Snyk test report
- quay.io/argoproj/argocd:v2.12.10/argoproj/argocd/Dockerfile (deb)
- quay.io/argoproj/argocd:v2.12.10/argoproj/argo-cd/v2//usr/local/bin/argocd (gomodules)
- quay.io/argoproj/argocd:v2.12.10//usr/local/bin/kustomize (gomodules)
- quay.io/argoproj/argocd:v2.12.10/helm/v3//usr/local/bin/helm (gomodules)
- quay.io/argoproj/argocd:v2.12.10/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.
Remediation
Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.
References
Server-side Request Forgery (SSRF)
Detailed paths
Overview
golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.
Remediation
Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.
References
Denial of Service (DoS)
Detailed paths
Overview
golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.
Affected versions of this package are vulnerable to Denial of Service (DoS) through the functions parseDoctype, htmlIntegrationPoint, inBodyIM and inTableIM due to inefficient usage of the method strings.ToLower combining with the == operator to convert strings to lowercase and then comparing them.
An attacker can cause the application to slow down significantly by crafting inputs that are processed non-linearly.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade golang.org/x/net/html to version 0.33.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
golang.org/x/crypto/ssh is a SSH client and server
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.
Remediation
Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.
References
CVE-2024-56433
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Remediation
There is no fixed version for Ubuntu:24.04 shadow.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56433
- https://github.com/shadow-maint/shadow/blob/e2512d5741d4a44bdd81a8c2d0029b6222728cf0/etc/login.defs#L238-L241
- https://github.com/shadow-maint/shadow/issues/1157
- https://github.com/shadow-maint/shadow/releases/tag/4.4
Insecure Storage of Sensitive Information
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.
Remediation
There is no fixed version for Ubuntu:24.04 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041
- https://access.redhat.com/security/cve/CVE-2024-10041
- https://bugzilla.redhat.com/show_bug.cgi?id=2319212
- https://access.redhat.com/errata/RHSA-2024:9941
- https://access.redhat.com/errata/RHSA-2024:10379
- https://access.redhat.com/errata/RHSA-2024:11250
Improper Authentication
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability allows attackers to trick the system by pretending to be a trusted hostname, gaining unauthorized access. This issue poses a risk for systems that rely on this feature to control who can access certain services or terminals.
Remediation
There is no fixed version for Ubuntu:24.04 pam.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10963
- https://access.redhat.com/security/cve/CVE-2024-10963
- https://bugzilla.redhat.com/show_bug.cgi?id=2324291
- https://access.redhat.com/errata/RHSA-2024:10232
- https://access.redhat.com/errata/RHSA-2024:10244
- https://access.redhat.com/errata/RHSA-2024:10379
- https://access.redhat.com/errata/RHSA-2024:10518
- https://access.redhat.com/errata/RHSA-2024:10528
- https://access.redhat.com/errata/RHSA-2024:10852
Resource Exhaustion
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
Remediation
Upgrade Ubuntu:24.04 openssh to version 1:9.6p1-3ubuntu13.8 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-26466
- https://access.redhat.com/security/cve/CVE-2025-26466
- https://bugzilla.redhat.com/show_bug.cgi?id=2345043
- https://bugzilla.suse.com/show_bug.cgi?id=1237041
- https://security-tracker.debian.org/tracker/CVE-2025-26466
- https://security.netapp.com/advisory/ntap-20250228-0002/
- https://ubuntu.com/security/CVE-2025-26466
- https://www.openwall.com/lists/oss-security/2025/02/18/1
- https://www.openwall.com/lists/oss-security/2025/02/18/4
- https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt
Detection of Error Condition Without Action
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.
Remediation
Upgrade Ubuntu:24.04 openssh to version 1:9.6p1-3ubuntu13.8 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-26465
- https://access.redhat.com/security/cve/CVE-2025-26465
- https://bugzilla.redhat.com/show_bug.cgi?id=2344780
- https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
- https://bugzilla.suse.com/show_bug.cgi?id=1237040
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig
- https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html
- https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html
- https://security-tracker.debian.org/tracker/CVE-2025-26465
- https://security.netapp.com/advisory/ntap-20250228-0003/
- https://ubuntu.com/security/CVE-2025-26465
- https://www.openssh.com/releasenotes.html#9.9p2
- https://www.openwall.com/lists/oss-security/2025/02/18/1
- https://www.openwall.com/lists/oss-security/2025/02/18/4
- https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/
- https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh
- https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh
- https://seclists.org/oss-sec/2025/q1/144
Algorithmic Complexity
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.
Remediation
Upgrade Ubuntu:24.04 libtasn1-6 to version 4.19.0-3ubuntu0.24.04.1 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12133
- https://access.redhat.com/security/cve/CVE-2024-12133
- https://bugzilla.redhat.com/show_bug.cgi?id=2344611
- https://gitlab.com/gnutls/libtasn1/-/issues/52
- http://www.openwall.com/lists/oss-security/2025/02/06/6
- https://lists.debian.org/debian-lts-announce/2025/02/msg00025.html
CVE-2025-1390
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.
Remediation
Upgrade Ubuntu:24.04 libcap2 to version 1:2.66-5ubuntu2.2 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-1390
- https://bugzilla.openanolis.cn/show_bug.cgi?id=18804
Memory Leak
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c.
Remediation
Upgrade Ubuntu:24.04 krb5 to version 1.20.1-6ubuntu2.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-26462
- https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md
- https://security.netapp.com/advisory/ntap-20240415-0012/
Improper Validation of Integrity Check Value
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
Remediation
Upgrade Ubuntu:24.04 krb5 to version 1.20.1-6ubuntu2.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-3596
- https://www.kb.cert.org/vuls/id/456537
- http://www.openwall.com/lists/oss-security/2024/07/09/4
- https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
- https://datatracker.ietf.org/doc/html/rfc2865
- https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014
- https://security.netapp.com/advisory/ntap-20240822-0001/
- https://today.ucsd.edu/story/computer-scientists-discover-vulnerabilities-in-a-popular-security-protocol
- https://www.blastradius.fail/
CVE-2025-24528
Detailed paths
NVD Description
This vulnerability has not been analyzed by NVD yet.
Remediation
Upgrade Ubuntu:24.04 krb5 to version 1.20.1-6ubuntu2.5 or higher.
References
Algorithmic Complexity
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
Remediation
Upgrade Ubuntu:24.04 gnutls28 to version 3.8.3-1.1ubuntu3.3 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12243
- https://access.redhat.com/security/cve/CVE-2024-12243
- https://bugzilla.redhat.com/show_bug.cgi?id=2344615
- https://gitlab.com/gnutls/libtasn1/-/issues/52
- https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html
CVE-2025-0395
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.
Remediation
Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.4 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0395
- https://sourceware.org/bugzilla/show_bug.cgi?id=32582
- https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001
- https://sourceware.org/pipermail/libc-announce/2025/000044.html
- https://www.openwall.com/lists/oss-security/2025/01/22/4
- http://www.openwall.com/lists/oss-security/2025/01/22/4
- http://www.openwall.com/lists/oss-security/2025/01/23/2
- https://security.netapp.com/advisory/ntap-20250228-0006/
Denial of Service (DoS)
Detailed paths
Overview
Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a Access-Control-Request-Headers header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.
PoC
func BenchmarkPreflightAdversarialACRH(b *testing.B) {
resps := makeFakeResponses(b.N)
req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
req.Header.Add(headerOrigin, dummyOrigin)
req.Header.Add(headerACRM, http.MethodGet)
req.Header[headerACRH] = adversarialACRH
handler := Default().Handler(testHandler)
b.ReportAllocs()
b.ResetTimer()
for i := 0; i < b.N; i++ {
handler.ServeHTTP(resps[i], req)
}
}
var adversarialACRH []string
func init() { // populates adversarialACRH
n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
commas := strings.Repeat(",", n)
res := make([]string, n)
for i := range res {
res[i] = commas
}
adversarialACRH = res
}
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade github.com/rs/cors to version 1.11.0 or higher.
References
Allocation of Resources Without Limits or Throttling
Detailed paths
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.
Workaround
This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.
Remediation
Upgrade github.com/go-jose/go-jose/v3 to version 3.0.4 or higher.
References
Generation of Error Message Containing Sensitive Information
Detailed paths
Overview
Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information when syncing invalid Kubernetes Secret resources. An attacker with write access to the repository can expose secret values by committing an invalid Secret to repository and triggering a Sync, which then become visible to any user with read access to Argo CD.
Remediation
A fix was pushed into the master branch but not yet published.
References
Generation of Error Message Containing Sensitive Information
Detailed paths
Overview
Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information when syncing invalid Kubernetes Secret resources. An attacker with write access to the repository can expose secret values by committing an invalid Secret to repository and triggering a Sync, which then become visible to any user with read access to Argo CD.
Remediation
A fix was pushed into the master branch but not yet published.
References
Improper Encoding or Escaping of Output
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.
Remediation
There is no fixed version for Ubuntu:24.04 git.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
- https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
- https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net
Release of Invalid Pointer or Reference
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.
Remediation
There is no fixed version for Ubuntu:24.04 patch.
References
Double Free
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.
Remediation
There is no fixed version for Ubuntu:24.04 patch.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-6952
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6952
- https://security-tracker.debian.org/tracker/CVE-2018-6952
- https://security.gentoo.org/glsa/201904-17
- https://savannah.gnu.org/bugs/index.php?53133
- https://access.redhat.com/errata/RHSA-2019:2033
- http://www.securityfocus.com/bid/103047
CVE-2024-41996
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.
Remediation
There is no fixed version for Ubuntu:24.04 openssl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-41996
- https://dheatattack.gitlab.io/details/
- https://dheatattack.gitlab.io/faq/
- https://gist.github.com/c0r0n3r/abccc14d4d96c0442f3a77fa5ca255d1
CVE-2024-9143
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.
Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low.
In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding.
The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions.
Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-9143
- https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
- https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700
- https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4
- https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154
- https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a
- https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41
- https://openssl-library.org/news/secadv/20241016.txt
- http://www.openwall.com/lists/oss-security/2024/10/16/1
- http://www.openwall.com/lists/oss-security/2024/10/23/1
- http://www.openwall.com/lists/oss-security/2024/10/24/1
- https://security.netapp.com/advisory/ntap-20241101-0001/
CVE-2024-13176
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.
Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.
There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.
Remediation
Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-13176
- https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844
- https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467
- https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902
- https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65
- https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f
- https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded
- https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86
- https://openssl-library.org/news/secadv/20250120.txt
- http://www.openwall.com/lists/oss-security/2025/01/20/2
- https://security.netapp.com/advisory/ntap-20250124-0005/
Information Exposure
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Remediation
There is no fixed version for Ubuntu:24.04 libgcrypt20.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2236
- https://access.redhat.com/errata/RHSA-2024:9404
- https://bugzilla.redhat.com/show_bug.cgi?id=2268268
- https://access.redhat.com/security/cve/CVE-2024-2236
- https://bugzilla.redhat.com/show_bug.cgi?id=2245218
CVE-2024-26458
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.
Remediation
Upgrade Ubuntu:24.04 krb5 to version 1.20.1-6ubuntu2.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-26458
- https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
- https://security.netapp.com/advisory/ntap-20240415-0010/
CVE-2024-26461
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
Remediation
Upgrade Ubuntu:24.04 krb5 to version 1.20.1-6ubuntu2.5 or higher.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-26461
- https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
- https://security.netapp.com/advisory/ntap-20240415-0011/
Out-of-bounds Write
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
Remediation
There is no fixed version for Ubuntu:24.04 gnupg2.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3219
- https://access.redhat.com/security/cve/CVE-2022-3219
- https://bugzilla.redhat.com/show_bug.cgi?id=2127010
- https://dev.gnupg.org/D556
- https://dev.gnupg.org/T5993
- https://marc.info/?l=oss-security&m=165696590211434&w=4
- https://security.netapp.com/advisory/ntap-20230324-0001/
Allocation of Resources Without Limits or Throttling
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
Remediation
There is no fixed version for Ubuntu:24.04 glibc.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-20013
- https://akkadia.org/drepper/SHA-crypt.txt
- https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
- https://twitter.com/solardiz/status/795601240151457793
Insufficient Documentation of Error Handling Techniques
Detailed paths
Overview
Affected versions of this package are vulnerable to Insufficient Documentation of Error Handling Techniques in the ParseWithClaims function. An attacker can exploit this to accept invalid tokens by only checking for specific errors and ignoring others.
Workaround
Users who are not able to upgrade to the fixed version should make sure that they are properly checking for all errors, see example_test.go
Remediation
Upgrade github.com/golang-jwt/jwt/v4 to version 4.5.1 or higher.
References
Insufficient Documentation of Error Handling Techniques
Detailed paths
Overview
Affected versions of this package are vulnerable to Insufficient Documentation of Error Handling Techniques in the ParseWithClaims function. An attacker can exploit this to accept invalid tokens by only checking for specific errors and ignoring others.
Workaround
Users who are not able to upgrade to the fixed version should make sure that they are properly checking for all errors, see example_test.go
Remediation
A fix was pushed into the master branch but not yet published.
References
CVE-2025-0167
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
When asked to use a .netrc file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that
omits both login and password. A rare circumstance.
Remediation
There is no fixed version for Ubuntu:24.04 curl.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0167
- https://curl.se/docs/CVE-2025-0167.json
- https://hackerone.com/reports/2917232
- https://security.netapp.com/advisory/ntap-20250306-0008/
- https://curl.se/docs/CVE-2025-0167.html
Improper Input Validation
Detailed paths
NVD Description
Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu.
See How to fix? for Ubuntu:24.04 relevant fixed versions and status.
chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
Remediation
There is no fixed version for Ubuntu:24.04 coreutils.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2781
- https://security-tracker.debian.org/tracker/CVE-2016-2781
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
- http://www.openwall.com/lists/oss-security/2016/02/28/2
- http://www.openwall.com/lists/oss-security/2016/02/28/3
- https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E