CVE Layout Changes #3524

Merged
merged 16 commits into from
Aug 2, 2024

Conversation

JamieM-Spectro

@JamieM-Spectro JamieM-Spectro commented Aug 1, 2024

Describe the Change

This PR is to update CVE layouts

Changed Pages

💻 Preview URL for Page

Jira Tickets

🎫 Jira Ticket

Backports

Can this PR be backported?

  • Yes. Remember to add the relevant backport labels to your PR.
  • No. Please leave a short comment below about why this PR cannot be backported.

@JamieM-Spectro JamieM-Spectro requested a review from a team as a code owner August 1, 2024 20:34

netlify bot commented Aug 1, 2024

Deploy Preview for docs-spectrocloud ready!

Name Link
🔨 Latest commit b69755b
🔍 Latest deploy log https://app.netlify.com/sites/docs-spectrocloud/deploys/66ac12d61e66500008cde6a0
😎 Deploy Preview https://deploy-preview-3524--docs-spectrocloud.netlify.app

@karl-cardenas-coding karl-cardenas-coding changed the title docs: first entry CVE Layout Changes Aug 1, 2024
@karl-cardenas-coding karl-cardenas-coding added labels Aug 1, 2024: backport-version-4-0 (Backport change to version 4.0), auto-backport (Enable backport), backport-version-3-4 (Backport change to version 3.4), backport-version-4-1 (Backport change to version 4.1), backport-version-4-2 (Backport change to version 4.2), backport-version-4-3 (Backport change to version 4.3), backport-version-4-4 (Backport change to version 4.4)
| [CVE-2021-45079](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | 7/16/24 | In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS package version 5.8.2-1ubuntu3.fips.3.6 that is being used in VerteX.Review: You can learn more at https://ubuntu.com/security/CVE-2021-45079. | [9.1](https://nvd.nist.gov/vuln/detail/CVE-2021-45079) | Ongoing |
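Review bot: the Official Summary cell for CVE-2021-45079 has a stray "Review:" fused onto the end of the sentence ("...being used in VerteX.Review: You can learn more at..."); it reads like a reviewer marker that was never removed. Suggest "...being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2021-45079."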
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## NIST CVE Summary

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'strongSwan'?


## Our Official Summary

This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS package version 5.8.2-1ubuntu3.fips.3.6 that is being used in VerteX.Review: You can learn more at [https://ubuntu.com/security/CVE-2021-45079](https://ubuntu.com/security/CVE-2021-45079).
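Review bot: same leftover here in the report page as in the table row: "VerteX.Review: You can learn more at" should be "VerteX. You can learn more at". Worth fixing in both places in one pass so the row and the report stay in sync.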

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.

| [CVE-2020-1971](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | 7/16/24 | The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You learn more at https://ubuntu.com/security/CVE-2020-1971. | [5.9](https://nvd.nist.gov/vuln/detail/CVE-2020-1971) | Ongoing |
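Review bot: "You learn more at" in the Official Summary cell is missing "can"; the other rows use "You can learn more at". Suggest aligning the wording so the column reads consistently.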
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## NIST CVE Summary

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL\_NAME\_cmp which compares different instances of a GENERAL\_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL\_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL\_NAME\_cmp function for two purposes: 1\) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2\) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS\_RESP\_verify\_response and TS\_RESP\_verify\_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s\_server, s\_client and verify tools have support for the "-crl\_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'display' instead of 'see'.


## Our Official Summary

This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at [https://ubuntu.com/security/CVE-2021-3449](https://ubuntu.com/security/CVE-2021-3449).
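Review bot: the Ubuntu link in this Official Summary points at https://ubuntu.com/security/CVE-2021-3449, which is a different CVE; this report is for CVE-2020-1971 and the table row for the same entry already links https://ubuntu.com/security/CVE-2020-1971. Change both the link text and the target to the CVE-2020-1971 page, otherwise a reader verifying the "fixed in 1.1.1f-1ubuntu2.fips.22" claim lands on the wrong advisory.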

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.

| [PRISMA-2022-0227](https://github.com/kubernetes/kubernetes/issues/120604) | 7/16/24 | github.com/emicklei/go-restful/v3 module prior to v3.10.0 is vulnerable to Authentication Bypass by Primary Weakness. There is an inconsistency in how go-restful parses URL paths. This inconsistency could lead to several security check bypass in a complex system. | The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting. | N/A | Ongoing |
## Last Update

7/31/2024
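Review bot: the Last Update in the PRISMA-2022-0227 report is 7/31/2024, while the table row for the same entry gives 7/16/24; one of the two is stale. Pick the real date and, while here, write it in the "July 31, 2024" form vale is asking for so the row and the report agree.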

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/31/2024'.


## Our Official Summary

The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.


## Our Official Summary

The CVE reported in vsphere-csi 3.2.0, and Kubernetes 1.28.11. Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Govulncheck'?


## Our Official Summary

The CVE reported in virtual cluster CAPI provider. Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Govulncheck'?

| [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | 7/16/24 | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. | This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at https://ubuntu.com/security/CVE-2023-0215. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-0215) | Ongoing |
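Review bot: the NIST CVE Summary cell for CVE-2023-0215 stops after describing what BIO_new_NDEF is for and never states the defect. The NVD text continues: on certain errors (for example an invalid CMS recipient public key) the newly prepended filter BIO is freed but the caller's BIO chain still holds a pointer to it, so a subsequent BIO_pop() by the caller is a use-after-free. Carry that part over (or paste the full NVD description, as the other rows do); without it the 7.5 score is unexplained.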
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## Our Official Summary

This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version 1.1.1f-1ubuntu2.fips.22 that’s being used in VerteX. You can learn more at [https://ubuntu.com/security/CVE-2023-0215](https://ubuntu.com/security/CVE-2023-0215).

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.

| [CVE-2023-5528](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | 7/16/24 | A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | The CVE reported in vsphere-csi 3.2.0, Govulncheck reports it as non-impacting. | [8.8](https://nvd.nist.gov/vuln/detail/CVE-2023-5528) | Ongoing |
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## Our Official Summary

The CVE reported in vsphere-csi 3.2.0, Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.


## Our Official Summary

The CVE reported in vsphere-csi 3.2.0, Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Govulncheck'?

| [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | 7/16/24 | There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. | This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX. | [7.4](https://nvd.nist.gov/vuln/detail/CVE-2023-0286) | Ongoing |
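Review bot: the NIST CVE Summary for CVE-2023-0286 is cut before the impact. NVD's description goes on to say that when CRL checking is enabled (the X509_V_FLAG_CRL_CHECK flag) an attacker who controls both the certificate chain and the CRL, neither of which needs a valid signature, can pass arbitrary pointers to a memcmp call and read memory contents or cause a denial of service; that is what the 7.4 score reflects and what a reader needs to judge exposure. Also, unlike the other OpenSSL rows, the Official Summary here does not name the FIPS openSSL version that carries the fix; state it so the claim can be checked against the Ubuntu tracker.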
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## Our Official Summary

This is a false positive reported by twistlock only. We have confirmed this CVE is fixed in the FIPS openSSL version that’s being used in VerteX.

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.


## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## Our Official Summary

The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'coredns'?


## Our Official Summary

The CVE reported in coredns and kube-vip. Govulncheck reports it as non-impacting.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Govulncheck'?

| [CVE-2023-52425](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | 7/16/24 | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. | The CVE is reported in vsphere-csi 3.2.0. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-52425) | Ongoing |
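Review bot: the Official Summary for CVE-2023-52425 says only where the finding came from ("reported in vsphere-csi 3.2.0") and nothing about whether libexpat is reachable in that component, whether govulncheck or the vendor rates it non-impacting, or what the remediation plan is; every other Ongoing row gives at least one of those. Add the impact assessment, or a pointer to the item tracking it, so the row is actionable.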
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## NIST CVE Summary

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'libexpat'?


## NIST CVE Summary

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'reparsings'?


## Our Official Summary

The CVE is reported in vsphere-csi 3.2.0.

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.

| [GHSA-m425-mq94-257g](https://github.com/advisories/GHSA-m425-mq94-257g) | 10/25/23 | The affected releases of gRPC-Go, it is possible for an attacker to send HTTP/2 requests, cancel them, and send subsequent requests, which is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit. | CVE exists in coredns that’s being used in k8s 1.28.11. Affects only k8s version 1.28.11. For customer workload clusters, workaround is to use k8s version 1.29+. For Palette Self Hosted cluster, a future release will upgrade to 1.29+. | [7.5](https://github.com/advisories/GHSA-m425-mq94-257g) | Ongoing |
## Last Update

10/25/2023

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '10/25/2023'.

| [CVE-2023-47108](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | 7/16/24 | OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. | CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround. | [7.5](https://nvd.nist.gov/vuln/detail/CVE-2023-47108) | Ongoing |
## Last Update

7/16/2024

🚫 [vale] reported by reviewdog 🐶
[Google.DateFormat] Use 'July 31, 2016' format, not '7/16/2024'.


## NIST CVE Summary

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'grpc'?


## NIST CVE Summary

OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent.

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Unary'?


## Our Official Summary

CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround.
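Review bot: "kube-controller-manaer" is a typo for "kube-controller-manager" (it also appears in the table row for this entry). Since the summary states there is no workaround, a sentence on which Palette or Kubernetes release will pick up the fixed OpenTelemetry-Go Contrib (0.46.0 or later, per the NIST text above) would help readers plan; the GHSA-m425-mq94-257g row gives that kind of guidance.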

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.


## Our Official Summary

CVE exists in vsphere-csi 3.2.0, and kube-controller-manaer version 1.28.11. Impacts all vsphere clusters. There is no workaround.

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'vSphere' instead of 'vsphere'.

@github-actions github-actions bot left a comment

Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit

vale

docs/docs-content/security-bulletins/reports/cve-2024-21626.md|26 col 112| [Vale.Spelling] Did you really mean 'runc'?
docs/docs-content/security-bulletins/reports/ghsa-m425-mq94-257g.md|27 col 15| [Vale.Spelling] Did you really mean 'coredns'?
docs/docs-content/security-bulletins/reports/cve-2023-0286.md|28 col 54| [Vale.Terms] Use 'we' instead of 'We'.
docs/docs-content/security-bulletins/reports/cve-2023-47108.md|21 col 117| [Vale.Spelling] Did you really mean 'grpc'?
docs/docs-content/security-bulletins/reports/cve-2023-47108.md|22 col 1| [Vale.Spelling] Did you really mean 'Unary'?
docs/docs-content/security-bulletins/reports/cve-2023-47108.md|27 col 15| [Vale.Terms] Use 'vSphere' instead of 'vsphere'.
docs/docs-content/security-bulletins/reports/cve-2023-47108.md|27 col 90| [Vale.Terms] Use 'vSphere' instead of 'vsphere'.
docs/docs-content/security-bulletins/reports/cve-2023-52425.md|21 col 1| [Vale.Spelling] Did you really mean 'libexpat'?
docs/docs-content/security-bulletins/reports/cve-2023-52425.md|21 col 92| [Vale.Spelling] Did you really mean 'reparsings'?
docs/docs-content/security-bulletins/reports/cve-2021-3449.md|22 col 45| [Vale.Spelling] Did you really mean 'signature_algorithms'?
docs/docs-content/security-bulletins/reports/cve-2021-3449.md|23 col 30| [Vale.Spelling] Did you really mean 'signature_algorithms_cert'?
docs/docs-content/security-bulletins/reports/cve-2021-3449.md|23 col 86| [Vale.Spelling] Did you really mean 'dereference'?
docs/docs-content/security-bulletins/reports/cve-2021-3449.md|31 col 49| [Vale.Terms] Use 'we' instead of 'We'.
docs/docs-content/security-bulletins/reports/cve-2021-3711.md|23 col 6| [Vale.Spelling] Did you really mean 'outlen'?
docs/docs-content/security-bulletins/reports/cve-2021-3711.md|23 col 89| [Vale.Spelling] Did you really mean 'plaintext'?
docs/docs-content/security-bulletins/reports/cve-2021-3711.md|26 col 27| [Vale.Spelling] Did you really mean 'plaintext'?
docs/docs-content/security-bulletins/reports/cve-2021-3711.md|36 col 49| [Vale.Terms] Use 'we' instead of 'We'.


## Our Official Summary

This is a false positive reported by twistlock. We have confirmed this CVE is fixed in the FIPS openSSL version

🚫 [vale] reported by reviewdog 🐶
[Vale.Terms] Use 'we' instead of 'We'.

## NIST CVE Summary

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known
as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'GENERAL_NAME_cmp'?


The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known
as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to
see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'display' instead of 'see'.


The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known
as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to
see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'GENERAL_NAMEs'?

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known
as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to
see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL
pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'dereference'?


## NIST CVE Summary

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'runc'?

## NIST CVE Summary

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and
earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc

🚫 [vale] reported by reviewdog 🐶
[Google.LyHyphens] 'newly-spawned' doesn't need a hyphen.

## NIST CVE Summary

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and
earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'runc'?

earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc
exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to
the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to
gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to

🚫 [vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'runc'?

earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc
exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to
the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to
gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to

🚫 [vale] reported by reviewdog 🐶
[spectrocloud-docs-internal.ableism] Avoid using ableism terms. Use 'issue' instead of 'run'.

@karl-cardenas-coding karl-cardenas-coding merged commit 364f54c into master Aug 2, 2024
15 checks passed
@karl-cardenas-coding karl-cardenas-coding deleted the CVE-Updates branch August 2, 2024 01:01
vault-token-factory-spectrocloud bot pushed a commit that referenced this pull request Aug 2, 2024
* docs: first entry

* Update cve-2020-1971.md

* Update prisma-2022-0227.md

Updated CVE

* Update cve-2021-3449.md

Updated CVE

* Update cve-2021-3711.md

* Update cve-2022-25883.md

Updating CVE

* Update cve-2021-45079.md

* Updating CVEs

* Updating CVEs

* chore: prettier

---------

Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
(cherry picked from commit 364f54c)
@vault-token-factory-spectrocloud

💚 All backports created successfully

Status Branch Result
version-4-0
version-3-4
version-4-1
version-4-2
version-4-3
version-4-4

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation and see the Github Action logs for details.

vault-token-factory-spectrocloud bot added a commit that referenced this pull request Aug 2, 2024
* docs: first entry

* Update cve-2020-1971.md

* Update prisma-2022-0227.md

Updated CVE

* Update cve-2021-3449.md

Updated CVE

* Update cve-2021-3711.md

* Update cve-2022-25883.md

Updating CVE

* Update cve-2021-45079.md

* Updating CVEs

* Updating CVEs

* chore: prettier

---------

Co-authored-by: frederickjoi <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
(cherry picked from commit 364f54c)

Co-authored-by: JamieM-Spectro <[email protected]>
@vault-token-factory-spectrocloud

🎉 This PR is included in version 4.4.12 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
