Tech Product Catalog (SNYK) - Medium Vulnerabilities


Introduction

As a security-conscious organization, it's essential to stay on top of the latest vulnerabilities in your tech products. In this report, we cover the medium-severity findings that the SNYK scanner reported across our tech product catalog. The scan was run on 13/03/2025 and the results cover a 30-day window.

Definition of Done (DOD)

Before we dive into the vulnerabilities, let's define what we mean by "Definition of Done" (DOD). Our DOD consists of three key steps:

  1. Vulnerabilities mapped: We've identified and documented all the vulnerabilities found in our tech product catalog.
  2. Vulnerabilities fixed: We've taken steps to address and fix the identified vulnerabilities.
  3. Confirmed by SecOps Team: Our security operations team has reviewed and confirmed that the vulnerabilities have been properly addressed.

Project Name: StackSpot Platform

Vulnerable Resources (Kubernetes configuration)

These three findings are missing hardening settings in the Pod or container securityContext, not exploitable bugs. None of them gives an attacker access on its own; each one widens what a process that is already compromised inside the container can do.

  • Container does not drop all default capabilities: the container keeps the runtime's default set of Linux capabilities (such as CHOWN and SETUID) instead of only the ones the workload needs, so a compromised process can use them. Fix: set securityContext.capabilities.drop to [ALL] and add back individual capabilities only where required.
  • Container is running without privilege escalation control: allowPrivilegeEscalation is not set to false, so a process can gain more privileges than its parent (for example through a setuid binary). Fix: set securityContext.allowPrivilegeEscalation: false, which sets the no_new_privs flag on the process.
  • Container or Pod is running without root user control: runAsNonRoot is not set, so the container may start as UID 0. A compromise of a root process leaves the attacker with root inside the container, which is the starting point most container-escape techniques need. Fix: set runAsNonRoot: true (at Pod or container level) and run the image as a dedicated non-root UID.

All three settings are required by the "restricted" level of Kubernetes Pod Security Admission, so enabling that level on the namespace enforces them cluster-wide instead of relying on each manifest.
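As an added example (not Snyk's code and not part of this report), the following Python check applies the three rules above to Kubernetes manifests so they can be caught in CI before the scan does. The manifests are constructed for the example and embedded as JSON, which kubectl accepts alongside YAML, so only the standard library is needed; the workload name and image are placeholders.

```python
"""Flag the three securityContext findings from this report in Kubernetes manifests.

Added example (not Snyk's code, not part of the report). Manifests are
constructed here as JSON, which kubectl accepts like YAML, so only the
standard library is needed. Names and images are placeholders.
"""
import json

# Constructed example: a Pod with no securityContext at all (all three findings).
WEAK_POD = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "catalog-api"},
    "spec": {"containers": [{"name": "api", "image": "example/catalog-api:1.0"}]},
})

# Constructed example: the same container inside a Deployment (checked via its template).
WEAK_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "catalog-api"},
    "spec": {
        "selector": {"matchLabels": {"app": "catalog-api"}},
        "template": {
            "metadata": {"labels": {"app": "catalog-api"}},
            "spec": {"containers": [{"name": "api", "image": "example/catalog-api:1.0"}]},
        },
    },
})

# Constructed example: the corrected Pod. runAsNonRoot at Pod level applies to
# every container; capabilities and privilege escalation are per container.
HARDENED_POD = json.dumps({
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "catalog-api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "api",
            "image": "example/catalog-api:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
})

FINDINGS = {
    "caps": "Container does not drop all default capabilities",
    "escalation": "Container is running without privilege escalation control",
    "root": "Container or Pod is running without root user control",
}


def pod_spec(manifest):
    """Return the PodSpec of a Pod, or of the Pod template inside a workload
    object (Deployment, StatefulSet, DaemonSet, Job)."""
    obj = json.loads(manifest)
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def check_pod(manifest):
    """Return (container name, finding text) pairs; an empty list means all
    three controls are set for every container and init container."""
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        ctx = c.get("securityContext", {})
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            findings.append((c["name"], FINDINGS["caps"]))
        # Only an explicit false counts: the Kubernetes default is true.
        if ctx.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], FINDINGS["escalation"]))
        # A container-level runAsNonRoot overrides the Pod-level value.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            findings.append((c["name"], FINDINGS["root"]))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak pod", WEAK_POD),
                            ("weak deployment", WEAK_DEPLOYMENT),
                            ("hardened pod", HARDENED_POD)):
        print(f"{label}: {check_pod(manifest) or 'no findings'}")
```

The check deliberately mirrors the scanner's wording so a hit in CI maps one-to-one onto the Snyk finding it prevents. It covers only these three rules; a cluster that enforces the "restricted" Pod Security level rejects the weak manifests above at admission time, and also catches settings this script does not look at, such as privileged: true or a writable root filesystem.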

Vulnerable Resources (packages)

Two notes on reading this list. First, the severity is Snyk's own score, so a finding that is medium here can be rated higher elsewhere; the snakeyaml "Arbitrary Code Execution" entry in particular should be treated as high wherever untrusted YAML is parsed. Second, findings whose title is a license name are license policy matches, not security vulnerabilities; Snyk reports them in the same output, so they are kept here but marked as such. Packages that appear more than once were reported more than once by the scan (the same package pulled into more than one image or module) and are kept in the order reported.

  • openssl/libcrypto3 3.1.1-r1 (Alpine package): several issues in this release line.
    • Out-of-bounds Write: memory corruption; crafted input can crash the process and, in the worst case, lead to code execution.
    • Improper Check for Unusual or Exceptional Conditions: an error condition is not handled correctly; the usual result is a crash or a wrong result, not a bypass of a security check.
    • CVE-2024-0727: a NULL pointer dereference while parsing a malformed PKCS12 file, which crashes the process (denial of service). It does not grant elevated privileges and only applies where PKCS12 files from untrusted sources are loaded.
    • Improper Authentication: Snyk's CWE classification for the issue; the practical impact depends on which API the advisory names.
    • Inefficient Regular Expression Complexity: Snyk's CWE label for an algorithmic-complexity problem (processing cost grows far faster than the input); the impact is CPU exhaustion, not a bypass of security checks.
    Fix: rebuild on an updated Alpine base image, which upgrades libcrypto3 and libssl3 together.
  • openssl/libssl3 3.1.1-r1 (Alpine package, same source build as libcrypto3):
    • Improper Check for Unusual or Exceptional Conditions: as for libcrypto3.
    • Excessive Iteration: a loop that crafted input can make run far longer than intended; the impact is CPU exhaustion (denial of service).
  • glibc/libc6 2.36-9+deb12u3 (Debian 12 package):
    • Incorrect Calculation of Buffer Size: a buffer is sized incorrectly, so data can be written past its end (memory corruption).
  • tar 1.34+dfsg-1.2:
    • Out-of-bounds Read: parsing a crafted archive reads past the end of a buffer; the result is a crash or a leak of adjacent memory. Only relevant where untrusted archives are unpacked.
  • systemd/libsystemd0 252.19-1~deb12u1 (Debian 12 package):
    • CVE-2023-7008: systemd-resolved can accept records for a DNSSEC-signed zone even when they carry no signature, so an on-path attacker or a malicious upstream resolver can forge DNS answers. This is a loss of integrity for DNS responses, not privilege escalation. The flaw is in systemd-resolved; libsystemd0 is flagged because it is built from the same systemd source version. An image that does not run systemd-resolved does not contain the exploitable code path, but the package still has to be updated for the finding to clear.
  • inflight 1.0.6 (npm package):
    • Missing Release of Resource after Effective Lifetime: a memory leak (request bookkeeping entries are not released after their callbacks run), which a long-running process turns into resource exhaustion. There is no patched release of inflight itself; it goes away by upgrading the package that depends on it, typically an old glob.
  • serialize-javascript 6.0.1 (npm package):
    • Cross-site Scripting (XSS): the serialized output is not fully escaped, so a value under attacker control can inject script when that output is embedded in a page.
  • tar 1.34+dfsg-1.2, reported a second time:
    • Out-of-bounds Read: as above.
  • systemd/libudev1 252.19-1~deb12u1 (Debian 12 package):
    • CVE-2023-7008: as for libsystemd0; same source package, same fix.
  • glibc/libc-bin 2.36-9+deb12u3 (Debian 12 package):
    • Incorrect Calculation of Buffer Size: as for libc6; same source package, same fix.
  • gnutls28/libgnutls30 3.7.1-5+deb11u3 (Debian 11 package; this image is a release behind the Debian 12 images above):
    • Information Exposure: the library can leak data that should stay secret; whether the affected code path is reachable depends on whether the image uses GnuTLS as a client, as a server, or not at all.
  • tar 1.34+dfsg-1 (an older build than the 1.34+dfsg-1.2 above):
    • Out-of-bounds Read: as above.
  • gnutls28/libgnutls30 3.7.1-5+deb11u3, reported a second time:
    • Information Exposure: as above.
  • org.hibernate.orm:hibernate-core 6.5.2.Final:
    • LGPL-2.1 license: license policy finding, not a security vulnerability. Review against the organization's license policy; there is nothing for an attacker to exploit.
  • ch.qos.logback:logback-core 1.5.11:
    • Dual license: EPL-1.0, LGPL-2.1: license policy finding, as above.
  • org.springframework.boot:spring-boot-actuator 3.0.5:
    • Denial of Service (DoS): a crafted request can make the service unavailable.
  • org.springframework:spring-web 6.0.7:
    • Denial of Service (DoS): as above.
  • com.h2database:h2 2.2.220:
    • Dual license: EPL-1.0, MPL-2.0: license policy finding, as above.
  • io.netty:netty-handler 4.1.90.Final:
    • Denial of Service (DoS): a crafted connection or message makes the handler consume resources until the service is unavailable.
  • org.apache.tomcat.embed:tomcat-embed-core 10.1.7:
    • Access Restriction Bypass: a request can reach a resource that a configured constraint should have blocked.
    • Incomplete Cleanup: state from one request is not fully cleared before the next, so data can cross between requests.
  • org.bouncycastle:bcprov-jdk15on 1.69:
    • Uncontrolled Resource Consumption ('Resource Exhaustion'): crafted input makes the library consume CPU or memory without bound. The jdk15on artifact line is no longer maintained; the fix is to move to bcprov-jdk18on rather than to a newer jdk15on release.
  • ch.qos.logback:logback-classic 1.5.6:
    • Dual license: EPL-1.0, LGPL-2.1: license policy finding, as above.
  • org.hibernate.common:hibernate-commons-annotations 6.0.6.Final:
    • LGPL-2.1 license: license policy finding, as above.
  • org.apache.commons:commons-compress 1.22:
    • Improper Input Validation: a crafted archive is not rejected and makes the parser consume excessive resources (denial of service). Only relevant where untrusted archives are parsed.
  • org.yaml:snakeyaml 1.33:
    • Arbitrary Code Execution: parsing untrusted YAML with the default Yaml() constructor lets the document name arbitrary classes to instantiate through global tags, which is a deserialization path to code execution. Load untrusted input with SafeConstructor, or upgrade to SnakeYAML 2.x where the default loader refuses global tags, and treat this as higher than medium wherever YAML crosses a trust boundary.
  • com.h2database:h2 2.2.220, reported a second time:
    • Information Exposure: the database can reveal data that should stay hidden.
  • org.apache.tomcat.embed:tomcat-embed-core 10.1.7, reported a second time:
    • Denial of Service (DoS): a crafted request or connection makes the embedded server unavailable.
  • org.mozilla:rhino 1.7.12:
    • MPL-2.0 license: license policy finding, as above.
  • org.springframework:spring-expression 6.0.7:
    • Allocation of Resources Without Limits or Throttling: a crafted SpEL expression can consume unbounded CPU or memory while being evaluated. Only relevant where untrusted input is fed to SpEL.
  • org.aspectj:aspectjweaver 1.9.19:
    • EPL-1.0 license: license policy finding, as above.
  • commons-fileupload:commons-fileupload 1.4:
    • Denial of Service (DoS): there is no limit on the number of parts in a multipart request, so a single request can exhaust resources; 1.5 adds a configurable file-count limit.
  • org.apache.tomcat.embed:tomcat-embed-core 10.1.7, reported a third time:
    • Improper Input Validation: a malformed request is accepted rather than rejected; in an HTTP engine this is the usual precondition for request smuggling, so the advisory details matter here.

The spring-boot-actuator 3.0.5, spring-web 6.0.7, spring-expression 6.0.7, tomcat-embed-core 10.1.7, netty-handler 4.1.90.Final and snakeyaml 1.33 versions are the set that a Spring Boot 3.0.x build pulls in through its dependency management, so raising the Spring Boot version is the single change that moves them together; the remaining Maven findings need individual version bumps.
  • org.hibernate.common:hibernate-commons-annotations 6.0.6.Final, reported again:
    • LGPL-2.1 license: license policy finding, not a security vulnerability.
  • org.apache.tomcat.embed:tomcat-embed-core 10.1.7, reported again:
    • Access Restriction Bypass: a request can reach a resource that a configured constraint should have blocked.
  • org.hibernate.orm:hibernate-core 6.4.9.Final:
    • LGPL-2.1 license: license policy finding, not a security vulnerability.
  • ch.qos.logback:logback-core 1.5.6:
    • Dual license: EPL-1.0, LGPL-2.1: license policy finding, not a security vulnerability.
  • org.hibernate.common:hibernate-commons-annotations 6.0.6.Final, reported again:
    • LGPL-2.1 license: license policy finding.
  • org.apache.commons:commons-compress 1.22, reported again:
    • Improper Input Validation: a crafted archive makes the parser consume excessive resources (denial of service).
  • org.yaml:snakeyaml 1.33, reported again:
    • Arbitrary Code Execution: deserialization of untrusted YAML with the default constructor can instantiate arbitrary classes; use SafeConstructor or upgrade to 2.x.
  • ch.qos.logback.contrib:logback-json-core 0.1.5:
    • Dual license: EPL-1.0, LGPL-2.0: license policy finding, not a security vulnerability.
  • org.bouncycastle:bcprov-jdk15on 1.69, reported again:
    • Information Exposure: the library can reveal data that should stay secret; the jdk15on artifact line is no longer maintained, so move to bcprov-jdk18on.
  • org.hibernate.orm:hibernate-core 6.4.9.Final, reported again:
    • LGPL-2.1 license: license policy finding.
  • org.springframework.boot:spring-boot-actuator 3.0.5, reported again:
    • Denial of Service (DoS): a crafted request can make the service unavailable.
  • ch.qos.logback:logback-core 1.5.6, reported again:
    • Dual license: EPL-1.0, LGPL-2.1: license policy finding.
  • org.hibernate.common:hibernate-commons-annotations 6.0.6.Final, reported again:
    • LGPL-2.1 license: license policy finding.
  • org.apache.commons:commons-compress 1.22, reported again:
    • Improper Input Validation: as above.
  • org.yaml:snakeyaml 1.33, reported again:
    • Arbitrary Code Execution: as above.
  • ch.qos.logback.contrib:logback-json-classic 0.1.5:
    • Dual license: EPL-1.0, LGPL-2.0: license policy finding, not a security vulnerability.
  • org.springframework:spring-web 6.0.7, reported again:
    • Denial of Service (DoS): a crafted request can make the service unavailable.
  • org.apache.tomcat.embed:tomcat-embed-core 10.1.7, reported again:
    • Improper Input Validation: a malformed request is accepted rather than rejected.
  • ch.qos.logback:logback-classic 1.5.12:
    • Dual license: EPL-1.0, LGPL-2.1: license policy finding, not a security vulnerability.
  • org.aspectj:aspectjweaver 1.9.22.1:
    • EPL-1.0 license: license policy finding, not a security vulnerability.
  • org.springframework:spring-expression 6.0.7, reported again:
    • Allocation of Resources Without Limits or Throttling: a crafted SpEL expression can consume unbounded resources during evaluation.
  • ch.qos.logback.contrib:logback-jackson 0.1.5:
    • Dual license: EPL-1.0, LGPL-2.0: license policy finding, not a security vulnerability.
  • Container does not drop all default capabilities (further workloads): missing securityContext.capabilities.drop: [ALL]; a compromised process keeps the runtime's default capability set.
  • Container is running without privilege escalation control (further workloads): missing securityContext.allowPrivilegeEscalation: false; a compromised process can gain more privileges than its parent.
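The Definition of Done needs a work list rather than the raw finding stream: license policy matches go to a different owner than security fixes, the same package reported for several images is one upgrade rather than several, and whether Snyk names a fix version decides the action. The script below, an added example that is not part of this report or of Snyk's tooling, does that split over Snyk's JSON output. The sample report is constructed from entries on this page (the ids are placeholders); the field names it reads (vulnerabilities[], packageName, version, title, type, fixedIn) are the ones snyk test --json is assumed here to emit and should be confirmed against real output.

```python
"""Turn a Snyk JSON report into DoD work items: split license policy findings
from security vulnerabilities, collapse repeated package/issue pairs, and list
the fix versions Snyk reported.

Added example, not part of the report or of Snyk's tooling. The input shape
(vulnerabilities[] with packageName, version, title, type, fixedIn) is assumed
to match `snyk test --json`; confirm the field names against your own output.
"""
import json
from collections import defaultdict

# Constructed sample modelled on entries in this report; ids are placeholders.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "sample-001", "type": "vuln", "severity": "medium",
     "packageName": "openssl/libcrypto3", "version": "3.1.1-r1",
     "title": "CVE-2024-0727", "fixedIn": []},
    {"id": "sample-002", "type": "vuln", "severity": "medium",
     "packageName": "tar", "version": "1.34+dfsg-1.2",
     "title": "Out-of-bounds Read", "fixedIn": []},
    {"id": "sample-002", "type": "vuln", "severity": "medium",   # same issue, second image
     "packageName": "tar", "version": "1.34+dfsg-1.2",
     "title": "Out-of-bounds Read", "fixedIn": []},
    {"id": "sample-003", "type": "license", "severity": "medium",
     "packageName": "org.hibernate.orm:hibernate-core", "version": "6.5.2.Final",
     "title": "LGPL-2.1 license", "fixedIn": []},
    {"id": "sample-004", "type": "vuln", "severity": "medium",
     "packageName": "org.yaml:snakeyaml", "version": "1.33",
     "title": "Arbitrary Code Execution", "fixedIn": ["2.0"]},
    {"id": "sample-005", "type": "vuln", "severity": "medium",
     "packageName": "org.apache.tomcat.embed:tomcat-embed-core", "version": "10.1.7",
     "title": "Access Restriction Bypass", "fixedIn": []},
    {"id": "sample-006", "type": "vuln", "severity": "medium",
     "packageName": "org.apache.tomcat.embed:tomcat-embed-core", "version": "10.1.7",
     "title": "Incomplete Cleanup", "fixedIn": []},
]})


def load_findings(report_json):
    """Parse the report text and return the raw findings list."""
    return json.loads(report_json).get("vulnerabilities", [])


def dedupe(findings):
    """Collapse repeated (package, version, issue) triples: the same layer or
    module pulled into several images is one work item, not several."""
    seen, unique = set(), []
    for f in findings:
        key = (f["packageName"], f["version"], f["title"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def triage(findings):
    """Split into license-policy findings and security vulnerabilities,
    each grouped as package@version -> sorted issue titles."""
    buckets = {"license": defaultdict(set), "security": defaultdict(set)}
    for f in dedupe(findings):
        bucket = "license" if f.get("type") == "license" else "security"
        buckets[bucket][f"{f['packageName']}@{f['version']}"].add(f["title"])
    return {k: {pkg: sorted(titles) for pkg, titles in v.items()}
            for k, v in buckets.items()}


def upgrade_plan(findings):
    """For each vulnerable package@version, the fix versions Snyk reported,
    or None when no fix version is given (rebuild the base image, replace the
    dependency, or accept the risk with a documented reason)."""
    plan = {}
    for f in dedupe(findings):
        if f.get("type") == "license":
            continue
        key = f"{f['packageName']}@{f['version']}"
        plan.setdefault(key, set()).update(f.get("fixedIn") or [])
    return {k: (sorted(v) or None) for k, v in plan.items()}


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(json.dumps(triage(findings), indent=2))
    print(json.dumps(upgrade_plan(findings), indent=2))
```

Run against a real `snyk test --json` export, the "security" bucket with a fix version is the upgrade list for DoD step 2, the entries with None are the ones that need a base-image rebuild or a dependency replacement, and the "license" bucket goes to whoever owns the license policy instead of clogging the SecOps confirmation in step 3.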