN-6718-1" }, { - "url": "https://ubuntu.com/security/notices/USN-6665-1" + "url": "https://ubuntu.com/security/notices/USN-6718-2" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" - }, + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2398" + } + ], + "bom-ref": "vuln-3", + "ratings": [ { - "url": "https://ubuntu.com/security/notices/USN-6633-1" - }, + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2398" + } + } + ], + "created": "2024-03-27T08:15:41Z", + "description": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.", + "affects": [ { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" - }, + "ref": "comp-22" + } + ], + "id": "CVE-2024-2398", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2398" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-03T13:15:21Z" + }, + { + "advisories": [ { - "url": "https://access.redhat.com/errata/RHSA-2024:0981" + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006" }, { - "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33600" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" }, { - "url": "https://support.microsoft.com/help/5034770" + "url": "https://access.redhat.com/errata/RHSA-2024:2799" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50387" + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" } ], - "bom-ref": "vuln-2", + "bom-ref": "vuln-4", "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" - } - }, { "severity": "none", - "score": 0.0366, + "score": 0.00043, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33600" } } ], - "created": "2024-02-14T16:15:45Z", - "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", + "created": "2024-05-06T20:15:11Z", + "description": "nscd: Null pointer crashes after notfound response\n\nIf the Name Service Cache Daemon's (nscd) cache fails to add a not-found\nnetgroup response to the cache, the client request can result in a null\npointer dereference. This flaw was introduced in glibc 2.15 when the\ncache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", "affects": [ { - "ref": "comp-19" + "ref": "comp-86" } ], - "id": "CVE-2023-50387", + "id": "CVE-2024-33600", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33600" }, "cwes": [ - 770 + 476 ], "analysis": { - "state": "exploitable" + "state": "in_triage" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-07T13:39:32Z", "properties": [ { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T23:09:00Z" + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-86", + "value": "0:2.36-9+deb12u7" } ] }, @@ -2772,13 +2737,13 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" }, { - "url": "https://kb.isc.org/docs/cve-2023-50868" + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219823" }, { - "url": "https://datatracker.ietf.org/doc/html/rfc5155" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + "url": "https://access.redhat.com/security/cve/CVE-2023-50387" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" @@ -2789,6 +2754,9 @@ { "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" }, + { + "url": "https://kb.isc.org/docs/cve-2023-50387" + }, { "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" }, @@ -2799,13 +2767,10 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" }, { - "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" }, { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" - }, - { - "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" @@ -2814,68 +2779,289 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0965" + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034767" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0977" }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034768" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034769" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034809" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034830" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034831" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50387" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, { "url": "https://ubuntu.com/security/notices/USN-6642-1" }, { "url": "https://ubuntu.com/security/notices/USN-6665-1" }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034770" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, { "url": "https://ubuntu.com/security/notices/USN-6633-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50868" + "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5034819" }, { - "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + "url": "https://access.redhat.com/errata/RHSA-2024:2720" }, { "url": "https://access.redhat.com/errata/RHSA-2024:0981" }, { - "url": "https://access.redhat.com/errata/RHSA-2024:0982" + "url": "https://support.microsoft.com/help/5034770" }, { - "url": "https://ubuntu.com/security/notices/USN-6657-1" + "url": "https://access.redhat.com/errata/RHSA-2024:0982" }, { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + "url": "https://access.redhat.com/errata/RHSA-2024:2721" } ], - "bom-ref": "vuln-3", + "bom-ref": "vuln-5", "ratings": [ + { + "severity": "high", + "score": 7.5, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + } + }, { "severity": "none", - "score": 0.00046, + "score": 0.0366, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50387" } } ], "created": "2024-02-14T16:15:45Z", - "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "description": "Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the \"KeyTrap\" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.", "affects": [ { "ref": "comp-19" } ], - "id": "CVE-2023-50868", + "id": "CVE-2023-50387", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50387" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" }, + "updated": "2024-03-07T17:15:11Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T05:37:06Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/" + }, + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6762-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2521.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-589.html" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069191" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2722" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-2961" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1930.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6737-2" + } + ], + "bom-ref": "vuln-6", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2961" + } + } + ], + "created": "2024-04-17T18:15:15Z", + "description": "The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.\n", + "affects": [ + { + "ref": "comp-86" + } + ], + "id": "CVE-2024-2961", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2961" + }, + "cwes": [ + 787 + ], "analysis": { "state": "exploitable" }, - "updated": "2024-03-04T03:15:06Z", + "updated": "2024-05-04T01:15:06Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -2883,7 +3069,11 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T07:21:06Z" + "value": "2024-05-20T21:13:25Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-86", + "value": "0:2.36-9+deb12u6" } ] }, @@ -2896,22 +3086,25 @@ "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6129" + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6129" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060347" } ], - "bom-ref": "vuln-4", + "bom-ref": "vuln-7", "ratings": [ { "severity": "none", - "score": 0.00061, + "score": 0.00194, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6129" } }, { @@ -2943,7 +3136,7 @@ "analysis": { "state": "in_triage" }, - "updated": "2024-02-16T13:15:09Z" + "updated": "2024-05-03T13:15:21Z" }, { "advisories": [ @@ -2956,32 +3149,53 @@ { "url": "https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8" }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-0727" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2024-005.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2478.html" + }, { "url": "https://ubuntu.com/security/notices/USN-6632-1" }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2483.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2479.html" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, { "url": "https://ubuntu.com/security/notices/USN-6622-1" }, { "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061582" }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, { "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0727" + "url": "https://access.redhat.com/errata/RHSA-2024:2447" } ], - "bom-ref": "vuln-5", + "bom-ref": "vuln-8", "ratings": [ { "severity": "none", "score": 0.00228, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0727" } }, { @@ -3010,71 +3224,754 @@ "analysis": { "state": "in_triage" }, - "updated": "2024-02-08T10:15:13Z" + "updated": "2024-05-01T18:15:13Z" }, { "advisories": [ { - "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/" }, { - "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt" }, { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067849" }, { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + "url": "https://ubuntu.com/security/notices/USN-6719-2" }, { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4039" + "url": "https://ubuntu.com/security/notices/USN-6719-1" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28085" } ], - "bom-ref": "vuln-6", + "bom-ref": "vuln-9", "ratings": [ - { - "severity": "medium", - "score": 4.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" - } - }, { "severity": "none", "score": 0.00046, "method": "other", - "vector": "model:v2023.03.01,date:2024-03-04T00:00:00+0000", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", "source": { "name": "EPSS", - "url": "https://www.first.org/epss/" + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28085" } } ], - "created": "2023-09-13T09:15:15Z", - "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "created": "2024-03-27T19:15:48Z", + "description": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.", "affects": [ { - "ref": "comp-105" + "ref": "comp-5" } ], - "id": "CVE-2023-4039", + "id": "CVE-2024-28085", "source": { "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085" }, - "cwes": [ - 693 - ], "analysis": { "state": "exploitable" }, - "updated": "2024-02-19T23:15:07Z", + "updated": "2024-05-01T18:15:16Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-19T20:53:50Z" + }, + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-5", + "value": "0:2.38.1-5+deb12u1" + } + ] + }, + { + "advisories": [ + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055" + }, + { + "url": "https://www.openssl.org/news/secadv/20231106.txt" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c" + }, + { + "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2023:7877" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-004.html" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-5678" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6632-1" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2351.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1318" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1317" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6709-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0208" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2023-1891.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1319" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055473" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0154" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1325" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-443.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2350.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1316" + } + ], + "bom-ref": "vuln-10", + "ratings": [ + { + "severity": "medium", + "score": 5.3, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + } + }, + { + "severity": "none", + "score": 0.00111, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-5678" + } + } + ], + "created": "2023-11-06T16:15:42Z", + "description": "Issue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays. Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\n\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\n\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\n\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\n\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions. An application calling any of those other\nfunctions may similarly be affected. The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\n\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\n\n", + "affects": [ + { + "ref": "comp-63" + } + ], + "id": "CVE-2023-5678", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678" + }, + "cwes": [ + 754 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6754-2" + }, + { + "url": "https://www.kb.cert.org/vuls/id/421644" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-593.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2780" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-592.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2694" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2693" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068415" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-28182" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2937" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2523.html" + }, + { + "url": "https://alas.aws.amazon.com/ALAS-2024-1935.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2853" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-594.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2779" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2778" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2910" + } + ], + "bom-ref": "vuln-11", + "ratings": [ + { + "severity": "none", + "score": 0.00044, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28182" + } + } + ], + "created": "2024-04-04T15:15:38Z", + "description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.", + "affects": [ + { + "ref": "comp-176" + } + ], + "id": "CVE-2024-28182", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28182" + }, + "cwes": [ + 770 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-05-01T18:15:17Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-20T15:47:49Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33602" + }, + { + "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=31680" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-12", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33602" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings\n\nThe Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory\nwhen the NSS callback does not store all strings in the provided buffer.\nThe flaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-86" + } + ], + "id": "CVE-2024-33602", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33602" + }, + "cwes": [ + 466 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-86", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://developer.arm.com/Arm Security Center/GCC Stack Protector Vulnerability AArch64" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2245.html" + }, + { + "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4039" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-342.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-2244.html" + } + ], + "bom-ref": "vuln-13", + "ratings": [ + { + "severity": "medium", + "score": 4.8, + "method": "CVSSv31", + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + } + }, + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-4039" + } + } + ], + "created": "2023-09-13T09:15:15Z", + "description": "\n\n**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.\n\n\n\n\n\n", + "affects": [ + { + "ref": "comp-105" + } + ], + "id": "CVE-2023-4039", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4039" + }, + "cwes": [ + 693 + ], + "analysis": { + "state": "exploitable" + }, + "updated": "2024-02-19T23:15:07Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:exploit_available", + "value": "true" + }, + { + "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", + "value": "2024-05-18T04:18:41Z" + } + ] + }, + { + "advisories": [ + { + "url": "https://www.openssl.org/news/secadv/20240115.txt" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6622-1" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060858" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-520.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2447" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-6237" + } + ], + "bom-ref": "vuln-14", + "ratings": [ + { + "severity": "none", + "score": 0.00045, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-6237" + } + } + ], + "created": "2024-04-25T07:15:45Z", + "description": "Issue summary: Checking excessively long invalid RSA public keys may take\na long time.\n\nImpact summary: Applications that use the function EVP_PKEY_public_check()\nto check RSA public keys may experience long delays. Where the key that\nis being checked has been obtained from an untrusted source this may lead\nto a Denial of Service.\n\nWhen function EVP_PKEY_public_check() is called on RSA public keys,\na computation is done to confirm that the RSA modulus, n, is composite.\nFor valid RSA keys, n is a product of two or more large primes and this\ncomputation completes quickly. However, if n is an overly large prime,\nthen this computation would take a long time.\n\nAn application that calls EVP_PKEY_public_check() and supplies an RSA key\nobtained from an untrusted source could be vulnerable to a Denial of Service\nattack.\n\nThe function EVP_PKEY_public_check() is not called from other OpenSSL\nfunctions however it is called from the OpenSSL pkey command line\napplication. For that reason that application is also vulnerable if used\nwith the '-pubin' and '-check' options on untrusted data.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.", + "affects": [ + { + "ref": "comp-63" + } + ], + "id": "CVE-2023-6237", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6237" + }, + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-01T18:15:12Z" + }, + { + "advisories": [ + { + "url": "https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2024-33601" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2799" + }, + { + "url": "https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/" + } + ], + "bom-ref": "vuln-15", + "ratings": [ + { + "severity": "none", + "score": 0.00043, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-33601" + } + } + ], + "created": "2024-05-06T20:15:11Z", + "description": "nscd: netgroup cache may terminate daemon on memory allocation failure\n\nThe Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or\nxrealloc and these functions may terminate the process due to a memory\nallocation failure resulting in a denial of service to the clients. The\nflaw was introduced in glibc 2.15 when the cache was added to nscd.\n\nThis vulnerability is only present in the nscd binary.\n\n", + "affects": [ + { + "ref": "comp-86" + } + ], + "id": "CVE-2024-33601", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33601" + }, + "cwes": [ + 617 + ], + "analysis": { + "state": "in_triage" + }, + "updated": "2024-05-07T13:39:32Z", + "properties": [ + { + "name": "amazon:inspector:sbom_scanner:fixed_version:comp-86", + "value": "0:2.36-9+deb12u7" + } + ] + }, + { + "advisories": [ + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/" + }, + { + "url": "https://kb.isc.org/docs/cve-2023-50868" + }, + { + "url": "https://datatracker.ietf.org/doc/html/rfc5155" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/" + }, + { + "url": "https://www.isc.org/blogs/2024-bind-security-release/" + }, + { + "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html" + }, + { + "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2023-50868" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/" + }, + { + "url": "https://bugzilla.suse.com/show_bug.cgi?id=1219826" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/" + }, + { + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/" + }, + { + "url": "https://www.cve.org/CVERecord?id=CVE-2023-50868" + }, + { + "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063845" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6657-2" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1648" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0977" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1801" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1647" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALASDNSMASQ-2024-002.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-552.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1804" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6642-1" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6665-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1803" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2696" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1782" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1543" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1545" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1522" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1544" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1789" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1800" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2890" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2551" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1781" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2530.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-553.html" + }, + { + "url": "https://blog.powerdns.com/2024/02/13/powerdns-recursor-4-8-6-4-9-3-5-0-2-released" + }, + { + "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2481.html" + }, + { + "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-550.html" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0965" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6633-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2720" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0981" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1334" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2587" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:0982" + }, + { + "url": "https://ubuntu.com/security/notices/USN-6723-1" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2821" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:2721" + }, + { + "url": "https://access.redhat.com/errata/RHSA-2024:1335" + } + ], + "bom-ref": "vuln-16", + "ratings": [ + { + "severity": "none", + "score": 0.00046, + "method": "other", + "vector": "model:v2023.03.01,date:2024-05-21T00:00:00+0000", + "source": { + "name": "EPSS", + "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50868" + } + } + ], + "created": "2024-02-14T16:15:45Z", + "description": "The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the \"NSEC3\" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations.", + "affects": [ + { + "ref": "comp-19" + } + ], + "id": "CVE-2023-50868", + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50868" + }, + "analysis": { + "state": "exploitable" + }, + "updated": "2024-03-07T17:15:11Z", "properties": [ { "name": "amazon:inspector:sbom_scanner:exploit_available", @@ -3082,7 +3979,7 @@ }, { "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-03T13:05:49Z" + "value": "2024-05-20T06:17:55Z" } ] } diff --git a/entrypoint/tests/test_data/scans/testData.json b/entrypoint/tests/test_data/scans/testData.json deleted file mode 100644 index 6e5f555..0000000 --- a/entrypoint/tests/test_data/scans/testData.json +++ /dev/null @@ -1,25790 +0,0 @@ -{ - "sbom": { - "specVersion": "1.5", - "metadata": { - "tools": { - "services": [ - { - "name": "Amazon Inspector Scan SBOM API", - "version": "68166634+398d10c9" - } - ] - }, - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:critical_vulnerabilities", - "value": "16" - }, - { - "name": "amazon:inspector:sbom_scanner:high_vulnerabilities", - "value": "64" - }, - { - "name": "amazon:inspector:sbom_scanner:medium_vulnerabilities", - "value": "62" - }, - { - "name": "amazon:inspector:sbom_scanner:low_vulnerabilities", - "value": "5" - } - ], - "timestamp": "2024-03-26T19:06:27.774Z" - }, - "components": [ - { - "bom-ref": "comp-1", - "name": "nesbot/carbon", - "purl": "pkg:composer/nesbot/carbon@2.53.1", - "type": "library", - "version": "2.53.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_1/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-2", - "name": "symfony/deprecation-contracts", - "purl": "pkg:composer/symfony/deprecation-contracts@v3.2.1", - "type": "library", - "version": "v3.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_1/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-3", - "name": "symfony/polyfill-mbstring", - "purl": "pkg:composer/symfony/polyfill-mbstring@v1.27.0", - "type": "library", - "version": "v1.27.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_1/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-4", - "name": "symfony/polyfill-php80", - "purl": "pkg:composer/symfony/polyfill-php80@v1.27.0", - "type": "library", - "version": "v1.27.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_1/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-5", - "name": "symfony/translation", - "purl": "pkg:composer/symfony/translation@v5.4.21", - "type": "library", - "version": "v5.4.21", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_1/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-6", - "name": "symfony/translation-contracts", - "purl": "pkg:composer/symfony/translation-contracts@v2.5.2", - "type": "library", - "version": "v2.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_1/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-7", - "name": "alrik11es/cowsayphp", - "purl": "pkg:composer/alrik11es/cowsayphp@1.2.0", - "type": "library", - "version": "1.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/project_2/composer.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-8", - "name": "nesbot/carbon", - "purl": "pkg:composer/nesbot/carbon@2.53.1", - "type": "library", - "version": "2.53.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/vendor/composer/installed.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-9", - "name": "symfony/deprecation-contracts", - "purl": "pkg:composer/symfony/deprecation-contracts@v3.2.1", - "type": "library", - "version": "v3.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/vendor/composer/installed.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-10", - "name": "symfony/polyfill-mbstring", - "purl": "pkg:composer/symfony/polyfill-mbstring@v1.27.0", - "type": "library", - "version": "v1.27.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/vendor/composer/installed.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-11", - "name": "symfony/polyfill-php80", - "purl": "pkg:composer/symfony/polyfill-php80@v1.27.0", - "type": "library", - "version": "v1.27.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/vendor/composer/installed.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-12", - "name": "symfony/translation", - "purl": "pkg:composer/symfony/translation@v5.4.21", - "type": "library", - "version": "v5.4.21", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/vendor/composer/installed.json" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-13", - "name": "symfony/translation-contracts", - "purl": "pkg:composer/symfony/translation-contracts@v2.5.2", - "type": "library", - "version": "v2.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/php/vendor/composer/installed.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-14", - "name": "Newtonsoft.Json", - "purl": "pkg:nuget/Newtonsoft.Json@13.0.3", - "type": "library", - "version": "13.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.csproj" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-15", - "name": "Microsoft.EntityFrameworkCore", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.csproj" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-16", - "name": "Microsoft.Extensions.Primitives", - "purl": "pkg:nuget/Microsoft.Extensions.Primitives@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-17", - "name": "Microsoft.Extensions.Caching.Abstractions", - "purl": "pkg:nuget/Microsoft.Extensions.Caching.Abstractions@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-18", - "name": "Newtonsoft.Json", - "purl": "pkg:nuget/Newtonsoft.Json@13.0.3", - "type": "library", - "version": "13.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-19", - "name": "Microsoft.EntityFrameworkCore", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-20", - "name": "Microsoft.Extensions.DependencyInjection.Abstractions", - "purl": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-21", - "name": "Microsoft.Extensions.Logging", - "purl": "pkg:nuget/Microsoft.Extensions.Logging@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-22", - "name": "Microsoft.Extensions.Logging.Abstractions", - "purl": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-23", - "name": "Microsoft.Extensions.DependencyInjection", - "purl": "pkg:nuget/Microsoft.Extensions.DependencyInjection@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-24", - "name": "Microsoft.EntityFrameworkCore.Abstractions", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore.Abstractions@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-25", - "name": "Microsoft.EntityFrameworkCore.Analyzers", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore.Analyzers@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-26", - "name": "Microsoft.Extensions.Caching.Memory", - "purl": "pkg:nuget/Microsoft.Extensions.Caching.Memory@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-27", - "name": "Microsoft.Extensions.Options", - "purl": "pkg:nuget/Microsoft.Extensions.Options@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-28", - "name": "sample-Nuget", - "purl": "pkg:nuget/sample-Nuget@1.0.0", - "type": "library", - "version": "1.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/sample-Nuget.deps.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-29", - "name": "FluentAssertions", - "purl": "pkg:nuget/FluentAssertions@5.4.1", - "type": "library", - "version": "5.4.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-30", - "name": "Newtonsoft.Json", - "purl": "pkg:nuget/Newtonsoft.Json@11.0.2", - "type": "library", - "version": "11.0.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - } - ] - }, - { - "bom-ref": "comp-31", - "name": "SpecFlow", - "purl": "pkg:nuget/SpecFlow@2.4.0", - "type": "library", - "version": "2.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-32", - "name": "SpecRun.Runner", - "purl": "pkg:nuget/SpecRun.Runner@1.8.0", - "type": "library", - "version": "1.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-33", - "name": "SpecRun.SpecFlow", - "purl": "pkg:nuget/SpecRun.SpecFlow@1.8.0", - "type": "library", - "version": "1.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-34", - "name": "SpecRun.SpecFlow.2-4-0", - "purl": "pkg:nuget/SpecRun.SpecFlow.2-4-0@1.8.0", - "type": "library", - "version": "1.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-35", - "name": "System.ValueTuple", - "purl": "pkg:nuget/System.ValueTuple@4.5.0", - "type": "library", - "version": "4.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/Packages.config" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-36", - "name": "Microsoft.Extensions.DependencyInjection", - "purl": "pkg:nuget/Microsoft.Extensions.DependencyInjection@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-37", - "name": "Microsoft.Extensions.DependencyInjection.Abstractions", - "purl": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-38", - "name": "Microsoft.Extensions.Logging.Abstractions", - "purl": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-39", - "name": "Microsoft.Extensions.Primitives", - "purl": "pkg:nuget/Microsoft.Extensions.Primitives@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-40", - "name": "Microsoft.Extensions.Caching.Memory", - "purl": "pkg:nuget/Microsoft.Extensions.Caching.Memory@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-41", - "name": "Newtonsoft.Json", - "purl": "pkg:nuget/Newtonsoft.Json@13.0.3", - "type": "library", - "version": "13.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-42", - "name": "Microsoft.EntityFrameworkCore.Abstractions", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore.Abstractions@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-43", - "name": "Microsoft.EntityFrameworkCore.Analyzers", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore.Analyzers@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-44", - "name": "Microsoft.Extensions.Caching.Abstractions", - "purl": "pkg:nuget/Microsoft.Extensions.Caching.Abstractions@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-45", - "name": "Microsoft.Extensions.Logging", - "purl": "pkg:nuget/Microsoft.Extensions.Logging@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-46", - "name": "Microsoft.Extensions.Options", - "purl": "pkg:nuget/Microsoft.Extensions.Options@7.0.0", - "type": "library", - "version": "7.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-47", - "name": "Microsoft.EntityFrameworkCore", - "purl": "pkg:nuget/Microsoft.EntityFrameworkCore@7.0.5", - "type": "library", - "version": "7.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nuget/packages.lock.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-48", - "name": "requests", - "purl": "pkg:pypi/requests@2.28.2", - "type": "library", - "version": "2.28.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pipvenv/Pipfile.lock" - } - ] - }, - { - "bom-ref": "comp-49", - "name": "urllib3", - "purl": "pkg:pypi/urllib3@1.26.14", - "type": "library", - "version": "1.26.14", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pipvenv/Pipfile.lock" - } - ] - }, - { - "bom-ref": "comp-50", - "name": "certifi", - "purl": "pkg:pypi/certifi@2022.12.7", - "type": "library", - "version": "2022.12.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pipvenv/Pipfile.lock" - } - ] - }, - { - "bom-ref": "comp-51", - "name": "charset-normalizer", - "purl": "pkg:pypi/charset-normalizer@3.1.0", - "type": "library", - "version": "3.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pipvenv/Pipfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-52", - "name": "idna", - "purl": "pkg:pypi/idna@3.4", - "type": "library", - "version": "3.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pipvenv/Pipfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-53", - "name": "github.com/akamensky/argparse", - "purl": "pkg:golang/github.com/akamensky/argparse@v1.4.0", - "type": "library", - "version": "v1.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-54", - "name": "github.com/aws/aws-lambda-go", - "purl": "pkg:golang/github.com/aws/aws-lambda-go@v1.32.1", - "type": "library", - "version": "v1.32.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-55", - "name": "github.com/aws/aws-sdk-go-v2", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2@v1.16.7", - "type": "library", - "version": "v1.16.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-56", - "name": "github.com/aws/aws-sdk-go-v2/config", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/config@v1.15.14", - "type": "library", - "version": "v1.15.14", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-57", - "name": "github.com/aws/aws-sdk-go-v2/service/s3", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/s3@v1.27.1", - "type": "library", - "version": "v1.27.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-58", - "name": "github.com/beevik/etree", - "purl": "pkg:golang/github.com/beevik/etree@v1.1.0", - "type": "library", - "version": "v1.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-59", - "name": "github.com/sirupsen/logrus", - "purl": "pkg:golang/github.com/sirupsen/logrus@v1.9.0", - "type": "library", - "version": "v1.9.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-60", - "name": "github.com/ulikunitz/xz", - "purl": "pkg:golang/github.com/ulikunitz/xz@v0.5.10", - "type": "library", - "version": "v0.5.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-61", - "name": "github.com/Microsoft/go-winio", - "purl": "pkg:golang/github.com/Microsoft/go-winio@v0.5.2", - "type": "library", - "version": "v0.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-62", - "name": "github.com/ProtonMail/go-crypto", - "purl": "pkg:golang/github.com/ProtonMail/go-crypto@v0.0.0-20221026131551-cf6655e29de4", - "type": "library", - "version": "v0.0.0-20221026131551-cf6655e29de4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-63", - "name": "github.com/PuerkitoBio/goquery", - "purl": "pkg:golang/github.com/PuerkitoBio/goquery@v1.5.1", - "type": "library", - "version": "v1.5.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-64", - "name": "github.com/acomagu/bufpipe", - "purl": "pkg:golang/github.com/acomagu/bufpipe@v1.0.3", - "type": "library", - "version": "v1.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-65", - "name": "github.com/andybalholm/cascadia", - "purl": "pkg:golang/github.com/andybalholm/cascadia@v1.1.0", - "type": "library", - "version": "v1.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-66", - "name": "github.com/cloudflare/circl", - "purl": "pkg:golang/github.com/cloudflare/circl@v1.1.0", - "type": "library", - "version": "v1.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - } - ] - }, - { - "bom-ref": "comp-67", - "name": "github.com/emirpasic/gods", - "purl": "pkg:golang/github.com/emirpasic/gods@v1.18.1", - "type": "library", - "version": "v1.18.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-68", - "name": "github.com/go-git/gcfg", - "purl": "pkg:golang/github.com/go-git/gcfg@v1.5.0", - "type": "library", - "version": "v1.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-69", - "name": "github.com/go-git/go-billy/v5", - "purl": "pkg:golang/github.com/go-git/go-billy/v5@v5.3.1", - "type": "library", - "version": "v5.3.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-70", - "name": "github.com/imdario/mergo", - "purl": "pkg:golang/github.com/imdario/mergo@v0.3.13", - "type": "library", - "version": "v0.3.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-71", - "name": "github.com/jbenet/go-context", - "purl": "pkg:golang/github.com/jbenet/go-context@v0.0.0-20150711004518-d14ea06fba99", - "type": "library", - "version": "v0.0.0-20150711004518-d14ea06fba99", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-72", - "name": "github.com/json-iterator/go", - "purl": "pkg:golang/github.com/json-iterator/go@v1.1.10", - "type": "library", - "version": "v1.1.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-73", - "name": "github.com/kevinburke/ssh_config", - "purl": "pkg:golang/github.com/kevinburke/ssh_config@v1.2.0", - "type": "library", - "version": "v1.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-74", - "name": "github.com/mmcdole/goxpp", - "purl": "pkg:golang/github.com/mmcdole/goxpp@v0.0.0-20181012175147-0068e33feabf", - "type": "library", - "version": "v0.0.0-20181012175147-0068e33feabf", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-75", - "name": "github.com/modern-go/concurrent", - "purl": "pkg:golang/github.com/modern-go/concurrent@v0.0.0-20180228061459-e0a39a4cb421", - "type": "library", - "version": "v0.0.0-20180228061459-e0a39a4cb421", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-76", - "name": "github.com/modern-go/reflect2", - "purl": "pkg:golang/github.com/modern-go/reflect2@v0.0.0-20180701023420-4b7aa43c6742", - "type": "library", - "version": "v0.0.0-20180701023420-4b7aa43c6742", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-77", - "name": "github.com/pjbgf/sha1cd", - "purl": "pkg:golang/github.com/pjbgf/sha1cd@v0.2.3", - "type": "library", - "version": "v0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-78", - "name": "github.com/sergi/go-diff", - "purl": "pkg:golang/github.com/sergi/go-diff@v1.2.0", - "type": "library", - "version": "v1.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-79", - "name": "github.com/skeema/knownhosts", - "purl": "pkg:golang/github.com/skeema/knownhosts@v1.1.0", - "type": "library", - "version": "v1.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-80", - "name": "github.com/xanzy/ssh-agent", - "purl": "pkg:golang/github.com/xanzy/ssh-agent@v0.3.3", - "type": "library", - "version": "v0.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-81", - "name": "golang.org/x/crypto", - "purl": "pkg:golang/golang.org/x/crypto@v0.3.0", - "type": "library", - "version": "v0.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - } - ] - }, - { - "bom-ref": "comp-82", - "name": "golang.org/x/net", - "purl": "pkg:golang/golang.org/x/net@v0.4.0", - "type": "library", - "version": "v0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - } - ] - }, - { - "bom-ref": "comp-83", - "name": "golang.org/x/text", - "purl": "pkg:golang/golang.org/x/text@v0.5.0", - "type": "library", - "version": "v0.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-84", - "name": "gopkg.in/warnings.v0", - "purl": "pkg:golang/gopkg.in/warnings.v0@v0.1.2", - "type": "library", - "version": "v0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-85", - "name": "github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.4.3", - "type": "library", - "version": "v1.4.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-86", - "name": "github.com/aws/aws-sdk-go-v2/credentials", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/credentials@v1.12.9", - "type": "library", - "version": "v1.12.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-87", - "name": "github.com/aws/aws-sdk-go-v2/feature/ec2/imds", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/feature/ec2/imds@v1.12.8", - "type": "library", - "version": "v1.12.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-88", - "name": "github.com/aws/aws-sdk-go-v2/internal/configsources", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/internal/configsources@v1.1.14", - "type": "library", - "version": "v1.1.14", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-89", - "name": "github.com/aws/aws-sdk-go-v2/internal/endpoints/v2", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2@v2.4.8", - "type": "library", - "version": "v2.4.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-90", - "name": "github.com/aws/aws-sdk-go-v2/internal/ini", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/internal/ini@v1.3.15", - "type": "library", - "version": "v1.3.15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-91", - "name": "github.com/aws/aws-sdk-go-v2/internal/v4a", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/internal/v4a@v1.0.5", - "type": "library", - "version": "v1.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-92", - "name": "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding@v1.9.3", - "type": "library", - "version": "v1.9.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-93", - "name": "github.com/aws/aws-sdk-go-v2/service/internal/checksum", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/checksum@v1.1.9", - "type": "library", - "version": "v1.1.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-94", - "name": "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url@v1.9.8", - "type": "library", - "version": "v1.9.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-95", - "name": "github.com/aws/aws-sdk-go-v2/service/internal/s3shared", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/internal/s3shared@v1.13.8", - "type": "library", - "version": "v1.13.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-96", - "name": "github.com/aws/aws-sdk-go-v2/service/sso", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/sso@v1.11.12", - "type": "library", - "version": "v1.11.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-97", - "name": "github.com/aws/aws-sdk-go-v2/service/sts", - "purl": "pkg:golang/github.com/aws/aws-sdk-go-v2/service/sts@v1.16.9", - "type": "library", - "version": "v1.16.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-98", - "name": "github.com/aws/smithy-go", - "purl": "pkg:golang/github.com/aws/smithy-go@v1.12.0", - "type": "library", - "version": "v1.12.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-99", - "name": "github.com/go-git/go-git/v5", - "purl": "pkg:golang/github.com/go-git/go-git/v5@v5.5.1", - "type": "library", - "version": "v5.5.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - } - ] - }, - { - "bom-ref": "comp-100", - "name": "github.com/mmcdole/gofeed", - "purl": "pkg:golang/github.com/mmcdole/gofeed@v1.1.3", - "type": "library", - "version": "v1.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-101", - "name": "github.com/secsy/goftp", - "purl": "pkg:golang/github.com/secsy/goftp@v0.0.0-20200609142545-aa2de14babf4", - "type": "library", - "version": "v0.0.0-20200609142545-aa2de14babf4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-102", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.3.0", - "type": "library", - "version": "v0.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-103", - "name": "github.com/mmcloughlin/avo", - "purl": "pkg:golang/github.com/mmcloughlin/avo@v0.2.0", - "type": "library", - "version": "v0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.mod" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-104", - "name": "github.com/mmcloughlin/avo", - "purl": "pkg:golang/github.com/mmcloughlin/avo@v0.2.0", - "type": "library", - "version": "v0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-105", - "name": "github.com/yuin/goldmark", - "purl": "pkg:golang/github.com/yuin/goldmark@v1.2.1", - "type": "library", - "version": "v1.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-106", - "name": "golang.org/x/arch", - "purl": "pkg:golang/golang.org/x/arch@v0.0.0-20210405154355-08b684f594a5", - "type": "library", - "version": "v0.0.0-20210405154355-08b684f594a5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-107", - "name": "golang.org/x/crypto", - "purl": "pkg:golang/golang.org/x/crypto@v0.0.0-20190308221718-c2843e01d9a2", - "type": "library", - "version": "v0.0.0-20190308221718-c2843e01d9a2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-108", - "name": "golang.org/x/crypto", - "purl": "pkg:golang/golang.org/x/crypto@v0.0.0-20191011191535-87dc89f01550", - "type": "library", - "version": "v0.0.0-20191011191535-87dc89f01550", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-109", - "name": "golang.org/x/crypto", - "purl": "pkg:golang/golang.org/x/crypto@v0.0.0-20200622213623-75b288015ac9", - "type": "library", - "version": "v0.0.0-20200622213623-75b288015ac9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-110", - "name": "golang.org/x/mod", - "purl": "pkg:golang/golang.org/x/mod@v0.3.0", - "type": "library", - "version": "v0.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-111", - "name": "golang.org/x/net", - "purl": "pkg:golang/golang.org/x/net@v0.0.0-20190404232315-eb5bcb51f2a3", - "type": "library", - "version": "v0.0.0-20190404232315-eb5bcb51f2a3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-112", - "name": "golang.org/x/net", - "purl": "pkg:golang/golang.org/x/net@v0.0.0-20190620200207-3b0461eec859", - "type": "library", - "version": "v0.0.0-20190620200207-3b0461eec859", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-113", - "name": "golang.org/x/net", - "purl": "pkg:golang/golang.org/x/net@v0.0.0-20201021035429-f5854403a974", - "type": "library", - "version": "v0.0.0-20201021035429-f5854403a974", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-114", - "name": "golang.org/x/sync", - "purl": "pkg:golang/golang.org/x/sync@v0.0.0-20190423024810-112230192c58", - "type": "library", - "version": "v0.0.0-20190423024810-112230192c58", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-115", - "name": "golang.org/x/sync", - "purl": "pkg:golang/golang.org/x/sync@v0.0.0-20201020160332-67f06af15bc9", - "type": "library", - "version": "v0.0.0-20201020160332-67f06af15bc9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-116", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20190215142949-d0b11bdaac8a", - "type": "library", - "version": "v0.0.0-20190215142949-d0b11bdaac8a", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-117", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20190412213103-97732733099d", - "type": "library", - "version": "v0.0.0-20190412213103-97732733099d", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-118", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20200930185726-fdedc70b468f", - "type": "library", - "version": "v0.0.0-20200930185726-fdedc70b468f", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-119", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20210119212857-b64e53b001e4", - "type": "library", - "version": "v0.0.0-20210119212857-b64e53b001e4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-120", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.0.0-20210403161142-5e06dd20ab57", - "type": "library", - "version": "v0.0.0-20210403161142-5e06dd20ab57", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-121", - "name": "golang.org/x/text", - "purl": "pkg:golang/golang.org/x/text@v0.3.0", - "type": "library", - "version": "v0.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-122", - "name": "golang.org/x/text", - "purl": "pkg:golang/golang.org/x/text@v0.3.3", - "type": "library", - "version": "v0.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - } - ] - }, - { - "bom-ref": "comp-123", - "name": "golang.org/x/tools", - "purl": "pkg:golang/golang.org/x/tools@v0.0.0-20180917221912-90fa682c2a6e", - "type": "library", - "version": "v0.0.0-20180917221912-90fa682c2a6e", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-124", - "name": "golang.org/x/tools", - "purl": "pkg:golang/golang.org/x/tools@v0.0.0-20191119224855-298f0cb1881e", - "type": "library", - "version": "v0.0.0-20191119224855-298f0cb1881e", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-125", - "name": "golang.org/x/tools", - "purl": "pkg:golang/golang.org/x/tools@v0.1.0", - "type": "library", - "version": "v0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-126", - "name": "golang.org/x/xerrors", - "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20190717185122-a985d3407aa7", - "type": "library", - "version": "v0.0.0-20190717185122-a985d3407aa7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-127", - "name": "golang.org/x/xerrors", - "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191011141410-1b5146add898", - "type": "library", - "version": "v0.0.0-20191011141410-1b5146add898", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-128", - "name": "golang.org/x/xerrors", - "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20200804184101-5ec99f83aff1", - "type": "library", - "version": "v0.0.0-20200804184101-5ec99f83aff1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-129", - "name": "rsc.io/pdf", - "purl": "pkg:golang/rsc.io/pdf@v0.1.1", - "type": "library", - "version": "v0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/golang/nomad/go.sum" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-130", - "name": "boto3", - "purl": "pkg:pypi/boto3@1.24.91", - "type": "library", - "version": "1.24.91", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/python-pkg/boto3-1.24.91.dist-info/METADATA" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-131", - "name": "botocore", - "purl": "pkg:pypi/botocore@1.27.91", - "type": "library", - "version": "1.27.91", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/python-pkg/botocore-1.27.91.dist-info/METADATA" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-132", - "name": "protobuf", - "purl": "pkg:pypi/protobuf@4.21.12", - "type": "library", - "version": "4.21.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/python-pkg/protobuf-4.21.12-py3.10.egg-info/PKG-INFO" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-133", - "name": "six", - "purl": "pkg:pypi/six@1.16.0", - "type": "library", - "version": "1.16.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/python-pkg/six-1.16.0-py3.10.egg-info/PKG-INFO" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-134", - "name": "cat.inspiracio/rhino-js-engine", - "purl": "pkg:maven/cat.inspiracio/rhino-js-engine@1.7.10", - "type": "library", - "version": "1.7.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/META-INF/maven/cat.inspiracio/rhino-js-engine/pom.properties" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-135", - "name": "sample", - "purl": "pkg:maven/sample", - "type": "library", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/sample.ear" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no version in purl provided." - } - ] - }, - { - "bom-ref": "comp-136", - "name": "HelloWorldFirst", - "purl": "pkg:maven/HelloWorldFirst", - "type": "library", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/sample.ear/HelloWorldFirst.war" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no version in purl provided." - } - ] - }, - { - "bom-ref": "comp-137", - "name": "HelloWorldSecond", - "purl": "pkg:maven/HelloWorldSecond", - "type": "library", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/sample.ear/HelloWorldFirst.war/HelloWorldSecond.war" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no version in purl provided." - } - ] - }, - { - "bom-ref": "comp-138", - "name": "sample", - "purl": "pkg:maven/sample", - "type": "library", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/sample.war" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no version in purl provided." - } - ] - }, - { - "bom-ref": "comp-139", - "name": "test", - "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@9.0.65", - "type": "library", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/test.jar" - } - ] - }, - { - "bom-ref": "comp-140", - "name": "test", - "purl": "pkg:maven/test", - "type": "library", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/test.par" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no version in purl provided." - } - ] - }, - { - "bom-ref": "comp-141", - "name": "com.fasterxml.jackson.core/jackson-core", - "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.10", - "type": "library", - "version": "2.9.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/test.par/lib/jackson-core-2.9.10.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.properties" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-142", - "name": "rhino-js-engine", - "purl": "pkg:maven/rhino-js-engine@1.7.10", - "type": "library", - "version": "1.7.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/java/rhino-js-engine-1.7.10.jar" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-143", - "name": "certifi", - "purl": "pkg:pypi/certifi@2022.12.7", - "type": "library", - "version": "2022.12.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/poetry/poetry.lock" - } - ] - }, - { - "bom-ref": "comp-144", - "name": "charset-normalizer", - "purl": "pkg:pypi/charset-normalizer@3.1.0", - "type": "library", - "version": "3.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/poetry/poetry.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-145", - "name": "idna", - "purl": "pkg:pypi/idna@3.4", - "type": "library", - "version": "3.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/poetry/poetry.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-146", - "name": "requests", - "purl": "pkg:pypi/requests@2.28.2", - "type": "library", - "version": "2.28.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/poetry/poetry.lock" - } - ] - }, - { - "bom-ref": "comp-147", - "name": "urllib3", - "purl": "pkg:pypi/urllib3@1.26.14", - "type": "library", - "version": "1.26.14", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/poetry/poetry.lock" - } - ] - }, - { - "bom-ref": "comp-148", - "name": "ast", - "purl": "pkg:gem/ast@2.4.2", - "type": "library", - "version": "2.4.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-149", - "name": "awesome_print", - "purl": "pkg:gem/awesome_print@1.9.2", - "type": "library", - "version": "1.9.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-150", - "name": "diff-lcs", - "purl": "pkg:gem/diff-lcs@1.5.0", - "type": "library", - "version": "1.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-151", - "name": "json", - "purl": "pkg:gem/json@2.6.3", - "type": "library", - "version": "2.6.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-152", - "name": "parallel", - "purl": "pkg:gem/parallel@1.22.1", - "type": "library", - "version": "1.22.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-153", - "name": "parser", - "purl": "pkg:gem/parser@3.2.2.0", - "type": "library", - "version": "3.2.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-154", - "name": "rainbow", - "purl": "pkg:gem/rainbow@3.1.1", - "type": "library", - "version": "3.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-155", - "name": "regexp_parser", - "purl": "pkg:gem/regexp_parser@2.7.0", - "type": "library", - "version": "2.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-156", - "name": "rexml", - "purl": "pkg:gem/rexml@3.2.5", - "type": "library", - "version": "3.2.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-157", - "name": "rspec", - "purl": "pkg:gem/rspec@3.12.0", - "type": "library", - "version": "3.12.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-158", - "name": "rspec-core", - "purl": "pkg:gem/rspec-core@3.12.1", - "type": "library", - "version": "3.12.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-159", - "name": "rspec-expectations", - "purl": "pkg:gem/rspec-expectations@3.12.2", - "type": "library", - "version": "3.12.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-160", - "name": "rspec-mocks", - "purl": "pkg:gem/rspec-mocks@3.12.5", - "type": "library", - "version": "3.12.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-161", - "name": "rspec-support", - "purl": "pkg:gem/rspec-support@3.12.0", - "type": "library", - "version": "3.12.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-162", - "name": "rubocop", - "purl": "pkg:gem/rubocop@1.49.0", - "type": "library", - "version": "1.49.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-163", - "name": "rubocop-ast", - "purl": "pkg:gem/rubocop-ast@1.28.0", - "type": "library", - "version": "1.28.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-164", - "name": "ruby-progressbar", - "purl": "pkg:gem/ruby-progressbar@1.13.0", - "type": "library", - "version": "1.13.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-165", - "name": "unicode-display_width", - "purl": "pkg:gem/unicode-display_width@2.4.2", - "type": "library", - "version": "2.4.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/Gemfile.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-166", - "name": "generategem", - "purl": "pkg:gem/generategem@2.0.0", - "type": "library", - "version": "2.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/generategem.gemspec" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-167", - "name": "adler32", - "purl": "pkg:cargo/adler32@1.0.3", - "type": "library", - "version": "1.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-168", - "name": "aho-corasick", - "purl": "pkg:cargo/aho-corasick@0.7.4", - "type": "library", - "version": "0.7.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-169", - "name": "ansi_term", - "purl": "pkg:cargo/ansi_term@0.11.0", - "type": "library", - "version": "0.11.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-170", - "name": "arrayvec", - "purl": "pkg:cargo/arrayvec@0.4.10", - "type": "library", - "version": "0.4.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-171", - "name": "atty", - "purl": "pkg:cargo/atty@0.2.11", - "type": "library", - "version": "0.2.11", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-172", - "name": "autocfg", - "purl": "pkg:cargo/autocfg@0.1.4", - "type": "library", - "version": "0.1.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-173", - "name": "backtrace", - "purl": "pkg:cargo/backtrace@0.3.32", - "type": "library", - "version": "0.3.32", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-174", - "name": "backtrace-sys", - "purl": "pkg:cargo/backtrace-sys@0.1.30", - "type": "library", - "version": "0.1.30", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-175", - "name": "base64", - "purl": "pkg:cargo/base64@0.10.1", - "type": "library", - "version": "0.10.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-176", - "name": "bitflags", - "purl": "pkg:cargo/bitflags@1.1.0", - "type": "library", - "version": "1.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-177", - "name": "byteorder", - "purl": "pkg:cargo/byteorder@1.3.2", - "type": "library", - "version": "1.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-178", - "name": "bytes", - "purl": "pkg:cargo/bytes@0.4.12", - "type": "library", - "version": "0.4.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-179", - "name": "c2-chacha", - "purl": "pkg:cargo/c2-chacha@0.2.2", - "type": "library", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-180", - "name": "cargo-example", - "purl": "pkg:cargo/cargo-example@0.2.1", - "type": "library", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-181", - "name": "cc", - "purl": "pkg:cargo/cc@1.0.37", - "type": "library", - "version": "1.0.37", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-182", - "name": "cfg-if", - "purl": "pkg:cargo/cfg-if@0.1.9", - "type": "library", - "version": "0.1.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-183", - "name": "clap", - "purl": "pkg:cargo/clap@2.33.0", - "type": "library", - "version": "2.33.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-184", - "name": "cloudabi", - "purl": "pkg:cargo/cloudabi@0.0.3", - "type": "library", - "version": "0.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-185", - "name": "cookie", - "purl": "pkg:cargo/cookie@0.12.0", - "type": "library", - "version": "0.12.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-186", - "name": "cookie_store", - "purl": "pkg:cargo/cookie_store@0.7.0", - "type": "library", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-187", - "name": "core-foundation", - "purl": "pkg:cargo/core-foundation@0.6.4", - "type": "library", - "version": "0.6.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-188", - "name": "core-foundation-sys", - "purl": "pkg:cargo/core-foundation-sys@0.6.2", - "type": "library", - "version": "0.6.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-189", - "name": "crc32fast", - "purl": "pkg:cargo/crc32fast@1.2.0", - "type": "library", - "version": "1.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-190", - "name": "crossbeam-deque", - "purl": "pkg:cargo/crossbeam-deque@0.7.1", - "type": "library", - "version": "0.7.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-191", - "name": "crossbeam-epoch", - "purl": "pkg:cargo/crossbeam-epoch@0.7.1", - "type": "library", - "version": "0.7.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-192", - "name": "crossbeam-queue", - "purl": "pkg:cargo/crossbeam-queue@0.1.2", - "type": "library", - "version": "0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-193", - "name": "crossbeam-utils", - "purl": "pkg:cargo/crossbeam-utils@0.6.5", - "type": "library", - "version": "0.6.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-194", - "name": "dtoa", - "purl": "pkg:cargo/dtoa@0.4.4", - "type": "library", - "version": "0.4.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-195", - "name": "either", - "purl": "pkg:cargo/either@1.5.2", - "type": "library", - "version": "1.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-196", - "name": "encoding_rs", - "purl": "pkg:cargo/encoding_rs@0.8.17", - "type": "library", - "version": "0.8.17", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-197", - "name": "error-chain", - "purl": "pkg:cargo/error-chain@0.12.1", - "type": "library", - "version": "0.12.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-198", - "name": "failure", - "purl": "pkg:cargo/failure@0.1.5", - "type": "library", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-199", - "name": "failure_derive", - "purl": "pkg:cargo/failure_derive@0.1.5", - "type": "library", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-200", - "name": "flate2", - "purl": "pkg:cargo/flate2@1.0.9", - "type": "library", - "version": "1.0.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-201", - "name": "fnv", - "purl": "pkg:cargo/fnv@1.0.6", - "type": "library", - "version": "1.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-202", - "name": "foreign-types", - "purl": "pkg:cargo/foreign-types@0.3.2", - "type": "library", - "version": "0.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-203", - "name": "foreign-types-shared", - "purl": "pkg:cargo/foreign-types-shared@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-204", - "name": "fuchsia-cprng", - "purl": "pkg:cargo/fuchsia-cprng@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-205", - "name": "fuchsia-zircon", - "purl": "pkg:cargo/fuchsia-zircon@0.3.3", - "type": "library", - "version": "0.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-206", - "name": "fuchsia-zircon-sys", - "purl": "pkg:cargo/fuchsia-zircon-sys@0.3.3", - "type": "library", - "version": "0.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-207", - "name": "futures", - "purl": "pkg:cargo/futures@0.1.28", - "type": "library", - "version": "0.1.28", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-208", - "name": "futures-cpupool", - "purl": "pkg:cargo/futures-cpupool@0.1.8", - "type": "library", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-209", - "name": "getrandom", - "purl": "pkg:cargo/getrandom@0.1.6", - "type": "library", - "version": "0.1.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-210", - "name": "git2", - "purl": "pkg:cargo/git2@0.9.1", - "type": "library", - "version": "0.9.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-211", - "name": "h2", - "purl": "pkg:cargo/h2@0.1.25", - "type": "library", - "version": "0.1.25", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-212", - "name": "http", - "purl": "pkg:cargo/http@0.1.17", - "type": "library", - "version": "0.1.17", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-213", - "name": "http-body", - "purl": "pkg:cargo/http-body@0.1.0", - "type": "library", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-214", - "name": "httparse", - "purl": "pkg:cargo/httparse@1.3.4", - "type": "library", - "version": "1.3.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-215", - "name": "hyper", - "purl": "pkg:cargo/hyper@0.12.31", - "type": "library", - "version": "0.12.31", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-216", - "name": "hyper-tls", - "purl": "pkg:cargo/hyper-tls@0.3.2", - "type": "library", - "version": "0.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-217", - "name": "idna", - "purl": "pkg:cargo/idna@0.1.5", - "type": "library", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-218", - "name": "indexmap", - "purl": "pkg:cargo/indexmap@1.0.2", - "type": "library", - "version": "1.0.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-219", - "name": "iovec", - "purl": "pkg:cargo/iovec@0.1.2", - "type": "library", - "version": "0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-220", - "name": "itoa", - "purl": "pkg:cargo/itoa@0.4.4", - "type": "library", - "version": "0.4.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-221", - "name": "kernel32-sys", - "purl": "pkg:cargo/kernel32-sys@0.2.2", - "type": "library", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-222", - "name": "lazy_static", - "purl": "pkg:cargo/lazy_static@1.3.0", - "type": "library", - "version": "1.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-223", - "name": "libc", - "purl": "pkg:cargo/libc@0.2.58", - "type": "library", - "version": "0.2.58", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-224", - "name": "libgit2-sys", - "purl": "pkg:cargo/libgit2-sys@0.8.1", - "type": "library", - "version": "0.8.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-225", - "name": "libssh2-sys", - "purl": "pkg:cargo/libssh2-sys@0.2.11", - "type": "library", - "version": "0.2.11", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-226", - "name": "libz-sys", - "purl": "pkg:cargo/libz-sys@1.0.25", - "type": "library", - "version": "1.0.25", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-227", - "name": "lock_api", - "purl": "pkg:cargo/lock_api@0.1.5", - "type": "library", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-228", - "name": "log", - "purl": "pkg:cargo/log@0.4.6", - "type": "library", - "version": "0.4.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-229", - "name": "matches", - "purl": "pkg:cargo/matches@0.1.8", - "type": "library", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-230", - "name": "memchr", - "purl": "pkg:cargo/memchr@2.2.0", - "type": "library", - "version": "2.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-231", - "name": "memoffset", - "purl": "pkg:cargo/memoffset@0.2.1", - "type": "library", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-232", - "name": "mime", - "purl": "pkg:cargo/mime@0.3.13", - "type": "library", - "version": "0.3.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-233", - "name": "mime_guess", - "purl": "pkg:cargo/mime_guess@2.0.0-alpha.6", - "type": "library", - "version": "2.0.0-alpha.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-234", - "name": "miniz_oxide", - "purl": "pkg:cargo/miniz_oxide@0.2.2", - "type": "library", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-235", - "name": "miniz_oxide_c_api", - "purl": "pkg:cargo/miniz_oxide_c_api@0.2.2", - "type": "library", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-236", - "name": "mio", - "purl": "pkg:cargo/mio@0.6.19", - "type": "library", - "version": "0.6.19", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-237", - "name": "miow", - "purl": "pkg:cargo/miow@0.2.1", - "type": "library", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-238", - "name": "native-tls", - "purl": "pkg:cargo/native-tls@0.2.3", - "type": "library", - "version": "0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-239", - "name": "net2", - "purl": "pkg:cargo/net2@0.2.33", - "type": "library", - "version": "0.2.33", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-240", - "name": "nodrop", - "purl": "pkg:cargo/nodrop@0.1.13", - "type": "library", - "version": "0.1.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-241", - "name": "num_cpus", - "purl": "pkg:cargo/num_cpus@1.10.1", - "type": "library", - "version": "1.10.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-242", - "name": "numtoa", - "purl": "pkg:cargo/numtoa@0.1.0", - "type": "library", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-243", - "name": "openssl", - "purl": "pkg:cargo/openssl@0.10.23", - "type": "library", - "version": "0.10.23", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-244", - "name": "openssl-probe", - "purl": "pkg:cargo/openssl-probe@0.1.2", - "type": "library", - "version": "0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-245", - "name": "openssl-sys", - "purl": "pkg:cargo/openssl-sys@0.9.47", - "type": "library", - "version": "0.9.47", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-246", - "name": "owning_ref", - "purl": "pkg:cargo/owning_ref@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-247", - "name": "parking_lot", - "purl": "pkg:cargo/parking_lot@0.7.1", - "type": "library", - "version": "0.7.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-248", - "name": "parking_lot_core", - "purl": "pkg:cargo/parking_lot_core@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-249", - "name": "percent-encoding", - "purl": "pkg:cargo/percent-encoding@1.0.1", - "type": "library", - "version": "1.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-250", - "name": "phf", - "purl": "pkg:cargo/phf@0.7.24", - "type": "library", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-251", - "name": "phf_codegen", - "purl": "pkg:cargo/phf_codegen@0.7.24", - "type": "library", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-252", - "name": "phf_generator", - "purl": "pkg:cargo/phf_generator@0.7.24", - "type": "library", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-253", - "name": "phf_shared", - "purl": "pkg:cargo/phf_shared@0.7.24", - "type": "library", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-254", - "name": "pkg-config", - "purl": "pkg:cargo/pkg-config@0.3.14", - "type": "library", - "version": "0.3.14", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-255", - "name": "ppv-lite86", - "purl": "pkg:cargo/ppv-lite86@0.2.5", - "type": "library", - "version": "0.2.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-256", - "name": "proc-macro2", - "purl": "pkg:cargo/proc-macro2@0.4.30", - "type": "library", - "version": "0.4.30", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-257", - "name": "publicsuffix", - "purl": "pkg:cargo/publicsuffix@1.5.2", - "type": "library", - "version": "1.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-258", - "name": "quote", - "purl": "pkg:cargo/quote@0.6.12", - "type": "library", - "version": "0.6.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-259", - "name": "rand", - "purl": "pkg:cargo/rand@0.6.5", - "type": "library", - "version": "0.6.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-260", - "name": "rand", - "purl": "pkg:cargo/rand@0.7.0", - "type": "library", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-261", - "name": "rand_chacha", - "purl": "pkg:cargo/rand_chacha@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-262", - "name": "rand_chacha", - "purl": "pkg:cargo/rand_chacha@0.2.0", - "type": "library", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-263", - "name": "rand_core", - "purl": "pkg:cargo/rand_core@0.3.1", - "type": "library", - "version": "0.3.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-264", - "name": "rand_core", - "purl": "pkg:cargo/rand_core@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-265", - "name": "rand_core", - "purl": "pkg:cargo/rand_core@0.5.0", - "type": "library", - "version": "0.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-266", - "name": "rand_hc", - "purl": "pkg:cargo/rand_hc@0.1.0", - "type": "library", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-267", - "name": "rand_hc", - "purl": "pkg:cargo/rand_hc@0.2.0", - "type": "library", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-268", - "name": "rand_isaac", - "purl": "pkg:cargo/rand_isaac@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-269", - "name": "rand_jitter", - "purl": "pkg:cargo/rand_jitter@0.1.4", - "type": "library", - "version": "0.1.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-270", - "name": "rand_os", - "purl": "pkg:cargo/rand_os@0.1.3", - "type": "library", - "version": "0.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-271", - "name": "rand_pcg", - "purl": "pkg:cargo/rand_pcg@0.1.2", - "type": "library", - "version": "0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-272", - "name": "rand_xorshift", - "purl": "pkg:cargo/rand_xorshift@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-273", - "name": "rdrand", - "purl": "pkg:cargo/rdrand@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-274", - "name": "redox_syscall", - "purl": "pkg:cargo/redox_syscall@0.1.56", - "type": "library", - "version": "0.1.56", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-275", - "name": "redox_termios", - "purl": "pkg:cargo/redox_termios@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-276", - "name": "regex", - "purl": "pkg:cargo/regex@1.1.8", - "type": "library", - "version": "1.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-277", - "name": "regex-syntax", - "purl": "pkg:cargo/regex-syntax@0.6.7", - "type": "library", - "version": "0.6.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-278", - "name": "remove_dir_all", - "purl": "pkg:cargo/remove_dir_all@0.5.2", - "type": "library", - "version": "0.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-279", - "name": "reqwest", - "purl": "pkg:cargo/reqwest@0.9.18", - "type": "library", - "version": "0.9.18", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-280", - "name": "rustc-demangle", - "purl": "pkg:cargo/rustc-demangle@0.1.15", - "type": "library", - "version": "0.1.15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-281", - "name": "rustc_version", - "purl": "pkg:cargo/rustc_version@0.2.3", - "type": "library", - "version": "0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-282", - "name": "ryu", - "purl": "pkg:cargo/ryu@1.0.0", - "type": "library", - "version": "1.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-283", - "name": "schannel", - "purl": "pkg:cargo/schannel@0.1.15", - "type": "library", - "version": "0.1.15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-284", - "name": "scopeguard", - "purl": "pkg:cargo/scopeguard@0.3.3", - "type": "library", - "version": "0.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-285", - "name": "security-framework", - "purl": "pkg:cargo/security-framework@0.3.1", - "type": "library", - "version": "0.3.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-286", - "name": "security-framework-sys", - "purl": "pkg:cargo/security-framework-sys@0.3.1", - "type": "library", - "version": "0.3.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-287", - "name": "semver", - "purl": "pkg:cargo/semver@0.9.0", - "type": "library", - "version": "0.9.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-288", - "name": "semver-parser", - "purl": "pkg:cargo/semver-parser@0.7.0", - "type": "library", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-289", - "name": "serde", - "purl": "pkg:cargo/serde@1.0.94", - "type": "library", - "version": "1.0.94", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-290", - "name": "serde_derive", - "purl": "pkg:cargo/serde_derive@1.0.94", - "type": "library", - "version": "1.0.94", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-291", - "name": "serde_json", - "purl": "pkg:cargo/serde_json@1.0.40", - "type": "library", - "version": "1.0.40", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-292", - "name": "serde_urlencoded", - "purl": "pkg:cargo/serde_urlencoded@0.5.5", - "type": "library", - "version": "0.5.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-293", - "name": "siphasher", - "purl": "pkg:cargo/siphasher@0.2.3", - "type": "library", - "version": "0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-294", - "name": "slab", - "purl": "pkg:cargo/slab@0.4.2", - "type": "library", - "version": "0.4.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-295", - "name": "smallvec", - "purl": "pkg:cargo/smallvec@0.6.10", - "type": "library", - "version": "0.6.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-296", - "name": "spin", - "purl": "pkg:cargo/spin@0.5.0", - "type": "library", - "version": "0.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-297", - "name": "stable_deref_trait", - "purl": "pkg:cargo/stable_deref_trait@1.1.1", - "type": "library", - "version": "1.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-298", - "name": "string", - "purl": "pkg:cargo/string@0.2.1", - "type": "library", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-299", - "name": "strsim", - "purl": "pkg:cargo/strsim@0.8.0", - "type": "library", - "version": "0.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-300", - "name": "syn", - "purl": "pkg:cargo/syn@0.15.39", - "type": "library", - "version": "0.15.39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-301", - "name": "synstructure", - "purl": "pkg:cargo/synstructure@0.10.2", - "type": "library", - "version": "0.10.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-302", - "name": "tempfile", - "purl": "pkg:cargo/tempfile@3.1.0", - "type": "library", - "version": "3.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-303", - "name": "termion", - "purl": "pkg:cargo/termion@1.5.3", - "type": "library", - "version": "1.5.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-304", - "name": "textwrap", - "purl": "pkg:cargo/textwrap@0.11.0", - "type": "library", - "version": "0.11.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-305", - "name": "thread_local", - "purl": "pkg:cargo/thread_local@0.3.6", - "type": "library", - "version": "0.3.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-306", - "name": "time", - "purl": "pkg:cargo/time@0.1.42", - "type": "library", - "version": "0.1.42", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-307", - "name": "tokio", - "purl": "pkg:cargo/tokio@0.1.22", - "type": "library", - "version": "0.1.22", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - } - ] - }, - { - "bom-ref": "comp-308", - "name": "tokio-buf", - "purl": "pkg:cargo/tokio-buf@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-309", - "name": "tokio-current-thread", - "purl": "pkg:cargo/tokio-current-thread@0.1.6", - "type": "library", - "version": "0.1.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-310", - "name": "tokio-executor", - "purl": "pkg:cargo/tokio-executor@0.1.8", - "type": "library", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-311", - "name": "tokio-io", - "purl": "pkg:cargo/tokio-io@0.1.12", - "type": "library", - "version": "0.1.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-312", - "name": "tokio-reactor", - "purl": "pkg:cargo/tokio-reactor@0.1.9", - "type": "library", - "version": "0.1.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-313", - "name": "tokio-sync", - "purl": "pkg:cargo/tokio-sync@0.1.6", - "type": "library", - "version": "0.1.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-314", - "name": "tokio-tcp", - "purl": "pkg:cargo/tokio-tcp@0.1.3", - "type": "library", - "version": "0.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-315", - "name": "tokio-threadpool", - "purl": "pkg:cargo/tokio-threadpool@0.1.15", - "type": "library", - "version": "0.1.15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-316", - "name": "tokio-timer", - "purl": "pkg:cargo/tokio-timer@0.2.11", - "type": "library", - "version": "0.2.11", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-317", - "name": "try-lock", - "purl": "pkg:cargo/try-lock@0.2.2", - "type": "library", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-318", - "name": "try_from", - "purl": "pkg:cargo/try_from@0.3.2", - "type": "library", - "version": "0.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-319", - "name": "ucd-util", - "purl": "pkg:cargo/ucd-util@0.1.3", - "type": "library", - "version": "0.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-320", - "name": "unicase", - "purl": "pkg:cargo/unicase@1.4.2", - "type": "library", - "version": "1.4.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-321", - "name": "unicase", - "purl": "pkg:cargo/unicase@2.4.0", - "type": "library", - "version": "2.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-322", - "name": "unicode-bidi", - "purl": "pkg:cargo/unicode-bidi@0.3.4", - "type": "library", - "version": "0.3.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-323", - "name": "unicode-normalization", - "purl": "pkg:cargo/unicode-normalization@0.1.8", - "type": "library", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-324", - "name": "unicode-width", - "purl": "pkg:cargo/unicode-width@0.1.5", - "type": "library", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-325", - "name": "unicode-xid", - "purl": "pkg:cargo/unicode-xid@0.1.0", - "type": "library", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-326", - "name": "url", - "purl": "pkg:cargo/url@1.7.2", - "type": "library", - "version": "1.7.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-327", - "name": "utf8-ranges", - "purl": "pkg:cargo/utf8-ranges@1.0.3", - "type": "library", - "version": "1.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-328", - "name": "uuid", - "purl": "pkg:cargo/uuid@0.7.4", - "type": "library", - "version": "0.7.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-329", - "name": "vcpkg", - "purl": "pkg:cargo/vcpkg@0.2.7", - "type": "library", - "version": "0.2.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-330", - "name": "vec_map", - "purl": "pkg:cargo/vec_map@0.8.1", - "type": "library", - "version": "0.8.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-331", - "name": "version_check", - "purl": "pkg:cargo/version_check@0.1.5", - "type": "library", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-332", - "name": "want", - "purl": "pkg:cargo/want@0.2.0", - "type": "library", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-333", - "name": "winapi", - "purl": "pkg:cargo/winapi@0.2.8", - "type": "library", - "version": "0.2.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-334", - "name": "winapi", - "purl": "pkg:cargo/winapi@0.3.7", - "type": "library", - "version": "0.3.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-335", - "name": "winapi-build", - "purl": "pkg:cargo/winapi-build@0.1.1", - "type": "library", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-336", - "name": "winapi-i686-pc-windows-gnu", - "purl": "pkg:cargo/winapi-i686-pc-windows-gnu@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-337", - "name": "winapi-x86_64-pc-windows-gnu", - "purl": "pkg:cargo/winapi-x86_64-pc-windows-gnu@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-338", - "name": "ws2_32-sys", - "purl": "pkg:cargo/ws2_32-sys@0.2.1", - "type": "library", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargolock/Cargo.lock" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-339", - "name": "wait-timeout", - "purl": "pkg:cargo/wait-timeout@0.2.0", - "type": "library", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargotoml/wait-timeout-0.2.0/Cargo.toml" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-340", - "name": "want", - "purl": "pkg:cargo/want@0.2.0", - "type": "library", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargotoml/want-0.2.0/Cargo.toml" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-341", - "name": "winnow", - "purl": "pkg:cargo/winnow@0.4.1", - "type": "library", - "version": "0.4.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargotoml/winnow-0.4.1/Cargo.toml" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-342", - "name": "zeroize", - "purl": "pkg:cargo/zeroize@1.6.0", - "type": "library", - "version": "1.6.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/rust/cargotoml/zeroize-1.6.0/Cargo.toml" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-343", - "name": "CFPropertyList", - "purl": "pkg:gem/CFPropertyList@2.3.6", - "type": "library", - "version": "2.3.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/ruby/gems/2.6.0/gems/CFPropertyList-2.3.6" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-344", - "name": "libxml-ruby", - "purl": "pkg:gem/libxml-ruby@3.2.1", - "type": "library", - "version": "3.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/ruby/gems/2.6.0/gems/libxml-ruby-3.2.1" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-345", - "name": "mini_portile2", - "purl": "pkg:gem/mini_portile2@2.8.0", - "type": "library", - "version": "2.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/ruby/gems/2.6.0/gems/mini_portile2-2.8.0" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-346", - "name": "nokogiri", - "purl": "pkg:gem/nokogiri@1.13.8", - "type": "library", - "version": "1.13.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/ruby/gems/2.6.0/gems/nokogiri-1.13.8" - } - ] - }, - { - "bom-ref": "comp-347", - "name": "sqlite3", - "purl": "pkg:gem/sqlite3@1.3.13", - "type": "library", - "version": "1.3.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/ruby/gems/2.6.0/gems/sqlite3-1.3.13" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-348", - "name": "CFPropertyList", - "purl": "pkg:gem/CFPropertyList@2.3.6", - "type": "library", - "version": "2.3.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/lib/ruby/gems/2.6.0/gems/CFPropertyList-2.3.6" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-349", - "name": "libxml-ruby", - "purl": "pkg:gem/libxml-ruby@3.2.1", - "type": "library", - "version": "3.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/lib/ruby/gems/2.6.0/gems/libxml-ruby-3.2.1" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-350", - "name": "mini_portile2", - "purl": "pkg:gem/mini_portile2@2.8.0", - "type": "library", - "version": "2.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/lib/ruby/gems/2.6.0/gems/mini_portile2-2.8.0" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-351", - "name": "nokogiri", - "purl": "pkg:gem/nokogiri@1.13.8", - "type": "library", - "version": "1.13.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/lib/ruby/gems/2.6.0/gems/nokogiri-1.13.8" - } - ] - }, - { - "bom-ref": "comp-352", - "name": "sqlite3", - "purl": "pkg:gem/sqlite3@1.3.13", - "type": "library", - "version": "1.3.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/lib/ruby/gems/2.6.0/gems/sqlite3-1.3.13" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-353", - "name": "bigdecimal", - "purl": "pkg:gem/bigdecimal@3.1.3", - "type": "library", - "version": "3.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/share/gems/gems/bigdecimal-3.1.3" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-354", - "name": "io-console", - "purl": "pkg:gem/io-console@0.6.0", - "type": "library", - "version": "0.6.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/ruby/usr/share/gems/gems/io-console-0.6.0" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-355", - "name": "%40nodelib/fs.scandir", - "purl": "pkg:npm/%40nodelib/fs.scandir@2.1.5", - "type": "library", - "version": "2.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/javascript/nodejs/node_modules/@nodelib/fs.scandir/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-356", - "name": "%40nodelib/fs.stat", - "purl": "pkg:npm/%40nodelib/fs.stat@2.0.5", - "type": "library", - "version": "2.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/javascript/nodejs/node_modules/@nodelib/fs.stat/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-357", - "name": "%40nodelib/fs.walk", - "purl": "pkg:npm/%40nodelib/fs.walk@1.2.8", - "type": "library", - "version": "1.2.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/javascript/nodejs/node_modules/@nodelib/fs.walk/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-358", - "name": "arrify", - "purl": "pkg:npm/arrify@2.0.1?private=true", - "type": "library", - "version": "2.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/javascript/nodejs/node_modules/arrify/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: marked as private." - } - ] - }, - { - "bom-ref": "comp-359", - "name": "yargs", - "purl": "pkg:npm/yargs@16.2.0", - "type": "library", - "version": "16.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/javascript/nodejs/node_modules/yargs/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-360", - "name": "%40nodelib/fs.scandir", - "purl": "pkg:npm/%40nodelib/fs.scandir@2.1.5", - "type": "library", - "version": "2.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nodejs/node_modules/@nodelib/fs.scandir/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-361", - "name": "%40nodelib/fs.stat", - "purl": "pkg:npm/%40nodelib/fs.stat@2.0.5", - "type": "library", - "version": "2.0.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nodejs/node_modules/@nodelib/fs.stat/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-362", - "name": "%40nodelib/fs.walk", - "purl": "pkg:npm/%40nodelib/fs.walk@1.2.8", - "type": "library", - "version": "1.2.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nodejs/node_modules/@nodelib/fs.walk/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-363", - "name": "arrify", - "purl": "pkg:npm/arrify@2.0.1?private=true", - "type": "library", - "version": "2.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nodejs/node_modules/arrify/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: marked as private." - } - ] - }, - { - "bom-ref": "comp-364", - "name": "yargs", - "purl": "pkg:npm/yargs@16.2.0", - "type": "library", - "version": "16.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/nodejs/node_modules/yargs/package.json" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-365", - "name": "atomicwrites", - "purl": "pkg:pypi/atomicwrites@1.4.1", - "type": "library", - "version": "1.4.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-366", - "name": "attrs", - "purl": "pkg:pypi/attrs@21.4.0", - "type": "library", - "version": "21.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-367", - "name": "colorama", - "purl": "pkg:pypi/colorama@0.4.5", - "type": "library", - "version": "0.4.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-368", - "name": "coverage", - "purl": "pkg:pypi/coverage@5.5", - "type": "library", - "version": "5.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-369", - "name": "importlib-metadata", - "purl": "pkg:pypi/importlib-metadata@4.12.0", - "type": "library", - "version": "4.12.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-370", - "name": "iniconfig", - "purl": "pkg:pypi/iniconfig@1.1.1", - "type": "library", - "version": "1.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-371", - "name": "packaging", - "purl": "pkg:pypi/packaging@21.3", - "type": "library", - "version": "21.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-372", - "name": "pluggy", - "purl": "pkg:pypi/pluggy@1.0.0", - "type": "library", - "version": "1.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-373", - "name": "py", - "purl": "pkg:pypi/py@1.11.0", - "type": "library", - "version": "1.11.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - } - ] - }, - { - "bom-ref": "comp-374", - "name": "pyparsing", - "purl": "pkg:pypi/pyparsing@3.0.9", - "type": "library", - "version": "3.0.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-375", - "name": "pytest", - "purl": "pkg:pypi/pytest@7.1.2", - "type": "library", - "version": "7.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-376", - "name": "pytest-cov", - "purl": "pkg:pypi/pytest-cov@2.12.1", - "type": "library", - "version": "2.12.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-377", - "name": "toml", - "purl": "pkg:pypi/toml@0.10.2", - "type": "library", - "version": "0.10.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-378", - "name": "tomli", - "purl": "pkg:pypi/tomli@2.0.1", - "type": "library", - "version": "2.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-379", - "name": "typing-extensions", - "purl": "pkg:pypi/typing-extensions@4.3.0", - "type": "library", - "version": "4.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-380", - "name": "wheel", - "purl": "pkg:pypi/wheel@0.38.1", - "type": "library", - "version": "0.38.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-381", - "name": "zipp", - "purl": "pkg:pypi/zipp@3.8.0", - "type": "library", - "version": "3.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev-lock.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-382", - "name": "wheel", - "purl": "pkg:pypi/wheel@0.38.1", - "type": "library", - "version": "0.38.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-383", - "name": "coverage", - "purl": "pkg:pypi/coverage@5.5", - "type": "library", - "version": "5.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-384", - "name": "pytest", - "purl": "pkg:pypi/pytest@7.1.2", - "type": "library", - "version": "7.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-385", - "name": "pytest-cov", - "purl": "pkg:pypi/pytest-cov@2.12.1", - "type": "library", - "version": "2.12.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-386", - "name": "atomicwrites", - "purl": "pkg:pypi/atomicwrites@1.0", - "type": "library", - "version": "1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-dev.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-387", - "name": "markupsafe", - "purl": "pkg:pypi/markupsafe@1.1", - "type": "library", - "version": "1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-docs.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-388", - "name": "jinja2", - "purl": "pkg:pypi/jinja2@2.3", - "type": "library", - "version": "2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-docs.txt" - } - ] - }, - { - "bom-ref": "comp-389", - "name": "Sphinx", - "purl": "pkg:pypi/Sphinx@1.1.3", - "type": "library", - "version": "1.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-docs.txt" - } - ] - }, - { - "bom-ref": "comp-390", - "name": "docutils", - "purl": "pkg:pypi/docutils@0.10", - "type": "library", - "version": "0.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-docs.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-391", - "name": "guzzle_sphinx_theme", - "purl": "pkg:pypi/guzzle_sphinx_theme@0.7.10", - "type": "library", - "version": "0.7.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements-docs.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-392", - "name": "aiohttp-jinja2", - "purl": "pkg:pypi/aiohttp-jinja2@1.5.0", - "type": "library", - "version": "1.5.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-393", - "name": "aiohttp", - "purl": "pkg:pypi/aiohttp@3.8.1", - "type": "library", - "version": "3.8.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-394", - "name": "aiohttp_session", - "purl": "pkg:pypi/aiohttp_session@2.9.0", - "type": "library", - "version": "2.9.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-395", - "name": "aiohttp-security", - "purl": "pkg:pypi/aiohttp-security@0.4.0", - "type": "library", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-396", - "name": "aiohttp-apispec", - "purl": "pkg:pypi/aiohttp-apispec@2.2.3", - "type": "library", - "version": "2.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-397", - "name": "jinja2", - "purl": "pkg:pypi/jinja2@3.0.3", - "type": "library", - "version": "3.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-398", - "name": "pyyaml", - "purl": "pkg:pypi/pyyaml@5.1", - "type": "library", - "version": "5.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-399", - "name": "cryptography", - "purl": "pkg:pypi/cryptography@3.2", - "type": "library", - "version": "3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-400", - "name": "websockets", - "purl": "pkg:pypi/websockets@10.3", - "type": "library", - "version": "10.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-401", - "name": "Sphinx", - "purl": "pkg:pypi/Sphinx@5.1.1", - "type": "library", - "version": "5.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-402", - "name": "docutils", - "purl": "pkg:pypi/docutils@0.16", - "type": "library", - "version": "0.16", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-403", - "name": "sphinx_rtd_theme", - "purl": "pkg:pypi/sphinx_rtd_theme@0.4.3", - "type": "library", - "version": "0.4.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-404", - "name": "myst-parser", - "purl": "pkg:pypi/myst-parser@0.18.0", - "type": "library", - "version": "0.18.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-405", - "name": "marshmallow", - "purl": "pkg:pypi/marshmallow@3.5.1", - "type": "library", - "version": "3.5.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-406", - "name": "dirhash", - "purl": "pkg:pypi/dirhash@0.2.0", - "type": "library", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-407", - "name": "docker", - "purl": "pkg:pypi/docker@4.2.0", - "type": "library", - "version": "4.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-408", - "name": "donut-shellcode", - "purl": "pkg:pypi/donut-shellcode@0.9.2", - "type": "library", - "version": "0.9.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-409", - "name": "marshmallow-enum", - "purl": "pkg:pypi/marshmallow-enum@1.5.1", - "type": "library", - "version": "1.5.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-410", - "name": "ldap3", - "purl": "pkg:pypi/ldap3@2.8.1", - "type": "library", - "version": "2.8.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-411", - "name": "lxml", - "purl": "pkg:pypi/lxml@4.9.1", - "type": "library", - "version": "4.9.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-412", - "name": "reportlab", - "purl": "pkg:pypi/reportlab@3.5.67", - "type": "library", - "version": "3.5.67", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-413", - "name": "svglib", - "purl": "pkg:pypi/svglib@1.0.1", - "type": "library", - "version": "1.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-414", - "name": "Markdown", - "purl": "pkg:pypi/Markdown@3.3.3", - "type": "library", - "version": "3.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-415", - "name": "dnspython", - "purl": "pkg:pypi/dnspython@2.1.0", - "type": "library", - "version": "2.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-416", - "name": "asyncssh", - "purl": "pkg:pypi/asyncssh@2.11.0", - "type": "library", - "version": "2.11.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - } - ] - }, - { - "bom-ref": "comp-417", - "name": "aioftp%7E%3D0.20.0%3B python_version ", - "purl": "pkg:pypi/aioftp%7E%3D0.20.0%3B%20python_version%20@3.7", - "type": "library", - "version": "3.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-418", - "name": "aioftp", - "purl": "pkg:pypi/aioftp@0.16.1", - "type": "library", - "version": "0.16.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_caldera.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-419", - "name": "pytest", - "purl": "pkg:pypi/pytest@2.8.0", - "type": "library", - "version": "2.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_requests.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-420", - "name": "pytest-httpbin", - "purl": "pkg:pypi/pytest-httpbin@1.0.0", - "type": "library", - "version": "1.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_requests.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-421", - "name": "pytest-mock", - "purl": "pkg:pypi/pytest-mock@2.0.0", - "type": "library", - "version": "2.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_requests.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-422", - "name": "httpbin", - "purl": "pkg:pypi/httpbin@0.7.0", - "type": "library", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/proglang/python/pip/requirements_requests.txt" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-423", - "name": "testRustBinary", - "type": "application", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no purl provided." - } - ] - }, - { - "bom-ref": "comp-424", - "name": "adler32", - "purl": "pkg:cargo/adler32@1.0.3", - "type": "application", - "version": "1.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-425", - "name": "aho-corasick", - "purl": "pkg:cargo/aho-corasick@0.7.4", - "type": "application", - "version": "0.7.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-426", - "name": "ansi_term", - "purl": "pkg:cargo/ansi_term@0.11.0", - "type": "application", - "version": "0.11.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-427", - "name": "arrayvec", - "purl": "pkg:cargo/arrayvec@0.4.10", - "type": "application", - "version": "0.4.10", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-428", - "name": "atty", - "purl": "pkg:cargo/atty@0.2.11", - "type": "application", - "version": "0.2.11" - }, - { - "bom-ref": "comp-429", - "name": "autocfg", - "purl": "pkg:cargo/autocfg@0.1.4", - "type": "application", - "version": "0.1.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-430", - "name": "backtrace", - "purl": "pkg:cargo/backtrace@0.3.32", - "type": "application", - "version": "0.3.32", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-431", - "name": "backtrace-sys", - "purl": "pkg:cargo/backtrace-sys@0.1.30", - "type": "application", - "version": "0.1.30", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-432", - "name": "base64", - "purl": "pkg:cargo/base64@0.10.1", - "type": "application", - "version": "0.10.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-433", - "name": "bitflags", - "purl": "pkg:cargo/bitflags@1.1.0", - "type": "application", - "version": "1.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-434", - "name": "byteorder", - "purl": "pkg:cargo/byteorder@1.3.2", - "type": "application", - "version": "1.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-435", - "name": "bytes", - "purl": "pkg:cargo/bytes@0.4.12", - "type": "application", - "version": "0.4.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-436", - "name": "c2-chacha", - "purl": "pkg:cargo/c2-chacha@0.2.2", - "type": "application", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-437", - "name": "cargo-example", - "purl": "pkg:cargo/cargo-example@0.2.1", - "type": "application", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-438", - "name": "cc", - "purl": "pkg:cargo/cc@1.0.37", - "type": "application", - "version": "1.0.37", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-439", - "name": "cfg-if", - "purl": "pkg:cargo/cfg-if@0.1.9", - "type": "application", - "version": "0.1.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-440", - "name": "clap", - "purl": "pkg:cargo/clap@2.33.0", - "type": "application", - "version": "2.33.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-441", - "name": "cookie", - "purl": "pkg:cargo/cookie@0.12.0", - "type": "application", - "version": "0.12.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-442", - "name": "cookie_store", - "purl": "pkg:cargo/cookie_store@0.7.0", - "type": "application", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-443", - "name": "core-foundation", - "purl": "pkg:cargo/core-foundation@0.6.4", - "type": "application", - "version": "0.6.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-444", - "name": "core-foundation-sys", - "purl": "pkg:cargo/core-foundation-sys@0.6.2", - "type": "application", - "version": "0.6.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-445", - "name": "crc32fast", - "purl": "pkg:cargo/crc32fast@1.2.0", - "type": "application", - "version": "1.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-446", - "name": "crossbeam-deque", - "purl": "pkg:cargo/crossbeam-deque@0.7.1", - "type": "application", - "version": "0.7.1" - }, - { - "bom-ref": "comp-447", - "name": "crossbeam-epoch", - "purl": "pkg:cargo/crossbeam-epoch@0.7.1", - "type": "application", - "version": "0.7.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-448", - "name": "crossbeam-queue", - "purl": "pkg:cargo/crossbeam-queue@0.1.2", - "type": "application", - "version": "0.1.2" - }, - { - "bom-ref": "comp-449", - "name": "crossbeam-utils", - "purl": "pkg:cargo/crossbeam-utils@0.6.5", - "type": "application", - "version": "0.6.5" - }, - { - "bom-ref": "comp-450", - "name": "dtoa", - "purl": "pkg:cargo/dtoa@0.4.4", - "type": "application", - "version": "0.4.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-451", - "name": "either", - "purl": "pkg:cargo/either@1.5.2", - "type": "application", - "version": "1.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-452", - "name": "encoding_rs", - "purl": "pkg:cargo/encoding_rs@0.8.17", - "type": "application", - "version": "0.8.17", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-453", - "name": "error-chain", - "purl": "pkg:cargo/error-chain@0.12.1", - "type": "application", - "version": "0.12.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-454", - "name": "failure", - "purl": "pkg:cargo/failure@0.1.5", - "type": "application", - "version": "0.1.5" - }, - { - "bom-ref": "comp-455", - "name": "failure_derive", - "purl": "pkg:cargo/failure_derive@0.1.5", - "type": "application", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-456", - "name": "flate2", - "purl": "pkg:cargo/flate2@1.0.9", - "type": "application", - "version": "1.0.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-457", - "name": "fnv", - "purl": "pkg:cargo/fnv@1.0.6", - "type": "application", - "version": "1.0.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-458", - "name": "futures", - "purl": "pkg:cargo/futures@0.1.28", - "type": "application", - "version": "0.1.28", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-459", - "name": "futures-cpupool", - "purl": "pkg:cargo/futures-cpupool@0.1.8", - "type": "application", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-460", - "name": "getrandom", - "purl": "pkg:cargo/getrandom@0.1.6", - "type": "application", - "version": "0.1.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-461", - "name": "git2", - "purl": "pkg:cargo/git2@0.9.1", - "type": "application", - "version": "0.9.1" - }, - { - "bom-ref": "comp-462", - "name": "h2", - "purl": "pkg:cargo/h2@0.1.25", - "type": "application", - "version": "0.1.25" - }, - { - "bom-ref": "comp-463", - "name": "http", - "purl": "pkg:cargo/http@0.1.17", - "type": "application", - "version": "0.1.17" - }, - { - "bom-ref": "comp-464", - "name": "http-body", - "purl": "pkg:cargo/http-body@0.1.0", - "type": "application", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-465", - "name": "httparse", - "purl": "pkg:cargo/httparse@1.3.4", - "type": "application", - "version": "1.3.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-466", - "name": "hyper", - "purl": "pkg:cargo/hyper@0.12.31", - "type": "application", - "version": "0.12.31" - }, - { - "bom-ref": "comp-467", - "name": "hyper-tls", - "purl": "pkg:cargo/hyper-tls@0.3.2", - "type": "application", - "version": "0.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-468", - "name": "idna", - "purl": "pkg:cargo/idna@0.1.5", - "type": "application", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-469", - "name": "indexmap", - "purl": "pkg:cargo/indexmap@1.0.2", - "type": "application", - "version": "1.0.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-470", - "name": "iovec", - "purl": "pkg:cargo/iovec@0.1.2", - "type": "application", - "version": "0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-471", - "name": "itoa", - "purl": "pkg:cargo/itoa@0.4.4", - "type": "application", - "version": "0.4.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-472", - "name": "lazy_static", - "purl": "pkg:cargo/lazy_static@1.3.0", - "type": "application", - "version": "1.3.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-473", - "name": "libc", - "purl": "pkg:cargo/libc@0.2.58", - "type": "application", - "version": "0.2.58", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-474", - "name": "libgit2-sys", - "purl": "pkg:cargo/libgit2-sys@0.8.1", - "type": "application", - "version": "0.8.1" - }, - { - "bom-ref": "comp-475", - "name": "libssh2-sys", - "purl": "pkg:cargo/libssh2-sys@0.2.11", - "type": "application", - "version": "0.2.11", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-476", - "name": "libz-sys", - "purl": "pkg:cargo/libz-sys@1.0.25", - "type": "application", - "version": "1.0.25", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-477", - "name": "lock_api", - "purl": "pkg:cargo/lock_api@0.1.5", - "type": "application", - "version": "0.1.5" - }, - { - "bom-ref": "comp-478", - "name": "log", - "purl": "pkg:cargo/log@0.4.6", - "type": "application", - "version": "0.4.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-479", - "name": "matches", - "purl": "pkg:cargo/matches@0.1.8", - "type": "application", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-480", - "name": "memchr", - "purl": "pkg:cargo/memchr@2.2.0", - "type": "application", - "version": "2.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-481", - "name": "memoffset", - "purl": "pkg:cargo/memoffset@0.2.1", - "type": "application", - "version": "0.2.1" - }, - { - "bom-ref": "comp-482", - "name": "mime", - "purl": "pkg:cargo/mime@0.3.13", - "type": "application", - "version": "0.3.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-483", - "name": "mime_guess", - "purl": "pkg:cargo/mime_guess@2.0.0-alpha.6", - "type": "application", - "version": "2.0.0-alpha.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-484", - "name": "miniz_oxide", - "purl": "pkg:cargo/miniz_oxide@0.2.2", - "type": "application", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-485", - "name": "miniz_oxide_c_api", - "purl": "pkg:cargo/miniz_oxide_c_api@0.2.2", - "type": "application", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-486", - "name": "mio", - "purl": "pkg:cargo/mio@0.6.19", - "type": "application", - "version": "0.6.19", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-487", - "name": "native-tls", - "purl": "pkg:cargo/native-tls@0.2.3", - "type": "application", - "version": "0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-488", - "name": "net2", - "purl": "pkg:cargo/net2@0.2.33", - "type": "application", - "version": "0.2.33" - }, - { - "bom-ref": "comp-489", - "name": "nodrop", - "purl": "pkg:cargo/nodrop@0.1.13", - "type": "application", - "version": "0.1.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-490", - "name": "num_cpus", - "purl": "pkg:cargo/num_cpus@1.10.1", - "type": "application", - "version": "1.10.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-491", - "name": "openssl-sys", - "purl": "pkg:cargo/openssl-sys@0.9.47", - "type": "application", - "version": "0.9.47", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-492", - "name": "owning_ref", - "purl": "pkg:cargo/owning_ref@0.4.0", - "type": "application", - "version": "0.4.0" - }, - { - "bom-ref": "comp-493", - "name": "parking_lot", - "purl": "pkg:cargo/parking_lot@0.7.1", - "type": "application", - "version": "0.7.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-494", - "name": "parking_lot_core", - "purl": "pkg:cargo/parking_lot_core@0.4.0", - "type": "application", - "version": "0.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-495", - "name": "percent-encoding", - "purl": "pkg:cargo/percent-encoding@1.0.1", - "type": "application", - "version": "1.0.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-496", - "name": "phf", - "purl": "pkg:cargo/phf@0.7.24", - "type": "application", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-497", - "name": "phf_codegen", - "purl": "pkg:cargo/phf_codegen@0.7.24", - "type": "application", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-498", - "name": "phf_generator", - "purl": "pkg:cargo/phf_generator@0.7.24", - "type": "application", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-499", - "name": "phf_shared", - "purl": "pkg:cargo/phf_shared@0.7.24", - "type": "application", - "version": "0.7.24", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-500", - "name": "pkg-config", - "purl": "pkg:cargo/pkg-config@0.3.14", - "type": "application", - "version": "0.3.14", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-501", - "name": "ppv-lite86", - "purl": "pkg:cargo/ppv-lite86@0.2.5", - "type": "application", - "version": "0.2.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-502", - "name": "proc-macro2", - "purl": "pkg:cargo/proc-macro2@0.4.30", - "type": "application", - "version": "0.4.30", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-503", - "name": "publicsuffix", - "purl": "pkg:cargo/publicsuffix@1.5.2", - "type": "application", - "version": "1.5.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-504", - "name": "quote", - "purl": "pkg:cargo/quote@0.6.12", - "type": "application", - "version": "0.6.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-505", - "name": "rand", - "purl": "pkg:cargo/rand@0.6.5", - "type": "application", - "version": "0.6.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-506", - "name": "rand", - "purl": "pkg:cargo/rand@0.7.0", - "type": "application", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-507", - "name": "rand_chacha", - "purl": "pkg:cargo/rand_chacha@0.1.1", - "type": "application", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-508", - "name": "rand_chacha", - "purl": "pkg:cargo/rand_chacha@0.2.0", - "type": "application", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-509", - "name": "rand_core", - "purl": "pkg:cargo/rand_core@0.3.1", - "type": "application", - "version": "0.3.1" - }, - { - "bom-ref": "comp-510", - "name": "rand_core", - "purl": "pkg:cargo/rand_core@0.4.0", - "type": "application", - "version": "0.4.0" - }, - { - "bom-ref": "comp-511", - "name": "rand_core", - "purl": "pkg:cargo/rand_core@0.5.0", - "type": "application", - "version": "0.5.0" - }, - { - "bom-ref": "comp-512", - "name": "rand_hc", - "purl": "pkg:cargo/rand_hc@0.1.0", - "type": "application", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-513", - "name": "rand_isaac", - "purl": "pkg:cargo/rand_isaac@0.1.1", - "type": "application", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-514", - "name": "rand_jitter", - "purl": "pkg:cargo/rand_jitter@0.1.4", - "type": "application", - "version": "0.1.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-515", - "name": "rand_os", - "purl": "pkg:cargo/rand_os@0.1.3", - "type": "application", - "version": "0.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-516", - "name": "rand_pcg", - "purl": "pkg:cargo/rand_pcg@0.1.2", - "type": "application", - "version": "0.1.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-517", - "name": "rand_xorshift", - "purl": "pkg:cargo/rand_xorshift@0.1.1", - "type": "application", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-518", - "name": "regex", - "purl": "pkg:cargo/regex@1.1.8", - "type": "application", - "version": "1.1.8" - }, - { - "bom-ref": "comp-519", - "name": "regex-syntax", - "purl": "pkg:cargo/regex-syntax@0.6.7", - "type": "application", - "version": "0.6.7", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-520", - "name": "remove_dir_all", - "purl": "pkg:cargo/remove_dir_all@0.5.2", - "type": "application", - "version": "0.5.2" - }, - { - "bom-ref": "comp-521", - "name": "reqwest", - "purl": "pkg:cargo/reqwest@0.9.18", - "type": "application", - "version": "0.9.18", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-522", - "name": "rustc-demangle", - "purl": "pkg:cargo/rustc-demangle@0.1.15", - "type": "application", - "version": "0.1.15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-523", - "name": "rustc_version", - "purl": "pkg:cargo/rustc_version@0.2.3", - "type": "application", - "version": "0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-524", - "name": "ryu", - "purl": "pkg:cargo/ryu@1.0.0", - "type": "application", - "version": "1.0.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-525", - "name": "scopeguard", - "purl": "pkg:cargo/scopeguard@0.3.3", - "type": "application", - "version": "0.3.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-526", - "name": "security-framework", - "purl": "pkg:cargo/security-framework@0.3.1", - "type": "application", - "version": "0.3.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - }, - { - "bom-ref": "comp-527", - "name": "security-framework-sys", - "purl": "pkg:cargo/security-framework-sys@0.3.1", - "type": "application", - "version": "0.3.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-528", - "name": "semver", - "purl": "pkg:cargo/semver@0.9.0", - "type": "application", - "version": "0.9.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-529", - "name": "semver-parser", - "purl": "pkg:cargo/semver-parser@0.7.0", - "type": "application", - "version": "0.7.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-530", - "name": "serde", - "purl": "pkg:cargo/serde@1.0.94", - "type": "application", - "version": "1.0.94", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-531", - "name": "serde_derive", - "purl": "pkg:cargo/serde_derive@1.0.94", - "type": "application", - "version": "1.0.94", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-532", - "name": "serde_json", - "purl": "pkg:cargo/serde_json@1.0.40", - "type": "application", - "version": "1.0.40", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-533", - "name": "serde_urlencoded", - "purl": "pkg:cargo/serde_urlencoded@0.5.5", - "type": "application", - "version": "0.5.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-534", - "name": "siphasher", - "purl": "pkg:cargo/siphasher@0.2.3", - "type": "application", - "version": "0.2.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-535", - "name": "slab", - "purl": "pkg:cargo/slab@0.4.2", - "type": "application", - "version": "0.4.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-536", - "name": "smallvec", - "purl": "pkg:cargo/smallvec@0.6.10", - "type": "application", - "version": "0.6.10" - }, - { - "bom-ref": "comp-537", - "name": "spin", - "purl": "pkg:cargo/spin@0.5.0", - "type": "application", - "version": "0.5.0" - }, - { - "bom-ref": "comp-538", - "name": "stable_deref_trait", - "purl": "pkg:cargo/stable_deref_trait@1.1.1", - "type": "application", - "version": "1.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-539", - "name": "string", - "purl": "pkg:cargo/string@0.2.1", - "type": "application", - "version": "0.2.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-540", - "name": "strsim", - "purl": "pkg:cargo/strsim@0.8.0", - "type": "application", - "version": "0.8.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-541", - "name": "syn", - "purl": "pkg:cargo/syn@0.15.39", - "type": "application", - "version": "0.15.39", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-542", - "name": "synstructure", - "purl": "pkg:cargo/synstructure@0.10.2", - "type": "application", - "version": "0.10.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-543", - "name": "tempfile", - "purl": "pkg:cargo/tempfile@3.1.0", - "type": "application", - "version": "3.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-544", - "name": "textwrap", - "purl": "pkg:cargo/textwrap@0.11.0", - "type": "application", - "version": "0.11.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-545", - "name": "thread_local", - "purl": "pkg:cargo/thread_local@0.3.6", - "type": "application", - "version": "0.3.6" - }, - { - "bom-ref": "comp-546", - "name": "time", - "purl": "pkg:cargo/time@0.1.42", - "type": "application", - "version": "0.1.42" - }, - { - "bom-ref": "comp-547", - "name": "tokio", - "purl": "pkg:cargo/tokio@0.1.22", - "type": "application", - "version": "0.1.22" - }, - { - "bom-ref": "comp-548", - "name": "tokio-buf", - "purl": "pkg:cargo/tokio-buf@0.1.1", - "type": "application", - "version": "0.1.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-549", - "name": "tokio-current-thread", - "purl": "pkg:cargo/tokio-current-thread@0.1.6", - "type": "application", - "version": "0.1.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-550", - "name": "tokio-executor", - "purl": "pkg:cargo/tokio-executor@0.1.8", - "type": "application", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-551", - "name": "tokio-io", - "purl": "pkg:cargo/tokio-io@0.1.12", - "type": "application", - "version": "0.1.12", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-552", - "name": "tokio-reactor", - "purl": "pkg:cargo/tokio-reactor@0.1.9", - "type": "application", - "version": "0.1.9", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-553", - "name": "tokio-sync", - "purl": "pkg:cargo/tokio-sync@0.1.6", - "type": "application", - "version": "0.1.6", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-554", - "name": "tokio-tcp", - "purl": "pkg:cargo/tokio-tcp@0.1.3", - "type": "application", - "version": "0.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-555", - "name": "tokio-threadpool", - "purl": "pkg:cargo/tokio-threadpool@0.1.15", - "type": "application", - "version": "0.1.15", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-556", - "name": "tokio-timer", - "purl": "pkg:cargo/tokio-timer@0.2.11", - "type": "application", - "version": "0.2.11", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-557", - "name": "try-lock", - "purl": "pkg:cargo/try-lock@0.2.2", - "type": "application", - "version": "0.2.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-558", - "name": "try_from", - "purl": "pkg:cargo/try_from@0.3.2", - "type": "application", - "version": "0.3.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-559", - "name": "ucd-util", - "purl": "pkg:cargo/ucd-util@0.1.3", - "type": "application", - "version": "0.1.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-560", - "name": "unicase", - "purl": "pkg:cargo/unicase@1.4.2", - "type": "application", - "version": "1.4.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-561", - "name": "unicase", - "purl": "pkg:cargo/unicase@2.4.0", - "type": "application", - "version": "2.4.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-562", - "name": "unicode-bidi", - "purl": "pkg:cargo/unicode-bidi@0.3.4", - "type": "application", - "version": "0.3.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-563", - "name": "unicode-normalization", - "purl": "pkg:cargo/unicode-normalization@0.1.8", - "type": "application", - "version": "0.1.8", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-564", - "name": "unicode-width", - "purl": "pkg:cargo/unicode-width@0.1.5", - "type": "application", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-565", - "name": "unicode-xid", - "purl": "pkg:cargo/unicode-xid@0.1.0", - "type": "application", - "version": "0.1.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-566", - "name": "url", - "purl": "pkg:cargo/url@1.7.2", - "type": "application", - "version": "1.7.2", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-567", - "name": "utf8-ranges", - "purl": "pkg:cargo/utf8-ranges@1.0.3", - "type": "application", - "version": "1.0.3", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-568", - "name": "uuid", - "purl": "pkg:cargo/uuid@0.7.4", - "type": "application", - "version": "0.7.4", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-569", - "name": "vec_map", - "purl": "pkg:cargo/vec_map@0.8.1", - "type": "application", - "version": "0.8.1", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-570", - "name": "version_check", - "purl": "pkg:cargo/version_check@0.1.5", - "type": "application", - "version": "0.1.5", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-571", - "name": "want", - "purl": "pkg:cargo/want@0.2.0", - "type": "application", - "version": "0.2.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-572", - "name": "testGoBinary", - "type": "application", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no purl provided." - } - ] - }, - { - "bom-ref": "comp-573", - "name": "github.com/fatih/color", - "purl": "pkg:golang/github.com/fatih/color@v1.15.0", - "type": "library", - "version": "v1.15.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/binaries/testGoBinary" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-574", - "name": "github.com/mattn/go-colorable", - "purl": "pkg:golang/github.com/mattn/go-colorable@v0.1.13", - "type": "library", - "version": "v0.1.13", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/binaries/testGoBinary" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-575", - "name": "github.com/mattn/go-isatty", - "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.20", - "type": "library", - "version": "v0.0.20", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/binaries/testGoBinary" - }, - { - "name": "amazon:inspector:sbom_scanner:warning", - "value": "Component skipped: no rules found." - } - ] - }, - { - "bom-ref": "comp-576", - "name": "golang.org/x/sys", - "purl": "pkg:golang/golang.org/x/sys@v0.13.0", - "type": "library", - "version": "v0.13.0", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:path", - "value": "testData/binaries/testGoBinary" - }, - { - "name": "amazon:inspector:sbom_scanner:info", - "value": "Component scanned: no vulnerabilities found." - } - ] - } - ], - "serialNumber": "urn:uuid:248d4cb0-d7be-4bc3-b945-be4d899d2772", - "bomFormat": "CycloneDX", - "vulnerabilities": [ - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2022-0040.html" - } - ], - "bom-ref": "vuln-1", - "ratings": [ - { - "severity": "medium", - "method": "other", - "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" - } - } - ], - "created": "2022-08-10T17:26:00Z", - "description": "- `OwningRef::map_with_owner` is [unsound](https://github.com/Kimundi/owning-ref-rs/issues/77) and may result in a use-after-free.\n- `OwningRef::map` is [unsound](https://github.com/Kimundi/owning-ref-rs/issues/71) and may result in a use-after-free.\n- `OwningRefMut::as_owner` and `OwningRefMut::as_owner_mut` are [unsound](https://github.com/Kimundi/owning-ref-rs/issues/61) and may result in a use-after-free.\n- The crate [violates Rust's aliasing rules](https://github.com/Kimundi/owning-ref-rs/issues/49), which may cause miscompilations on recent compilers that emit the LLVM `noalias` attribute.\n\nNo patched versions are available at this time. While a pull request with some fixes is outstanding, the maintainer appears to be unresponsive.\n", - "affects": [ - { - "ref": "comp-246" - }, - { - "ref": "comp-492" - } - ], - "id": "GHSA-9qxh-258v-666c", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-9qxh-258v-666c" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2022-08-10T17:26:00Z" - }, - { - "advisories": [ - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6678-1" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24577" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2496.html" - }, - { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-541.html" - }, - { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2024-566.html" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063416" - } - ], - "bom-ref": "vuln-2", - "references": [ - { - "id": "SNYK-RUST-LIBGIT2SYS-6249445", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-LIBGIT2SYS-6249445" - } - } - ], - "created": "2024-02-06T22:16:15Z", - "description": "libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.", - "affects": [ - { - "ref": "comp-224" - }, - { - "ref": "comp-474" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577" - }, - "cwes": [ - 119, - 122 - ], - "analysis": { - "state": "in_triage" - }, - "ratings": [ - { - "severity": "critical", - "score": 9.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24577" - } - }, - { - "severity": "none", - "score": 0.00229, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2024-24577", - "updated": "2024-02-27T10:15:08Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-224", - "value": "0.16.2+1.7.2" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-474", - "value": "0.16.2+1.7.2" - } - ] - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2018-0018.html" - } - ], - "bom-ref": "vuln-3", - "ratings": [ - { - "severity": "medium", - "method": "other", - "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" - } - } - ], - "created": "2021-08-25T21:00:25Z", - "description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.\n", - "affects": [ - { - "ref": "comp-295" - }, - { - "ref": "comp-536" - } - ], - "id": "GHSA-66p5-j55p-32r9", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-66p5-j55p-32r9" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2021-08-06T16:36:54Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-295", - "value": "0.6.13" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-536", - "value": "0.6.13" - } - ] - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2020-0078.html" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976870" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35919" - } - ], - "bom-ref": "vuln-4", - "references": [ - { - "id": "RUSTSEC-2020-0078", - "source": { - "name": "RUST_SEC_ADVISORY", - "url": "https://github.com/RustSec/advisory-db/tree/master/crates/net2/RUSTSEC-2020-0078.md" - } - }, - { - "id": "GHSA-c79c-gwph-gqfm", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-c79c-gwph-gqfm" - } - } - ], - "ratings": [ - { - "severity": "none", - "score": 0.00044, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35919" - } - } - ], - "created": "2020-12-31T09:15:15Z", - "description": "An issue was discovered in the net2 crate before 0.2.36 for Rust. It has false expectations about the std::net::SocketAddr memory representation.", - "affects": [ - { - "ref": "comp-488" - }, - { - "ref": "comp-239" - } - ], - "id": "CVE-2020-35919", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35919" - }, - "analysis": { - "state": "exploitable" - }, - "updated": "2021-01-06T19:26:44Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-12T19:57:36Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-488", - "value": "0.2.36" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-239", - "value": "0.2.36" - } - ] - }, - { - "advisories": [ - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ME34ROZWMDK5KLMZKTSA422XVJZ7IMTE/" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056000" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46445" - } - ], - "bom-ref": "vuln-5", - "references": [ - { - "id": "GHSA-cfc2-wr2v-gxm5", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-cfc2-wr2v-gxm5" - } - }, - { - "id": "SNYK-PYTHON-ASYNCSSH-6054436", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-ASYNCSSH-6054436" - } - } - ], - "created": "2023-11-14T03:15:09Z", - "description": "An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a \"Rogue Extension Negotiation.\"", - "affects": [ - { - "ref": "comp-416" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46445" - }, - "cwes": [ - 345 - ], - "analysis": { - "state": "exploitable" - }, - "ratings": [ - { - "severity": "none", - "score": 0.00074, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "medium", - "score": 5.9, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46445" - } - } - ], - "id": "CVE-2023-46445", - "updated": "2023-12-22T20:15:07Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-10T00:18:32Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-416", - "value": "2.14.1" - } - ] - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2024-0003.html" - } - ], - "bom-ref": "vuln-6", - "ratings": [ - { - "severity": "medium", - "method": "other", - "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" - } - } - ], - "created": "2024-01-19T15:24:56Z", - "description": "An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the\ngeneration of reset frames on the victim endpoint.\nBy closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,\nresulting in Out Of Memory (OOM) and high CPU usage.\n\nThis fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of\ninternal error resets emitted by default before the connection is closed.\n", - "affects": [ - { - "ref": "comp-211" - }, - { - "ref": "comp-462" - } - ], - "id": "GHSA-8r5v-vm4m-4g25", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-8r5v-vm4m-4g25" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2024-01-19T15:24:56Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-211", - "value": "0.3.24" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-462", - "value": "0.3.24" - } - ] - }, - { - "bom-ref": "vuln-7", - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-HTTP-541418" - } - } - ], - "created": "2020-01-09T17:41:00Z", - "description": "\n\n\n## Amendment\nThis issue was found to be a duplicate.\nThe original vulnerability with details can be found [here](https://security.snyk.io/vuln/SNYK-RUST-HTTP-541330).", - "affects": [ - { - "ref": "comp-212" - }, - { - "ref": "comp-463" - } - ], - "id": "SNYK-RUST-HTTP-541418", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-HTTP-541418" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2021-04-12T08:43:00Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-212", - "value": "0.1.20" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-463", - "value": "0.1.20" - } - ] - }, - { - "advisories": [ - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6754de4a121ec7f261b16723180df6592cbb4508" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4bfac4471f53c4f74c8d81020beb938f92d84ca5" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a632d534c73eeb3e3db8c7540d811194ef7c79ff" - }, - { - "url": "https://www.openssl.org/news/secadv/20230908.txt" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4807" - } - ], - "bom-ref": "vuln-8", - "references": [ - { - "id": "SNYK-PYTHON-CRYPTOGRAPHY-5914629", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-5914629" - } - } - ], - "ratings": [ - { - "severity": "high", - "score": 7.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807" - } - }, - { - "severity": "none", - "score": 0.00043, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2023-09-08T12:15:08Z", - "description": "Issue summary: The POLY1305 MAC (message authentication code) implementation\ncontains a bug that might corrupt the internal state of applications on the\nWindows 64 platform when running on newer X86_64 processors supporting the\nAVX512-IFMA instructions.\n\nImpact summary: If in an application that uses the OpenSSL library an attacker\ncan influence whether the POLY1305 MAC algorithm is used, the application\nstate might be corrupted with various application dependent consequences.\n\nThe POLY1305 MAC (message authentication code) implementation in OpenSSL does\nnot save the contents of non-volatile XMM registers on Windows 64 platform\nwhen calculating the MAC of data larger than 64 bytes. Before returning to\nthe caller all the XMM registers are set to zero rather than restoring their\nprevious content. The vulnerable code is used only on newer x86_64 processors\nsupporting the AVX512-IFMA instructions.\n\nThe consequences of this kind of internal application state corruption can\nbe various - from no consequences, if the calling application does not\ndepend on the contents of non-volatile XMM registers at all, to the worst\nconsequences, where the attacker could get complete control of the application\nprocess. However given the contents of the registers are just zeroized so\nthe attacker cannot put arbitrary values inside, the most likely consequence,\nif any, would be an incorrect result of some application dependent\ncalculations or a crash leading to a denial of service.\n\nThe POLY1305 MAC algorithm is most frequently used as part of the\nCHACHA20-POLY1305 AEAD (authenticated encryption with associated data)\nalgorithm. The most common usage of this AEAD cipher is with TLS protocol\nversions 1.2 and 1.3 and a malicious client can influence whether this AEAD\ncipher is used by the server. This implies that server applications using\nOpenSSL can be potentially impacted. However we are currently not aware of\nany concrete application that would be affected by this issue therefore we\nconsider this a Low severity security issue.\n\nAs a workaround the AVX512-IFMA instructions support can be disabled at\nruntime by setting the environment variable OPENSSL_ia32cap:\n\n OPENSSL_ia32cap=:~0x200000\n\nThe FIPS provider is not affected by this issue.", - "affects": [ - { - "ref": "comp-399" - } - ], - "id": "CVE-2023-4807", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4807" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2023-09-21T17:15:24Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", - "value": "41.0.4" - } - ] - }, - { - "bom-ref": "vuln-9", - "ratings": [ - { - "severity": "medium", - "score": 5.9, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713" - } - } - ], - "created": "2024-02-11T09:08:00Z", - "description": "## Overview\n\nAffected versions of this package are vulnerable to Incorrect Behavior Order in the DNS pre-processing pipeline, which allows an off-path attacker who can spoof the source IP address of a malformed DNS response packet to cause denial of service. The UDP processing functions in `query.py` and `asyncquery.py` accept the first-arriving packet before closing the receiving socket, allowing the attacker to make the remote nameserver appear unavailable for the target resolver and clients.\n## Remediation\nUpgrade `dnspython` to version 2.6.1 or higher.\n## References\n- [GitHub Commit](https://github.com/rthalley/dnspython/commit/0ea5ad0a4583e1f519b9bcc67cfac381230d9cf2)\n- [GitHub Issue](https://github.com/rthalley/dnspython/issues/1045)\n- [Tudoor Paper](https://lixiang521.com/publication/oakland24/sp24spring-tudoor-li.pdf)", - "affects": [ - { - "ref": "comp-415" - } - ], - "id": "SNYK-PYTHON-DNSPYTHON-6241713", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2024-02-19T07:31:00Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-415", - "value": "2.6.1" - } - ] - }, - { - "advisories": [ - { - "url": "https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23672" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066877" - } - ], - "bom-ref": "vuln-10", - "references": [ - { - "id": "SNYK-JAVA-ORGAPACHETOMCATEMBED-6435950", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-6435950" - } - } - ], - "created": "2024-03-13T16:15:29Z", - "description": "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n", - "affects": [ - { - "ref": "comp-139" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23672" - }, - "cwes": [ - 459 - ], - "analysis": { - "state": "in_triage" - }, - "ratings": [ - { - "severity": "none", - "score": 0.00043, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2024-23672", - "updated": "2024-03-13T18:15:58Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-139", - "value": "9.0.86" - } - ] - }, - { - "bom-ref": "vuln-11", - "ratings": [ - { - "severity": "high", - "score": 7.3, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-THREADLOCAL-2359987" - } - } - ], - "created": "2022-01-25T17:39:00Z", - "description": "## Overview\n[thread_local](https://crates.io/crates/thread_local) is a library which allow a separate copy of an object to be used for each thread. This allows for per-object thread-local storage, unlike the standard library's thread_local! macro which only allows static thread-local storage.\n\nAffected versions of this package are vulnerable to Memory Corruption via `{Iter, IterMut}::next` which uses a weaker memory ordering when loading values than what was required, exposing a potential data race when iterating over `ThreadLocal`'s values.\n## Remediation\nUpgrade `thread_local` to version 1.1.4 or higher.\n## References\n- [GitHub Commit](https://github.com/Amanieu/thread_local-rs/commit/3d69afaab242fc1dd3a0658eb363b2df5e02fcd6)\n- [GitHub Commit](https://github.com/rustsec/advisory-db/pull/1169/commits/ab1bf8721a112fca30bb7a5a07467245af6f5846)\n- [GitHub Issue](https://github.com/Amanieu/thread_local-rs/issues/33)", - "affects": [ - { - "ref": "comp-305" - }, - { - "ref": "comp-545" - } - ], - "id": "SNYK-RUST-THREADLOCAL-2359987", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-THREADLOCAL-2359987" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2022-01-25T17:39:00Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-305", - "value": "1.1.4" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-545", - "value": "1.1.4" - } - ] - }, - { - "bom-ref": "vuln-12", - "ratings": [ - { - "severity": "unknown", - "method": "other", - "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" - } - } - ], - "created": "2023-11-23T00:00:00Z", - "description": "This function returned a shared reference into an OpenSSL datastructure but did not account for interior mutability. OpenSSL may modify the data behind this reference, meaning accesses can race and the reference is unsound.\n\nUse of this function should be replaced with `X509StoreRef::all_certificates`.", - "affects": [ - { - "ref": "comp-243" - } - ], - "id": "RUSTSEC-2023-0072", - "source": { - "name": "RUST_SEC_ADVISORY", - "url": "https://github.com/RustSec/advisory-db/tree/master/crates/openssl/RUSTSEC-2023-0072.md" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2023-11-23T00:00:00Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-243", - "value": "0.10.60" - } - ] - }, - { - "advisories": [ - { - "url": "https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@" - }, - { - "url": "https://go-review.googlesource.com/c/crypto/+/278852" - }, - { - "url": "https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:0799" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:5633" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:2920" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1830.html" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29652" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:1796" - } - ], - "bom-ref": "vuln-13", - "references": [ - { - "id": "GHSA-3vm4-22fp-5rfm", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-3vm4-22fp-5rfm" - } - }, - { - "id": "SNYK-GOLANG-GOLANGORGXCRYPTO-2825234", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTO-2825234" - } - } - ], - "created": "2020-12-17T05:15:10Z", - "description": "A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.", - "affects": [ - { - "ref": "comp-109" - }, - { - "ref": "comp-108" - }, - { - "ref": "comp-107" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652" - }, - "cwes": [ - 476 - ], - "analysis": { - "state": "exploitable" - }, - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29652" - } - }, - { - "severity": "none", - "score": 0.00542, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2020-29652", - "updated": "2023-11-07T03:21:32Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-06T07:19:17Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-109", - "value": "0.0.0-20201216223049-8b5274cf687f" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-108", - "value": "0.0.0-20201216223049-8b5274cf687f" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-107", - "value": "0.0.0-20201216223049-8b5274cf687f" - } - ] - }, - { - "bom-ref": "vuln-14", - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUBY-NOKOGIRI-3052880" - } - } - ], - "created": "2022-10-19T15:50:00Z", - "description": "## Overview\n[nokogiri](https://nokogiri.org) is a gem for parsing HTML, XML, SAX, and Reader.\n\nAffected versions of this package are vulnerable to NULL Pointer Dereference due to the usage of a vulnerable version of the bundled `libxml2` package.\n## Remediation\nUpgrade `nokogiri` to version 1.13.9 or higher.\n## References\n- [GitHub Commit](https://github.com/sparklemotion/nokogiri/commit/e8cfe13953c63099f879d8a25ca70a909e19fb96)\n- [GitHub Release](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.9)", - "affects": [ - { - "ref": "comp-346" - }, - { - "ref": "comp-351" - } - ], - "id": "SNYK-RUBY-NOKOGIRI-3052880", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUBY-NOKOGIRI-3052880" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2024-03-06T14:05:00Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-346", - "value": "1.13.9" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-351", - "value": "1.13.9" - } - ] - }, - { - "bom-ref": "vuln-15", - "ratings": [ - { - "severity": "medium", - "score": 6.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091623" - } - } - ], - "created": "2023-11-28T12:25:00Z", - "description": "## Overview\n\nAffected versions of this package are vulnerable to HTTP Request Smuggling due to a vulnerable dependency. An attacker can exploit request smuggling vulnerabilities.\n## Remediation\nUpgrade `aiohttp` to version 3.8.6 or higher.\n## References\n- [GitHub Commit](https://github.com/aio-libs/aiohttp/commit/1303350e834899ad1c7733effc716a1a46a4b817)\n- [GitHub Commit](https://github.com/aio-libs/aiohttp/commit/996de2629ef6b4c2934a7c04dfd49d0950d4c43b)\n- [GitHub Commit](https://github.com/aio-libs/aiohttp/commit/bcc416e533796d04fb8124ef1e7686b1f338767a)", - "affects": [ - { - "ref": "comp-393" - } - ], - "id": "SNYK-PYTHON-AIOHTTP-6091623", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091623" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2023-11-28T12:25:00Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-393", - "value": "3.8.6" - } - ] - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2021-0023.html" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27378" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - } - ], - "bom-ref": "vuln-16", - "references": [ - { - "id": "SNYK-RUST-RANDCORE-1076585", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-RANDCORE-1076585" - } - } - ], - "created": "2021-02-18T04:15:11Z", - "description": "An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.", - "affects": [ - { - "ref": "comp-511" - }, - { - "ref": "comp-510" - }, - { - "ref": "comp-265" - }, - { - "ref": "comp-264" - }, - { - "ref": "comp-263" - }, - { - "ref": "comp-509" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27378" - }, - "cwes": [ - 131 - ], - "analysis": { - "state": "in_triage" - }, - "ratings": [ - { - "severity": "none", - "score": 0.00222, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - }, - { - "severity": "critical", - "score": 9.8, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27378" - } - } - ], - "id": "CVE-2021-27378", - "updated": "2022-07-12T17:42:04Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-511", - "value": "0.6.2" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-510", - "value": "0.6.2" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-265", - "value": "0.6.2" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-264", - "value": "0.6.2" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-263", - "value": "0.6.2" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-509", - "value": "0.6.2" - } - ] - }, - { - "advisories": [ - { - "url": "https://security.gentoo.org/glsa/202402-08" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd" - }, - { - "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb" - }, - { - "url": "https://www.openssl.org/news/secadv/20230207.txt" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:4128" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:2932" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:3355" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:3421" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:3354" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:3420" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:1199" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:1405" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1935.html" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:0946" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:3408" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2023-1934.html" - }, - { - "url": "https://alas.aws.amazon.com/ALAS-2023-1683.html" - }, - { - "url": "https://ubuntu.com/security/notices/USN-5844-1" - }, - { - "url": "https://ubuntu.com/security/notices/USN-5845-2" - }, - { - "url": "https://alas.aws.amazon.com/AL2023/ALAS-2023-101.html" - }, - { - "url": "https://ubuntu.com/security/notices/USN-5845-1" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2024-2502.html" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://ubuntu.com/security/notices/USN-6564-1" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:2165" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALASOPENSSL-SNAPSAFE-2023-002.html" - } - ], - "bom-ref": "vuln-17", - "references": [ - { - "id": "SNYK-PYTHON-CRYPTOGRAPHY-3315324", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-CRYPTOGRAPHY-3315324" - } - } - ], - "created": "2023-02-08T20:15:24Z", - "description": "The public API function BIO_new_NDEF is a helper function used for streaming\nASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the\nSMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by\nend user applications.\n\nThe function receives a BIO from the caller, prepends a new BIO_f_asn1 filter\nBIO onto the front of it to form a BIO chain, and then returns the new head of\nthe BIO chain to the caller. Under certain conditions, for example if a CMS\nrecipient public key is invalid, the new filter BIO is freed and the function\nreturns a NULL result indicating a failure. However, in this case, the BIO chain\nis not properly cleaned up and the BIO passed by the caller still retains\ninternal pointers to the previously freed filter BIO. If the caller then goes on\nto call BIO_pop() on the BIO then a use-after-free will occur. This will most\nlikely result in a crash.\n\n\n\nThis scenario occurs directly in the internal function B64_write_ASN1() which\nmay cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on\nthe BIO. This internal function is in turn called by the public API functions\nPEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream,\nSMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.\n\nOther public API functions that may be impacted by this include\ni2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and\ni2d_PKCS7_bio_stream.\n\nThe OpenSSL cms and smime command line applications are similarly affected.\n\n\n\n", - "affects": [ - { - "ref": "comp-399" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215" - }, - "cwes": [ - 416 - ], - "analysis": { - "state": "exploitable" - }, - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0215" - } - }, - { - "severity": "none", - "score": 0.00303, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2023-0215", - "updated": "2024-02-04T09:15:08Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-20T17:03:32Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", - "value": "39.0.1" - } - ] - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2019-0033.html" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25574" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969896" - } - ], - "bom-ref": "vuln-18", - "references": [ - { - "id": "SNYK-RUST-HTTP-541330", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-HTTP-541330" - } - }, - { - "id": "RUSTSEC-2019-0033", - "source": { - "name": "RUST_SEC_ADVISORY", - "url": "https://github.com/RustSec/advisory-db/tree/master/crates/http/RUSTSEC-2019-0033.md" - } - }, - { - "id": "GHSA-x7vr-c387-8w57", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-x7vr-c387-8w57" - } - } - ], - "created": "2020-09-14T19:15:11Z", - "description": "An issue was discovered in the http crate before 0.1.20 for Rust. An integer overflow in HeaderMap::reserve() could result in denial of service (e.g., an infinite loop).", - "affects": [ - { - "ref": "comp-212" - }, - { - "ref": "comp-463" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25574" - }, - "cwes": [ - 190, - 835 - ], - "analysis": { - "state": "exploitable" - }, - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25574" - } - }, - { - "severity": "none", - "score": 0.00157, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2020-25574", - "updated": "2021-07-21T11:39:23Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-02-22T01:51:23Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-212", - "value": "0.1.20" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-463", - "value": "0.1.20" - } - ] - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2023-0018.html" - } - ], - "bom-ref": "vuln-19", - "ratings": [ - { - "severity": "low", - "method": "other", - "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" - } - } - ], - "created": "2023-02-24T16:23:59Z", - "description": "The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\n\nThanks to the Rust security team for identifying the problem and alerting us to it.", - "affects": [ - { - "ref": "comp-278" - }, - { - "ref": "comp-520" - } - ], - "id": "GHSA-mc8h-8q98-g5hr", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-mc8h-8q98-g5hr" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2023-02-24T16:23:59Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-278", - "value": "0.8.0" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-520", - "value": "0.8.0" - } - ] - }, - { - "advisories": [ - { - "url": "https://www.debian.org/security/2022/dsa-5113" - }, - { - "url": "https://security.gentoo.org/glsa/202208-14" - }, - { - "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/" - }, - { - "url": "https://www.debian.org/security/2022/dsa-5118" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html" - }, - { - "url": "https://security.gentoo.org/glsa/202208-08" - }, - { - "url": "https://ubuntu.com/security/notices/USN-5370-1" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1305" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1326" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1303" - }, - { - "url": "https://ubuntu.com/security/notices/USN-5610-1" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1302" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1301" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1287" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1286" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24713" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1285" - }, - { - "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2022-1789.html" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1284" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:1283" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007176" - }, - { - "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html" - } - ], - "bom-ref": "vuln-20", - "references": [ - { - "id": "GHSA-m5pq-gvj9-9vr8", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-m5pq-gvj9-9vr8" - } - }, - { - "id": "RUSTSEC-2022-0013", - "source": { - "name": "RUST_SEC_ADVISORY", - "url": "https://github.com/RustSec/advisory-db/tree/master/crates/regex/RUSTSEC-2022-0013.md" - } - }, - { - "id": "SNYK-RUST-REGEX-2420038", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-REGEX-2420038" - } - } - ], - "created": "2022-03-08T19:15:08Z", - "description": "regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.", - "affects": [ - { - "ref": "comp-276" - }, - { - "ref": "comp-518" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" - }, - "cwes": [ - 400, - 1333 - ], - "analysis": { - "state": "exploitable" - }, - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713" - } - }, - { - "severity": "none", - "score": 0.00357, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2022-24713", - "updated": "2023-11-07T03:44:34Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:exploit_available", - "value": "true" - }, - { - "name": "amazon:inspector:sbom_scanner:exploit_last_seen_in_public", - "value": "2024-03-20T17:08:30Z" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-276", - "value": "1.5.5" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-518", - "value": "1.5.5" - } - ] - }, - { - "advisories": [ - { - "url": "https://pypi.org/project/py" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42969" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - } - ], - "bom-ref": "vuln-21", - "references": [ - { - "id": "GHSA-w596-4wvx-j9j6", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-w596-4wvx-j9j6" - } - } - ], - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969" - } - }, - { - "severity": "none", - "score": 0.00365, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "created": "2022-10-16T06:15:09Z", - "description": "The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.", - "affects": [ - { - "ref": "comp-373" - } - ], - "id": "CVE-2022-42969", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969" - }, - "cwes": [ - 1333 - ], - "analysis": { - "state": "in_triage" - }, - "updated": "2023-02-28T15:11:27Z" - }, - { - "advisories": [ - { - "url": "https://rustsec.org/advisories/RUSTSEC-2019-0011.html" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936025" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15553" - } - ], - "bom-ref": "vuln-22", - "references": [ - { - "id": "SNYK-RUST-MEMOFFSET-451655", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-RUST-MEMOFFSET-451655" - } - }, - { - "id": "RUSTSEC-2019-0011", - "source": { - "name": "RUST_SEC_ADVISORY", - "url": "https://github.com/RustSec/advisory-db/tree/master/crates/memoffset/RUSTSEC-2019-0011.md" - } - }, - { - "id": "GHSA-rh89-x75f-rh3c", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-rh89-x75f-rh3c" - } - } - ], - "created": "2019-08-26T15:15:12Z", - "description": "An issue was discovered in the memoffset crate before 0.5.0 for Rust. offset_of and span_of can cause exposure of uninitialized memory.", - "affects": [ - { - "ref": "comp-231" - }, - { - "ref": "comp-481" - } - ], - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15553" - }, - "cwes": [ - 908 - ], - "analysis": { - "state": "in_triage" - }, - "ratings": [ - { - "severity": "high", - "score": 7.5, - "method": "CVSSv31", - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "source": { - "name": "NVD", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15553" - } - }, - { - "severity": "none", - "score": 0.00149, - "method": "other", - "vector": "model:v2023.03.01,date:2024-03-25T00:00:00+0000", - "source": { - "name": "EPSS", - "url": "https://www.first.org/epss/" - } - } - ], - "id": "CVE-2019-15553", - "updated": "2020-08-24T17:37:01Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-231", - "value": "0.5.0" - }, - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-481", - "value": "0.5.0" - } - ] - }, - { - "advisories": [ - { - "url": "https://www.openssl.org/news/secadv/20230714.txt" - }, - { - "url": "https://www.openssl.org/news/secadv/20230731.txt" - }, - { - "url": "https://www.openssl.org/news/secadv/20230719.txt" - } - ], - "bom-ref": "vuln-23", - "ratings": [ - { - "severity": "low", - "method": "other", - "source": { - "name": "AMAZON_INSPECTOR", - "url": "https://aws.amazon.com/inspector/" - } - } - ], - "created": "2023-08-01T22:34:41Z", - "description": "pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8-41.0.2 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230731.txt, https://www.openssl.org/news/secadv/20230719.txt, and https://www.openssl.org/news/secadv/20230714.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.", - "affects": [ - { - "ref": "comp-399" - } - ], - "id": "GHSA-jm77-qphf-c4w8", - "source": { - "name": "GITHUB", - "url": "https://github.com/advisories/GHSA-jm77-qphf-c4w8" - }, - "analysis": { - "state": "in_triage" - }, - "updated": "2023-08-01T22:34:41Z", - "properties": [ - { - "name": "amazon:inspector:sbom_scanner:fixed_version:comp-399", - "value": "41.0.3" - } - ] - }, - { - "advisories": [ - { - "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@" - }, - { - "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817@" - }, - { - "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@" - }, - { - "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@" - }, - { - "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49@" - }, - { - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@" - }, - { - "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@" - }, - { - "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6@" - }, - { - "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1@" - }, - { - "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac@" - }, - { - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7@" - }, - { - "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@" - }, - { - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "url": "https://www.drupal.org/sa-core-2020-002" - }, - { - "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@" - }, - { - "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/" - }, - { - "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9@" - }, - { - "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@" - }, - { - "url": "https://jquery.com/upgrade-guide/3.5/" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/" - }, - { - "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@" - }, - { - "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released" - }, - { - "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@" - }, - { - "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@" - }, - { - "url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6@" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/" - }, - { - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html" - }, - { - "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330@" - }, - { - "url": "https://www.debian.org/security/2020/dsa-4693" - }, - { - "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@" - }, - { - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/" - }, - { - "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494@" - }, - { - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c@" - }, - { - "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15@" - }, - { - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef@" - }, - { - "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c@" - }, - { - "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16@" - }, - { - "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e@" - }, - { - "url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb@" - }, - { - "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" - }, - { - "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72@" - }, - { - "url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248@" - }, - { - "url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea@" - }, - { - "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61@" - }, - { - "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9@" - }, - { - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93@" - }, - { - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c@" - }, - { - "url": "https://security.gentoo.org/glsa/202007-03" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:3247" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:0552" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:3369" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:1049" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:5249" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:2412" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:0556" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:1044" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:4211" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:4142" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:1045" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:0554" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:4298" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:0553" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:6393" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:2813" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2022:7343" - }, - { - "url": "https://alas.aws.amazon.com/AL2/ALAS-2021-1626.html" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:0778" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:1846" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:3807" - }, - { - "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=null" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:5412" - }, - { - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2020:4847" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2023:1043" - }, - { - "url": "https://access.redhat.com/errata/RHSA-2021:0860" - } - ], - "bom-ref": "vuln-24", - "references": [ - { - "id": "SNYK-PYTHON-SPHINX-570773", - "source": { - "name": "SNYK", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-SPHINX-570773" - } - } - ], - "created": "2020-04-29T21:15:11Z", - "description": "In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing