
Trivy scan shows critical vulnerability CVE-2021-27568 in flyway/flyway:7.9.1-alpine and flyway/flyway:7.9.1 #3178

Closed
tbondarchuk opened this issue May 21, 2021 · 1 comment

Comments

@tbondarchuk

Trivy vulnerability scanner shows the following when scanning the flyway/flyway:7.9.1-alpine image:

➜  trivy image flyway/flyway:7.9.1-alpine
2021-05-21T21:19:04.659+0300	INFO	Detected OS: alpine
2021-05-21T21:19:04.660+0300	INFO	Detecting Alpine vulnerabilities...
2021-05-21T21:19:04.666+0300	INFO	Number of PL dependency files: 42
2021-05-21T21:19:04.666+0300	INFO	Detecting jar vulnerabilities...
2021-05-21T21:19:04.670+0300	WARN	maven constraint error ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
	* improper constraint: [10.5-alpha0,10.5.3.0_1]
	* improper requirements: []



flyway/flyway:7.9.1-alpine (alpine 3.13.5)
==========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


flyway/lib/aad/nimbus-jose-jwt-9.8.1.jar
========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

+------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| net.minidev:json-smart | CVE-2021-27568   | CRITICAL | 1.3.2             | 2.4.1         | json-smart: uncaught                  |
|                        |                  |          |                   |               | exception may lead to crash           |
|                        |                  |          |                   |               | or information disclosure             |
|                        |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27568 |
+------------------------+------------------+----------+-------------------+---------------+---------------------------------------+

https://avd.aquasec.com/nvd/cve-2021-27568/
https://nvd.nist.gov/vuln/detail/CVE-2021-27568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27568

I've downloaded and scanned the latest version of that package, nimbus-jose-jwt-9.9.3.jar, and the scan does not show any vulnerabilities in it.

FYI: I've scanned flyway/flyway:7.9.1 as well and it shows quite a lot of vulnerable OS packages, though only low and medium:

➜  trivy image flyway/flyway:7.9.1
2021-05-21T21:21:26.128+0300	INFO	Detected OS: ubuntu
2021-05-21T21:21:26.128+0300	INFO	Detecting Ubuntu vulnerabilities...
2021-05-21T21:21:26.135+0300	INFO	Number of PL dependency files: 42
2021-05-21T21:21:26.135+0300	INFO	Detecting jar vulnerabilities...
2021-05-21T21:21:26.139+0300	WARN	maven constraint error ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred:
	* improper constraint: [10.5-alpha0,10.5.3.0_1]
	* improper requirements: []



flyway/flyway:7.9.1 (ubuntu 20.04)
==================================
Total: 42 (UNKNOWN: 0, LOW: 36, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |   INSTALLED VERSION    | FIXED VERSION |                  TITLE                  |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| bash             | CVE-2019-18276   | LOW      | 5.0-6ubuntu1.1         |               | bash: when effective UID is not         |
|                  |                  |          |                        |               | equal to its real UID the...            |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-18276   |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| coreutils        | CVE-2016-2781    |          | 8.30-3ubuntu2          |               | coreutils: Non-privileged               |
|                  |                  |          |                        |               | session can escape to the               |
|                  |                  |          |                        |               | parent session in chroot                |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2016-2781    |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| gpgv             | CVE-2019-13050   |          | 2.2.19-3ubuntu2.1      |               | GnuPG: interaction between the          |
|                  |                  |          |                        |               | sks-keyserver code and GnuPG            |
|                  |                  |          |                        |               | allows for a Certificate...             |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-13050   |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| libc-bin         | CVE-2016-10228   |          | 2.31-0ubuntu9.2        |               | glibc: iconv program can hang           |
|                  |                  |          |                        |               | when invoked with the -c option         |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2019-25013   |          |                        |               | glibc: buffer over-read in              |
|                  |                  |          |                        |               | iconv when processing invalid           |
|                  |                  |          |                        |               | multi-byte input sequences in...        |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-27618   |          |                        |               | glibc: iconv when processing            |
|                  |                  |          |                        |               | invalid multi-byte input                |
|                  |                  |          |                        |               | sequences fails to advance the...       |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-29562   |          |                        |               | glibc: assertion failure in iconv       |
|                  |                  |          |                        |               | when converting invalid UCS4            |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-6096    |          |                        |               | glibc: signed comparison                |
|                  |                  |          |                        |               | vulnerability in the                    |
|                  |                  |          |                        |               | ARMv7 memcpy function                   |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2021-27645   |          |                        |               | glibc: Use-after-free in                |
|                  |                  |          |                        |               | addgetnetgrentX function                |
|                  |                  |          |                        |               | in netgroupcache.c                      |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2021-27645   |
+------------------+------------------+          +                        +---------------+-----------------------------------------+
| libc6            | CVE-2016-10228   |          |                        |               | glibc: iconv program can hang           |
|                  |                  |          |                        |               | when invoked with the -c option         |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2019-25013   |          |                        |               | glibc: buffer over-read in              |
|                  |                  |          |                        |               | iconv when processing invalid           |
|                  |                  |          |                        |               | multi-byte input sequences in...        |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-27618   |          |                        |               | glibc: iconv when processing            |
|                  |                  |          |                        |               | invalid multi-byte input                |
|                  |                  |          |                        |               | sequences fails to advance the...       |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-29562   |          |                        |               | glibc: assertion failure in iconv       |
|                  |                  |          |                        |               | when converting invalid UCS4            |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-6096    |          |                        |               | glibc: signed comparison                |
|                  |                  |          |                        |               | vulnerability in the                    |
|                  |                  |          |                        |               | ARMv7 memcpy function                   |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2021-27645   |          |                        |               | glibc: Use-after-free in                |
|                  |                  |          |                        |               | addgetnetgrentX function                |
|                  |                  |          |                        |               | in netgroupcache.c                      |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2021-27645   |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| libgcrypt20      | CVE-2019-12904   |          | 1.8.5-5ubuntu1         |               | Libgcrypt: physical addresses           |
|                  |                  |          |                        |               | being available to other processes      |
|                  |                  |          |                        |               | leads to a flush-and-reload...          |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-12904   |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| libgnutls30      | CVE-2021-20231   |          | 3.6.13-2ubuntu1.3      |               | gnutls: Use after free in               |
|                  |                  |          |                        |               | client key_share extension              |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2021-20231   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2021-20232   |          |                        |               | gnutls: Use after free                  |
|                  |                  |          |                        |               | in client_send_params in                |
|                  |                  |          |                        |               | lib/ext/pre_shared_key.c                |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2021-20232   |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| libgssapi-krb5-2 | CVE-2018-5709    |          | 1.17-6ubuntu4.1        |               | krb5: integer overflow                  |
|                  |                  |          |                        |               | in dbentry->n_key_data                  |
|                  |                  |          |                        |               | in kadmin/dbutil/dump.c                 |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2018-5709    |
+------------------+                  +          +                        +---------------+                                         +
| libk5crypto3     |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
+------------------+                  +          +                        +---------------+                                         +
| libkrb5-3        |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
+------------------+                  +          +                        +---------------+                                         +
| libkrb5support0  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| liblz4-1         | CVE-2021-3520    | MEDIUM   | 1.9.2-2                |               | lz4: memory corruption                  |
|                  |                  |          |                        |               | due to an integer overflow              |
|                  |                  |          |                        |               | bug caused by memmove...                |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2021-3520    |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| libpcre3         | CVE-2017-11164   | LOW      | 2:8.39-12build1        |               | pcre: OP_KETRMAX feature in the         |
|                  |                  |          |                        |               | match function in pcre_exec.c           |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2017-11164   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2019-20838   |          |                        |               | pcre: buffer over-read in               |
|                  |                  |          |                        |               | JIT when UTF is disabled                |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-20838   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-14155   |          |                        |               | pcre: integer overflow in libpcre       |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-14155   |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| libsqlite3-0     | CVE-2020-9794    | MEDIUM   | 3.31.1-4ubuntu0.2      |               | An out-of-bounds read was               |
|                  |                  |          |                        |               | addressed with improved bounds          |
|                  |                  |          |                        |               | checking. This issue is...              |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-9794    |
+                  +------------------+----------+                        +---------------+-----------------------------------------+
|                  | CVE-2020-9849    | LOW      |                        |               | An information disclosure issue         |
|                  |                  |          |                        |               | was addressed with improved             |
|                  |                  |          |                        |               | state management. This issue...         |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-9849    |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-9991    |          |                        |               | This issue was addressed                |
|                  |                  |          |                        |               | with improved checks.                   |
|                  |                  |          |                        |               | This issue is fixed in...               |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-9991    |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| libsystemd0      | CVE-2018-20839   | MEDIUM   | 245.4-4ubuntu3.6       |               | systemd: mishandling of the             |
|                  |                  |          |                        |               | current keyboard mode check             |
|                  |                  |          |                        |               | leading to passwords being...           |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2018-20839   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-13529   |          |                        |               | systemd: DHCP FORCERENEW                |
|                  |                  |          |                        |               | authentication not implemented          |
|                  |                  |          |                        |               | can cause a system running the...       |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-13529   |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| libtasn1-6       | CVE-2018-1000654 | LOW      | 4.16.0-2               |               | libtasn1: Infinite loop in              |
|                  |                  |          |                        |               | _asn1_expand_object_id(ptree)           |
|                  |                  |          |                        |               | leads to memory exhaustion              |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| libudev1         | CVE-2018-20839   | MEDIUM   | 245.4-4ubuntu3.6       |               | systemd: mishandling of the             |
|                  |                  |          |                        |               | current keyboard mode check             |
|                  |                  |          |                        |               | leading to passwords being...           |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2018-20839   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-13529   |          |                        |               | systemd: DHCP FORCERENEW                |
|                  |                  |          |                        |               | authentication not implemented          |
|                  |                  |          |                        |               | can cause a system running the...       |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-13529   |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+
| locales          | CVE-2016-10228   | LOW      | 2.31-0ubuntu9.2        |               | glibc: iconv program can hang           |
|                  |                  |          |                        |               | when invoked with the -c option         |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2016-10228   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2019-25013   |          |                        |               | glibc: buffer over-read in              |
|                  |                  |          |                        |               | iconv when processing invalid           |
|                  |                  |          |                        |               | multi-byte input sequences in...        |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-25013   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-27618   |          |                        |               | glibc: iconv when processing            |
|                  |                  |          |                        |               | invalid multi-byte input                |
|                  |                  |          |                        |               | sequences fails to advance the...       |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-29562   |          |                        |               | glibc: assertion failure in iconv       |
|                  |                  |          |                        |               | when converting invalid UCS4            |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-29562   |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2020-6096    |          |                        |               | glibc: signed comparison                |
|                  |                  |          |                        |               | vulnerability in the                    |
|                  |                  |          |                        |               | ARMv7 memcpy function                   |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2020-6096    |
+                  +------------------+          +                        +---------------+-----------------------------------------+
|                  | CVE-2021-27645   |          |                        |               | glibc: Use-after-free in                |
|                  |                  |          |                        |               | addgetnetgrentX function                |
|                  |                  |          |                        |               | in netgroupcache.c                      |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2021-27645   |
+------------------+------------------+          +------------------------+---------------+-----------------------------------------+
| login            | CVE-2013-4235    |          | 1:4.8.1-1ubuntu5.20.04 |               | shadow-utils: TOCTOU race               |
|                  |                  |          |                        |               | conditions by copying and               |
|                  |                  |          |                        |               | removing directory trees                |
|                  |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2013-4235    |
+------------------+                  +          +                        +---------------+                                         +
| passwd           |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
|                  |                  |          |                        |               |                                         |
+------------------+------------------+----------+------------------------+---------------+-----------------------------------------+

flyway/lib/aad/nimbus-jose-jwt-9.8.1.jar
========================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

+------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| net.minidev:json-smart | CVE-2021-27568   | CRITICAL | 1.3.2             | 2.4.1         | json-smart: uncaught                  |
|                        |                  |          |                   |               | exception may lead to crash           |
|                        |                  |          |                   |               | or information disclosure             |
|                        |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-27568 |
+------------------------+------------------+----------+-------------------+---------------+---------------------------------------+
@juliahayward
Contributor

This is a transitive dependency of com.microsoft.azure:msal4j.jar v1.10.0 - if you're not using Windows auth to talk to SQL Server then this library is not invoked at all. I've submitted a request on to the MSAL maintainers and will look at forcibly overriding the version pulled when we build Flyway.

Interestingly, this vulnerability hasn't (yet) surfaced via Snyk.
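One way to apply the build-time override the comment describes, as an added example that is not Flyway's own pom.xml: the Trivy report located json-smart inside flyway/lib/aad/nimbus-jose-jwt-9.8.1.jar, so the pin the page supports is on nimbus-jose-jwt itself, lifted to 9.9.3 (the version the reporter scanned clean), rather than a direct pin of net.minidev:json-smart that would only take effect if json-smart were resolved as a separate artifact. It assumes a Maven build and the coordinates com.nimbusds:nimbus-jose-jwt and com.microsoft.azure:msal4j:1.10.0 (the latter as stated in the comment).

```xml
<!-- Added example, not Flyway's build file. Assumes a Maven build. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Force the transitive nimbus-jose-jwt pulled in via msal4j 1.10.0
           up to 9.9.3, the version the reporter scanned without findings.
           dependencyManagement wins over the version msal4j's own pom asks for. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.9.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency that brings in the vulnerable jar;
         its version is left as-is until the upstream request lands. -->
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>msal4j</artifactId>
      <version>1.10.0</version>
    </dependency>
  </dependencies>

  <!-- Verify the override took effect before rebuilding the image:
         mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt
       should show 9.9.3 under msal4j, with the 9.8.1 request marked as managed. -->
</project>
```

After rebuilding the image, re-running `trivy image` on it should no longer list a flyway/lib/aad/nimbus-jose-jwt-9.8.1.jar target with CVE-2021-27568.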
