You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
77 lines
3.7 KiB
Plaintext
77 lines
3.7 KiB
Plaintext
{
|
|
"version": "2.1.0",
|
|
"$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
|
|
"runs": [
|
|
{
|
|
"tool": {
|
|
"driver": {
|
|
"fullName": "Trivy Vulnerability Scanner",
|
|
"informationUri": "https://github.com/aquasecurity/trivy",
|
|
"name": "Trivy",
|
|
"rules": [
|
|
{
|
|
"id": "CVE-2021-36159",
|
|
"name": "OsPackageVulnerability",
|
|
"shortDescription": {
|
|
"text": "CVE-2021-36159"
|
|
},
|
|
"fullDescription": {
|
|
"text": "libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the \u0026#39;\\0\u0026#39; terminator one byte too late."
|
|
},
|
|
"defaultConfiguration": {
|
|
"level": "error"
|
|
},
|
|
"helpUri": "https://avd.aquasec.com/nvd/cve-2021-36159",
|
|
"help": {
|
|
"text": "Vulnerability CVE-2021-36159\nSeverity: CRITICAL\nPackage: apk-tools\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late.",
|
|
"markdown": "**Vulnerability CVE-2021-36159**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|CRITICAL|apk-tools|2.10.7-r0|[CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)|\n\nlibfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles numeric strings for the FTP and HTTP protocols. The FTP passive mode implementation allows an out-of-bounds read because strtol is used to parse the relevant numbers into address bytes. It does not check if the line ends prematurely. If it does, the for-loop condition checks for the '\\0' terminator one byte too late."
|
|
},
|
|
"properties": {
|
|
"precision": "very-high",
|
|
"security-severity": "9.1",
|
|
"tags": [
|
|
"vulnerability",
|
|
"security",
|
|
"CRITICAL"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"version": "0.37.2"
|
|
}
|
|
},
|
|
"results": [
|
|
{
|
|
"ruleId": "CVE-2021-36159",
|
|
"ruleIndex": 0,
|
|
"level": "error",
|
|
"message": {
|
|
"text": "Package: apk-tools\nInstalled Version: 2.10.6-r0\nVulnerability CVE-2021-36159\nSeverity: CRITICAL\nFixed Version: 2.10.7-r0\nLink: [CVE-2021-36159](https://avd.aquasec.com/nvd/cve-2021-36159)"
|
|
},
|
|
"locations": [
|
|
{
|
|
"physicalLocation": {
|
|
"artifactLocation": {
|
|
"uri": "library/alpine",
|
|
"uriBaseId": "ROOTPATH"
|
|
},
|
|
"region": {
|
|
"startLine": 1,
|
|
"startColumn": 1,
|
|
"endLine": 1,
|
|
"endColumn": 1
|
|
}
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"columnKind": "utf16CodeUnits",
|
|
"originalUriBaseIds": {
|
|
"ROOTPATH": {
|
|
"uri": "file:///"
|
|
}
|
|
}
|
|
}
|
|
]
|
|
} |