Security information
Updated Synopsys scanner to version 2022.3.
All CVEs reported in OpenJDK 1.8.0u302 have been resolved by removal of the component.
All CVEs reported in NumPy are false positives, the result of being picked up from cache but for a version not in use with MSR.
Resolved CVEs, as detailed:

| CVE | Status | Description |
| --- | --- | --- |
|  | Resolved | Prior to 1.2.12, zlib allows memory corruption when deflating when the input has many distant matches. |
|  | Resolved | BusyBox up through version 1.35.0 allows remote attackers to execute arbitrary code when netstat is used to print the value of a DNS PTR record to a VT-compatible terminal. Alternatively, attackers can choose to change the colors of the terminal. |
|  | Resolved | Prior to 1.9.10, GORM permits SQL injection through incomplete parentheses. Note that misusing GORM by passing untrusted user input when GORM expects trusted SQL fragments is not a vulnerability in GORM but in the application. |
|  | Resolved/False Positive | Prior to 4.0.0-preview1, jwt-go allows attackers to bypass intended access restrictions in situations with `[]string{}` for `m["aud"]`, which is allowed according to the specification. The value of aud is "" because the type assertion fails. This is a security problem if the JWT token is presented to a service that lacks its own audience check. |
|  | Not Vulnerable. The CVE is present in the JobRunner image; however, while it is a required dependency of a component running in JobRunner, its functionality is never exercised. | In OpenLDAP 2.x prior to 2.5.12 and in 2.6.x prior to 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping. |
|  | False Positive. Though Alpine Linux contains the affected OpenSSL version, the `c_rehash` script has been replaced by a C binary. | The `c_rehash` script does not properly sanitize shell metacharacters to prevent command injection. Some operating systems distribute this script in a manner in which it is automatically executed, in which case attackers can execute arbitrary commands with the privileges of the script. Use of this script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. The vulnerability is fixed in OpenSSL 3.0.3, OpenSSL 1.1.1o, and in OpenSSL 1.0.2ze. |
|  | False Positive | NumPy 1.16.0 and earlier use the pickle Python module in an unsafe manner that allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a `numpy.load` call. Note that third parties dispute the issue as, for example, it is a behavior that can have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources. |