OldReportingTemplate Example

Uploaded by vandana.june15

DevTenantQAOrg/DevQAPrivateSCA

Code Security Report

002ce05c-4d0d-4259-bc86-ede992770144 | 2024-01-14T15:38:39.66Z

1/50
Table of Contents

Executive Summary

Scan Summary

Scan Results

SAST

SCA

IaC Security

Executive Summary

Total Vulnerabilities  High  Med  Low  Info
                   70    31   31    7     1

[Bar chart: Vulnerabilities per Scanner, showing the High, Med, Low and Info counts for each of IaC Security, SAST and SCA; y-axis 0 to 40]

Scan Information

Project name: DevTenantQAOrg/DevQAPrivateSCA
Scanners: SAST, SCA, IaC Security
Risk level: High

Result triage:
  IaC Security: Confirmed 0%, Not Exploitable 0%, Proposed Not Exploitable 0%, To Verify 100%, Urgent 0%
  SAST: Confirmed 0%, Not Exploitable 16.67%, Proposed Not Exploitable 0%, To Verify 83.33%, Urgent 0%
  SCA: Confirmed 0%, Not Exploitable 0%, Proposed Not Exploitable 0%, To Verify 100%, Urgent 0%

Scan Summary

Scan ID: f17abcb6-8b74-4ca6-98ab-49283838c9b7

Languages: vb6

Number of scanners: 3
Completed date: 2024-01-14 08:14:46.73937 +0000 UTC

Scanner types: SAST, SCA, IaC Security

ASD STIG 4.10
Category (High / Med / Low)

APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. (- / 2 / -)

APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection. (2 / - / -)

APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities. (- / 1 / -)

APSC-DV-003110 - CAT I The application must not contain embedded authentication data. (- / 1 / -)

FISMA 2014
Category (High / Med / Low)

Identification And Authentication (- / 2 / -)

System And Information Integrity (2 / - / -)

NIST SP 800-53
Category (High / Med / Low)

SC-4 Information in Shared Resources (P1) (- / 2 / -)

SI-10 Information Input Validation (P1) (2 / - / -)

OWASP Top 10 2013
Category (High / Med / Low)

A1-Injection (2 / - / -)

A2-Broken Authentication and Session Management (- / 1 / -)

A4-Insecure Direct Object References (- / 1 / -)

A6-Sensitive Data Exposure (- / 2 / -)

OWASP Top 10 2017
Category (High / Med / Low)

A1-Injection (2 / - / -)

A2-Broken Authentication (- / 1 / -)

A3-Sensitive Data Exposure (- / 2 / -)

A5-Broken Access Control (- / 1 / -)

OWASP Top 10 2021
Category (High / Med / Low)

A1-Broken Access Control (- / 2 / -)

A3-Injection (2 / - / -)

A4-Insecure Design (- / 1 / -)

A5-Security Misconfiguration (- / 1 / -)

PCI DSS v3.2.1
Category (High / Med / Low)

PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection (2 / - / -)

Scan Results

SAST

Total  High  Med  Low  Info
    5     1    4    0     0

vb6

SQL_Injection

Description: The application's @DestinationMethod method executes an SQL query with @DestinationElement, at line
@DestinationLine of @DestinationFile. The application constructs this SQL query by embedding an untrusted
string into the query without proper sanitization. The concatenated string is submitted to the database, where it
is parsed and executed accordingly. An attacker would be able to inject arbitrary syntax and data into the SQL
query, by crafting a malicious payload and providing it via the input @SourceElement; this input is then read by the
@SourceMethod method at line @SourceLine of @SourceFile. This input then flows through the code, into a query
and to the database server - without sanitization. This may enable an SQL Injection attack.

Query Path: VB6/VB6_High_Risk/SQL_Injection

Total Flows: 2

RECURRENT
State: To Verify
Status: RECURRENT
Group name: VB6_High_Risk
Confidence level: 75
First scan id: 427b4005-31c6-4948-be8a-dc24c885bdd9
Found date: 2024-01-14 08:13:04 +0000 UTC
First found date: 2024-01-14 08:09:28 +0000 UTC
Source element: text
Source file: /encode.frm
Source method: cmdunsafe_click
Source line: 42
Destination element: openrecordset
Destination file: /encode.frm
Destination method: cmdunsafe_click
Destination line: 52
Compliances: NIST SP 800-53, OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021, PCI DSS v3.2.1, ASD STIG 4.10, FISMA 2014
CWE: CWE-89

RECURRENT
State: Not Exploitable
Status: RECURRENT
Group name: VB6_High_Risk
Confidence level: 75
First scan id: 427b4005-31c6-4948-be8a-dc24c885bdd9
Found date: 2024-01-14 08:13:04 +0000 UTC
First found date: 2024-01-14 08:09:28 +0000 UTC
Source element: text
Source file: /encode.frm
Source method: cmdunsafe_click
Source line: 41
Destination element: openrecordset
Destination file: /encode.frm
Destination method: cmdunsafe_click
Destination line: 52
Compliances: NIST SP 800-53, OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021, PCI DSS v3.2.1, ASD STIG 4.10, FISMA 2014
CWE: CWE-89

Privacy_Violation

Description: Method @SourceMethod at line @SourceLine of @SourceFile sends user information outside the application. This
may constitute a Privacy Violation.

Query Path: VB6/VB6_Medium_Threat/Privacy_Violation

Total Flows: 2

RECURRENT
State: To Verify
Status: RECURRENT
Group name: VB6_Medium_Threat
Confidence level: 72
First scan id: 427b4005-31c6-4948-be8a-dc24c885bdd9
Found date: 2024-01-14 08:13:04 +0000 UTC
First found date: 2024-01-14 08:09:28 +0000 UTC
Source element: password
Source file: /encode.frm
Source method: cmdunsafe_click
Source line: 42
Destination element: text
Destination file: /encode.frm
Destination method: cmdunsafe_click
Destination line: 48
Compliances: FISMA 2014, NIST SP 800-53, OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021, ASD STIG 4.10
CWE: CWE-359

RECURRENT
State: To Verify
Status: RECURRENT
Group name: VB6_Medium_Threat
Confidence level: 72
First scan id: 427b4005-31c6-4948-be8a-dc24c885bdd9
Found date: 2024-01-14 08:13:04 +0000 UTC
First found date: 2024-01-14 08:09:28 +0000 UTC
Source element: password
Source file: /encode.frm
Source method: cmdsafe_click
Source line: 11
Destination element: text
Destination file: /encode.frm
Destination method: cmdsafe_click
Destination line: 17
Compliances: FISMA 2014, NIST SP 800-53, OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021, ASD STIG 4.10
CWE: CWE-359

Parameter_Tampering

Description: Method @SourceMethod at line @SourceLine of @SourceFile gets user input from element @SourceElement. This
input is later concatenated by the application directly into a string variable containing SQL commands, without
being validated. This string is then used in method @DestinationMethod to query the database
@DestinationElement, at line @DestinationLine of @DestinationFile, without any additional filtering by the
database. This could allow the user to tamper with the filter parameter.

Query Path: VB6/VB6_Medium_Threat/Parameter_Tampering

Total Flows: 1

RECURRENT
State: To Verify
Status: RECURRENT
Group name: VB6_Medium_Threat
Confidence level: 100
First scan id: 427b4005-31c6-4948-be8a-dc24c885bdd9
Found date: 2024-01-14 08:13:04 +0000 UTC
First found date: 2024-01-14 08:09:28 +0000 UTC
Source element: text
Source file: /encode.frm
Source method: CxMethod_Vb6_encode_d95407b7
Source line: 65
Destination element: open
Destination file: /encode.frm
Destination method: CxMethod_Vb6_encode_d95407b7
Destination line: 82
Compliances: ASD STIG 4.10, OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021
CWE: CWE-472

Hardcoded_password_in_Connection_String

Description: The application contains hardcoded connection details, @SourceElement, at line @SourceLine of @SourceFile.
This connection string contains a hardcoded password, which is used in @DestinationMethod at line
@DestinationLine of @DestinationFile to connect to a database server with @DestinationElement. This can expose
the database password, and impede proper password management.

Query Path: VB6/VB6_Medium_Threat/Hardcoded_password_in_Connection_String

Total Flows: 1

RECURRENT
State: To Verify
Status: RECURRENT
Group name: VB6_Medium_Threat
Confidence level: 87
First scan id: 427b4005-31c6-4948-be8a-dc24c885bdd9
Found date: 2024-01-14 08:13:04 +0000 UTC
First found date: 2024-01-14 08:09:28 +0000 UTC
Source element: ""connection string""
Source file: /encode.frm
Source method: CxMethod_Vb6_encode_d95407b7
Source line: 67
Destination element: open
Destination file: /encode.frm
Destination method: CxMethod_Vb6_encode_d95407b7
Destination line: 67
Compliances: ASD STIG 4.10, OWASP Top 10 2013, OWASP Top 10 2017, OWASP Top 10 2021
CWE: CWE-547

SCA

Total  High  Med  Low  Info
   54    29   23    2     0

Vulnerable packages (45)

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 401
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-401
CVE: Cx039cb67c-ead3
Description: MySQL Connector/J before 5.1.37 is vulnerable to Memory Leak. The method
CompressedInputStream.getNextPacketFromServer() of
src/com/mysq/jdbc/CompressedInputStream.java has high memory and garbage collection
usage caused by the consecutive instantiation of a new inflater.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 89
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-89
CVE: CVE-2015-2575
Description: MySQL Connector/J before 5.1.35 is vulnerable to SQL Injection. The function quoteIdentifier()
in the file src/com/mysql/jdbc/StringUtils.java doesn't check if the identifier is correctly
quoted and if quotes within are correctly escaped in the given identifier, allowing an attacker
to inject malicious queries.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 284
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-284
CVE: CVE-2017-3523
Description: Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit
vulnerability allows low privileged attacker with network access via multiple protocols to
compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may
significantly impact additional products. Successful attacks of this vulnerability can result in
takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and
Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 20
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-20
CVE: CVE-2018-3258
Description: Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via multiple protocols to
compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover
of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Npm-@adobe/css-tools-4.0.1

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: 9a05bd51-aa42-4028-8c49-a9f3ad522428
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2023-07-25 10:19:23 +0000 UTC
Version: 4.0.1
Outdated: Yes
CWE: CWE-1333
CVE: CVE-2023-48631
Description: @adobe/css-tools versions prior to 4.3.2 are affected by an Improper Input Validation
vulnerability that could result in a denial of service while attempting to parse CSS.

Npm-@babel/traverse-7.18.13

RECURRENT | 697
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:03 +0000 UTC
Version: 7.18.13
Outdated: No
CWE: CWE-697
CVE: CVE-2023-45133
Description: Babel is a compiler for writing JavaScript. In `@babel/traverse` versions prior to 7.23.2 and
8.0.x prior to 8.0.0-alpha.4, using Babel to compile code that was specifically crafted by an
attacker can lead to arbitrary code execution during compilation, when using plugins that rely
on the `path.evaluate()` or `path.evaluateTruthy()` internal Babel methods. Known affected
plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env` when using its
`useBuiltIns` option; and any "polyfill provider" plugin that depends on
`@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`,
`babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`.
No other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted. Those who cannot upgrade `@babel/traverse`
and are using one of the affected packages mentioned above should upgrade them to their latest
version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:
`@babel/plugin-transform-runtime` v7.23.2, `@babel/preset-env` v7.23.2,
`@babel/helper-define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6,
`babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-polyfill-es-shims` v0.10.0,
`babel-plugin-polyfill-regenerator` v0.5.3.

Npm-debug-4.3.4

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 4.3.4
Outdated: No
CWE: CWE-1333
CVE: Cx8bc4df28-fcf5
Description: In NPM `debug`, the `enable` function accepts a regular expression from user input without
escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack
on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service).
This is a different issue than CVE-2017-16137.

Npm-decode-uri-component-0.2.0

RECURRENT | 20
State: To Verify
Status: RECURRENT
First scan id: d7d2ce9e-1200-4d0d-8b7d-9171d35611f0
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-13 09:36:38 +0000 UTC
Version: 0.2.0
Outdated: No
CWE: CWE-20
CVE: CVE-2022-38900
Description: decode-uri-component is vulnerable to Improper Input Validation resulting in DoS.

Npm-get-func-name-2.0.0

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 2.0.0
Outdated: No
CWE: CWE-1333
CVE: CVE-2023-43646
Description: get-func-name is a module to retrieve a function's name securely and consistently both in
NodeJS and the browser. Versions prior to 2.0.1 are subject to a Regular Expression Denial of
Service (ReDoS) vulnerability which may lead to a denial of service when parsing malicious input.
This vulnerability can be exploited when there is an imbalance in parentheses, which results in
excessive backtracking and subsequently increases the CPU load and processing time
significantly. This vulnerability can be triggered using the following input: "\t'.repeat(54773) +
'\t/function/i".

Npm-inflight-1.0.6

RECURRENT | 772
State: To Verify
Status: RECURRENT
First scan id: c599ab77-3405-4af6-9e9c-1a6cbc693e08
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-06-16 14:10:21 +0000 UTC
Version: 1.0.6
Outdated: No
CWE: CWE-772
CVE: Cxdca8e59f-8bfe
Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after
being used. It appears to affect all versions, as the issue was not addressed and no fix is
found. NOTE: In the meantime, `logdna-agent`, a package that depends on `inflight`, has
merged a commit to address this solely in their package (so it should be fixed in
`logdna-agent` in versions 1.6.5 and later). `Node-glob`, a package that also depends on `inflight`, was
also planning to address this by not using `inflight` after version 8 is released, but it is still
being used.

Npm-json5-2.2.1

RECURRENT | 1321
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 2.2.1
Outdated: No
CWE: CWE-1321
CVE: CVE-2022-46175
Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and
maintain by hand (e.g. for config files). The `parse` method of the JSON5 library version through
1.0.1 and 2.0.x through 2.2.1 does not restrict parsing of keys named `__proto__`, allowing
specially crafted strings to pollute the prototype of the resulting object. This vulnerability
pollutes the prototype of the object returned by `JSON5.parse` and not the global Object
prototype, which is the commonly understood definition of Prototype Pollution. However,
polluting the prototype of a single object can have a significant security impact for an
application if the object is later used in trusted operations. This vulnerability could allow an
attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The
actual impact will depend on how applications utilize the returned object and how they filter
unwanted keys, but could include denial of service, cross-site scripting, the elevation of
privilege, and in extreme cases, remote code execution. `JSON5.parse` should restrict parsing
of `__proto__` keys when parsing JSON strings to objects. As a point of reference, the
`JSON.parse` method included in JavaScript ignores `__proto__` keys. Simply changing
`JSON5.parse` to `JSON.parse` in the examples above mitigates this vulnerability.

Npm-loader-utils-2.0.2

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: a348ad33-95da-4db6-88cc-de42edd4ee39
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2023-06-26 10:12:52 +0000 UTC
Version: 2.0.2
Outdated: Yes
CWE: CWE-1333
CVE: CVE-2022-37603
Description: A Regular expression Denial of Service (ReDoS) flaw was found in loader-utils versions 1.0.0
through 1.4.1, 2.0.0 through 2.0.3, and 3.0.0 through 3.2.0. The affected function is
"interpolateName" in the "interpolateName.js" file via the "url" variable.

Npm-loader-utils-2.0.2

RECURRENT | 1321
State: To Verify
Status: RECURRENT
First scan id: a348ad33-95da-4db6-88cc-de42edd4ee39
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2023-06-26 10:12:52 +0000 UTC
Version: 2.0.2
Outdated: Yes
CWE: CWE-1321
CVE: CVE-2022-37601
Description: Prototype Pollution Vulnerability present in the loader-utils package in the function
'parseQuery()' of 'parseQuery.js' file via the 'name' variable. This vulnerability affects versions
prior to 1.4.1 and 2.0.x prior to 2.0.3.

Npm-loader-utils-2.0.2

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: a348ad33-95da-4db6-88cc-de42edd4ee39
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2023-06-26 10:12:52 +0000 UTC
Version: 2.0.2
Outdated: Yes
CWE: CWE-1333
CVE: CVE-2022-37599
Description: A Regular expression Denial of Service (ReDoS) flaw was found in loader-utils versions 1.0.0
through 1.4.1, 2.0.0 through 2.0.3, and 3.0.0 through 3.2.0. The affected function is
"interpolateName" in the "interpolateName.js" file via the "resourcePath" variable.

Npm-semver-6.3.0

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: c599ab77-3405-4af6-9e9c-1a6cbc693e08
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2022-06-16 14:10:21 +0000 UTC
Version: 6.3.0
Outdated: Yes
CWE: CWE-1333
CVE: CVE-2022-25883
Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are
vulnerable to Regular Expression Denial of Service (ReDoS) via the function "new Range", when
untrusted user data is provided as a range.

Npm-semver-7.0.0

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2022-08-29 13:47:05 +0000 UTC
Version: 7.0.0
Outdated: Yes
CWE: CWE-1333
CVE: CVE-2022-25883
Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are
vulnerable to Regular Expression Denial of Service (ReDoS) via the function "new Range", when
untrusted user data is provided as a range.

Npm-semver-7.3.7

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2022-08-29 13:47:05 +0000 UTC
Version: 7.3.7
Outdated: No
CWE: CWE-1333
CVE: CVE-2022-25883
Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are
vulnerable to Regular Expression Denial of Service (ReDoS) via the function "new Range", when
untrusted user data is provided as a range.

Npm-vite-3.0.9

RECURRENT | 50
State: To Verify
Status: RECURRENT
First scan id: 7dc951a9-d5df-470c-b387-4dc699dd3956
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2023-08-30 12:25:50 +0000 UTC
Version: 3.0.9
Outdated: Yes
CWE: CWE-50
CVE: CVE-2023-34092
Description: Vite provides front-end tooling. In versions through 2.9.15, 3.0.2 through 3.2.6, 4.0.0-alpha.0
through 4.0.4, 4.1.0-beta.0 through 4.1.4, 4.2.0-beta.0 through 4.2.2, and 4.3.0-beta.0
through 4.3.8, Vite Server Options (`server.fs.deny`) can be bypassed using double
forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the
application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users
explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config
option) are affected, and only files in the immediate Vite project root folder could be exposed.

Npm-webpack-5.74.0

RECURRENT | 284
State: To Verify
Status: RECURRENT
First scan id: ed519e52-2d15-4cc2-8f65-4abf8c0c306d
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2023-08-09 12:09:59 +0000 UTC
Version: 5.74.0
Outdated: Yes
CWE: CWE-284
CVE: CVE-2023-28154
Description: Webpack 5.0.0-alpha.0 through 5.75.0 does not avoid cross-realm object access.
''ImportParserPlugin.js'' mishandles the magic comment feature. An attacker who controls a
property of an untrusted object can obtain access to the real global object.

Npm-word-wrap-1.2.3

RECURRENT | 1333
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2022-08-29 13:47:07 +0000 UTC
Version: 1.2.3
Outdated: No
CWE: CWE-1333
CVE: CVE-2023-26115
Description: Versions prior to 1.24 of the package word-wrap are vulnerable to Regular Expression Denial of
Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

Npm-yaml-2.1.1

RECURRENT | 248
State: To Verify
Status: RECURRENT
First scan id: 7dc951a9-d5df-470c-b387-4dc699dd3956
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2023-08-30 12:25:50 +0000 UTC
Version: 2.1.1
Outdated: Yes
CWE: CWE-248
CVE: CVE-2023-2251
Description: Uncaught Exception in `yaml` versions 2.0.0-5 through 2.2.1 and 2.3.0-0 through 2.3.0-4.

Npm-yauzl-2.10.0

RECURRENT | 22
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:45 +0000 UTC
First found date: 2022-08-29 13:47:07 +0000 UTC
Version: 2.10.0
Outdated: No
CWE: CWE-22
CVE: Cxf6e7f2c1-dc59
Description: The package `yauzl` is vulnerable to Arbitrary File Write implemented through improper
validation of symlinks. The function `validateFileName` in the file `index.js` doesn't validate
malicious symlink files when checking for path traversal attacks. It is possible to create a
malicious archive containing symlinks which leads to the file decompression outside the
original filesystem location. This can be abused to read/write files in an arbitrary location. This
affects the three CIA impact metrics: Confidentiality, Integrity and Availability. All of the
versions appear to be vulnerable, as the Issue still has not been addressed and no fix is
available.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 772
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-772
CVE: Cx7ef609d2-efb5
Description: MySQL Connector/J before 5.1.31 is vulnerable to Memory Leak. Upon continuous interruption
between the server and the database, the dead connections are accumulated in a map in
`ProfilerEventHandlerFactory` factory and aren't removed from the memory. When the number of
database connections reaches a certain number, it causes the application to throw an
OutOfMemoryException as the garbage collector fails to collect the dead connections.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 401
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-401
CVE: Cx6f651376-312a
Description: MySQL Connector/J before version 5.1.44 and 6.x is vulnerable to memory leak. When using
cached server-side prepared statements, a memory leak occurred as references to opened
statements were being kept while the statements were being decached; it happened when
either the close() method has been called twice on a statement, or when there were conflicting
cache entries for a statement and the older entry had not been closed and removed from the
opened statement list.

Npm-file-type-3.9.0

RECURRENT | 835
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 3.9.0
Outdated: Yes
CWE: CWE-835
CVE: CVE-2022-36313
Description: An issue was discovered in the file-type package versions prior to 16.5.4 and 17.0.x prior to
17.1.3 for "Node.js". A malformed MKV file could cause the file type detector to get caught in
an infinite loop. This would make the application become unresponsive and could be used to
cause a DoS attack.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 611
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-611
CVE: CVE-2021-2471
Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). This
vulnerability affects versions through 8.0.26. Difficult to exploit vulnerability allows high
privileged attacker with network access via multiple protocols to compromise MySQL
Connectors. Successful attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all MySQL Connectors accessible data and unauthorized
ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.

Npm-file-type-5.2.0

RECURRENT | 835
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 5.2.0
Outdated: Yes
CWE: CWE-835
CVE: CVE-2022-36313
Description: An issue was discovered in the file-type package versions prior to 16.5.4 and 17.0.x prior to
17.1.3 for "Node.js". A malformed MKV file could cause the file type detector to get caught in
an infinite loop. This would make the application become unresponsive and could be used to
cause a DoS attack.

Npm-file-type-6.2.0

RECURRENT | 835
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 6.2.0
Outdated: Yes
CWE: CWE-835
CVE: CVE-2022-36313
Description: An issue was discovered in the file-type package versions prior to 16.5.4 and 17.0.x prior to
17.1.3 for "Node.js". A malformed MKV file could cause the file type detector to get caught in
an infinite loop. This would make the application become unresponsive and could be used to
cause a DoS attack.

Npm-follow-redirects-1.15.1

RECURRENT | 601
State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 1.15.1
Outdated: No
CWE: CWE-601
CVE: CVE-2023-26159
Description: The package follow-redirects versions prior to 1.15.4 are vulnerable to Improper Input
Validation due to the improper handling of URLs by the "url.parse()" function. When a new
"URL()" throws an error, it can be manipulated to misinterpret the hostname. An attacker could
exploit this weakness to redirect traffic to a malicious site, potentially leading to information
disclosure, phishing attacks, or other security breaches.

Npm-jquery-3.2.1

RECURRENT | 79
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 3.2.1
Outdated: Yes
CWE: CWE-79
CVE: CVE-2020-11023
Description: In jQuery versions 1.0.3 through 3.4.1, passing HTML containing <option> elements from
untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e.
.html(), .append(), and others) may execute untrusted code. This vulnerability also affects
jquery-rails versions through 4.3.5.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 284
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-284
CVE: CVE-2017-3586
Description: Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable"
vulnerability allows low privileged attacker with network access via multiple protocols to
compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may
significantly impact additional products. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of MySQL Connectors accessible data as
well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0
Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Npm-jquery-3.2.1

RECURRENT | 200
State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 3.2.1
Outdated: Yes
CWE: CWE-200
CVE: CVE-2007-2379
Description: The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an
associated protection scheme, which allows remote attackers to obtain the data via a web
page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and
captures the data using other JavaScript code, aka "JavaScript Hijacking." The package
maintainer disputes the validity of this vulnerability since it's expected language behavior. If
JSONP is used in a browser, the vulnerability is not exploitable, but it's up to the consumer
application to use protective measures and not up to jQuery to fix it.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 400

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-400
CVE: CVE-2020-2934
Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).
Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to
exploit vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise MySQL Connectors. Successful attacks require human interaction
from a person other than the attacker. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of MySQL Connectors accessible data as
well as unauthorized read access to a subset of MySQL Connectors accessible data and
unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors.
CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Npm-postcss-8.4.16

RECURRENT | 74

State: To Verify
Status: RECURRENT
First scan id: e0cf5b1b-f699-47ad-ac22-168bc57f8007
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-08-29 13:47:04 +0000 UTC
Version: 8.4.16
Outdated: No
CWE: CWE-74
CVE: CVE-2023-44270
Description: An issue was discovered in postcss versions prior to 8.4.31. The vulnerability affects linters
using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way
that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS,
it will be included in the PostCSS output in CSS nodes (rules, properties) despite being
included in a comment.

Maven-junit:junit-4.10

RECURRENT | 732

State: To Verify
Status: RECURRENT
First scan id: ead6cd8a-90e0-448b-a53d-1d40bc3bb8b2
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2023-07-03 09:38:43 +0000 UTC
Version: 4.10
Outdated: Yes
CWE: CWE-732
CVE: CVE-2020-15250
Description: In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local
information disclosure vulnerability. On Unix like systems, the system's temporary directory is
shared between all users on that system. Because of this, when files and directories are
written into this directory they are, by default, readable by other users on that same system.
This vulnerability does not allow other users to overwrite the contents of these directories or
files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the
JUnit tests write sensitive information, like API keys or passwords, into the temporary folder,
and the JUnit tests execute in an environment where the OS has other untrusted users.
Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent
upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is
fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the
workaround below. If you are unable to patch, or are stuck running on Java 1.6, setting the
`java.io.tmpdir` system property to a directory that is exclusively owned by the
executing user will fix this vulnerability. For more information, including an example of
vulnerable code, see the referenced GitHub Security Advisory.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 20

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-20
CVE: CVE-2019-2692
Description: Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit
vulnerability allows high privileged attacker with logon to the infrastructure where MySQL
Connectors executes to compromise MySQL Connectors. Successful attacks require human
interaction from a person other than the attacker. Successful attacks of this vulnerability can
result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity
and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 20

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-20
CVE: CVE-2022-21363
Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).
Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability
allows high privileged attacker with network access via multiple protocols to compromise
MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL
Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 284

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-284
CVE: CVE-2020-2875
Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).
Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to
exploit vulnerability allows unauthenticated attacker with network access via multiple
protocols to compromise MySQL Connectors. Successful attacks require human interaction
from a person other than the attacker and while the vulnerability is in MySQL Connectors,
attacks may significantly impact additional products. Successful attacks of this vulnerability
can result in unauthorized update, insert or delete access to some of MySQL Connectors
accessible data as well as unauthorized read access to a subset of MySQL Connectors
accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Npm-@adobe/css-tools-4.0.1

RECURRENT | 20

State: To Verify
Status: RECURRENT
First scan id: 9a05bd51-aa42-4028-8c49-a9f3ad522428
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2023-07-25 10:19:23 +0000 UTC
Version: 4.0.1
Outdated: Yes
CWE: CWE-20
CVE: CVE-2023-26364
Description: Versions of the package @adobe/css-tools prior to 4.3.1 are affected by an Improper Input
Validation vulnerability that could result in a minor denial of service while attempting to parse
CSS. Exploitation of this issue does not require user interaction or privileges.

Npm-jquery-3.2.1

RECURRENT | 79

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 3.2.1
Outdated: Yes
CWE: CWE-79
CVE: CVE-2014-6071
Description: jQuery can potentially allow remote attackers to conduct Cross-site Scripting (XSS) attacks
when using methods such as "jQuery()", "append()" and "after()". These methods accept an
HTML string and can, by design, execute code. This vulnerability can be avoided by sanitizing
inputs such as URL query parameters, cookies, or form inputs when obtained from untrusted
sources. This issue wasn't fixed because it's considered to be present by design and it was
documented for users to be careful when passing user input to specific functions. This security
issue exists in all jQuery versions.

Npm-axios-0.27.2

RECURRENT | 352

State: To Verify
Status: RECURRENT
First scan id: 72950619-35e6-4b86-83c9-c8bc8af5697b
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2023-08-09 11:17:59 +0000 UTC
Version: 0.27.2
Outdated: Yes
CWE: CWE-352
CVE: CVE-2023-45857
Description: An issue discovered in Axios inadvertently reveals the confidential XSRF-TOKEN stored in
cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host,
allowing attackers to view sensitive information. This vulnerability affects axios package
versions 0.8.1 through 1.5.1.

Npm-jquery-3.2.1

RECURRENT | 1321

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 3.2.1
Outdated: Yes
CWE: CWE-1321
CVE: CVE-2019-11358
Description: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles
jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object
contained an enumerable __proto__ property, it could extend the native Object.prototype.

Npm-jquery-3.2.1

RECURRENT | 79

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:43 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 3.2.1
Outdated: Yes
CWE: CWE-79
CVE: CVE-2020-11022
Description: In jQuery versions before 3.5.0, passing HTML from untrusted sources - even after sanitizing it
- to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute
untrusted code. This problem is patched in jQuery 3.5.0.

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 284

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-284
CVE: CVE-2017-3589
Description: Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent:
Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable"
vulnerability allows low privileged attacker with logon to the infrastructure where MySQL
Connectors executes to compromise MySQL Connectors. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access to some of MySQL
Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Maven-mysql:mysql-connector-java-5.1.18

RECURRENT | 400

State: To Verify
Status: RECURRENT
First scan id: c5cf55af-3680-404a-9b0a-ddedca080624
Found date: 2024-01-14 08:14:42 +0000 UTC
First found date: 2022-07-22 09:23:10 +0000 UTC
Version: 5.1.18
Outdated: Yes
CWE: CWE-400
CVE: CVE-2020-2933
Description: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).
Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability
allows high privileged attacker with network access via multiple protocols to compromise
MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2
(Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Container Vulnerabilities (9)

github.com/cyphar/filepath-securejoin

NEW | 23

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v0.2.3
Outdated: No
CWE: CWE-23
CVE:
Description: Windows users of github.com/cyphar/filepath-securejoin versions prior to v0.2.4 are
vulnerable to Relative Path Traversal. In certain rootfs and path combinations (in particular,
where a malicious Unix-style /-separated unsafe path was used with a Windows-style rootfs
path), the generated paths were outside of the provided rootfs.

github.com/containerd/containerd

NEW | 284

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v1.7.7
Outdated: No
CWE: CWE-284
CVE:
Description: In the github.com/containerd/containerd package, versions prior to 1.6.26, 1.7.x prior to 1.7.11,
and 2.0.0-beta.0 allow RAPL (Running Average Power Limit) to be accessible to a container.

github.com/containerd/containerd

NEW | 284

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v1.6.22
Outdated: No
CWE: CWE-284
CVE:
Description: In the github.com/containerd/containerd package, versions prior to 1.6.26, 1.7.x prior to 1.7.11,
and 2.0.0-beta.0 allow RAPL (Running Average Power Limit) to be accessible to a container.

golang.org/x/crypto

NEW | 345

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v0.14.0
Outdated: No
CWE: CWE-345
CVE:
Description: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6
and other products, allows remote attackers to bypass integrity checks such that some
packets are omitted (from the extension negotiation message), and a client and server may
consequently end up with a connection for which some security features have been downgraded
or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP),
implemented by these extensions, mishandles the handshake phase and mishandles the use
of sequence numbers. For example, there is an effective attack against SSH's use of
"ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC)". The bypass occurs in
"chacha20-poly1305@openssh.com" and (if CBC is used) the "-etm@openssh.com" MAC algorithms. This
vulnerability affects Go-github.com/golang/crypto package versions prior to 0.17.0, Python-
paramiko package versions prior to 3.4.0 and Python-asyncssh package versions prior to
2.14.2, CPP-libssh2 package all versions, CPP-libssh package versions prior to 0.9.8 and
0.10.x prior to 0.10.6, NPM-ssh2 package versions prior to 1.15.0, Maven-
com.github.mwiede:jsch package versions prior to 0.2.15, and Php-phpseclib/phpseclib package
versions prior to 1.0.22, 2.0.x prior to 2.0.46 and 3.0.x prior to 3.0.35.

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

NEW | 770

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v0.45.0
Outdated: No
CWE: CWE-770
CVE:
Description: OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. In
versions through 0.45.0, and 1.0.0 through 1.20.0 the grpc Unary Server Interceptor out of
the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound
cardinality. It leads to the server's potential memory exhaustion when many malicious
requests are sent. An attacker can easily flood the peer address and port for requests. As a
workaround to stop being affected, a view removing the attributes can be used. The other
possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider`
option with `noop.NewMeterProvider`.

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

NEW | 770

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v0.40.0
Outdated: No
CWE: CWE-770
CVE:
Description: OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. In
versions through 0.45.0, and 1.0.0 through 1.20.0 the grpc Unary Server Interceptor out of
the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound
cardinality. It leads to the server's potential memory exhaustion when many malicious
requests are sent. An attacker can easily flood the peer address and port for requests. As a
workaround to stop being affected, a view removing the attributes can be used. The other
possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider`
option with `noop.NewMeterProvider`.

go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc

NEW | 770

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v0.29.0
Outdated: No
CWE: CWE-770
CVE:
Description: OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. In
versions through 0.45.0, and 1.0.0 through 1.20.0 the grpc Unary Server Interceptor out of
the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound
cardinality. It leads to the server's potential memory exhaustion when many malicious
requests are sent. An attacker can easily flood the peer address and port for requests. As a
workaround to stop being affected, a view removing the attributes can be used. The other
possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider`
option with `noop.NewMeterProvider`.

go.etcd.io/etcd/server/v3

NEW | 200

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v3.5.6
Outdated: No
CWE: CWE-200
CVE:
Description: The package etcd is a distributed key-value store for the data of a distributed system. In
versions prior to 3.4.26, 3.5.x prior to 3.5.9, and 3.6.0-alpha.0 the "LeaseTimeToLive" API
allows access to key names (not values) associated with a lease when the "Keys" parameter is
true, even if the user doesn't have read permission to the keys. The impact is limited to clusters
that enable auth (RBAC).

go.etcd.io/etcd/server/v3

NEW | 287

State: To Verify
Status: NEW
First scan id: -
Found date: 1970-01-01 00:00:00 +0000 UTC
First found date: 1970-01-01 00:00:00 +0000 UTC
Version: v3.5.6
Outdated: No
CWE: CWE-287
CVE:
Description: An authentication vulnerability found in Etcd-io in version 3.4.10 through 3.4.24 and v3.5.0-
alpha.0 through 3.5.7 allows remote attackers to escalate privileges via the "debug" function.

IaC Security

Total Vulnerabilities High Med Low Info

11 1 4 5 1

Dockerfile

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Missing User Instruction
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: The 'Dockerfile' should contain the 'USER' instruction
Actual Value: The 'Dockerfile' does not contain any 'USER' instruction
Issue Type: MissingAttribute
Category: Build Process
Description: A user should be specified in the dockerfile, otherwise the image will run as root

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Unpinned Package Version in Apk Add
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: RUN instruction with 'apk add <package>' should use package pinning form 'apk add
<package>=<version>'
Actual Value: RUN instruction cd /tmp && sha256sum -c consul-template_0.19.5_SHA256SUMS 2>&1 |
grep OK && unzip consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.zip && mv
consul-template /bin/consul-template && rm -rf /tmp && apk --update add curl bash does
not use package pinning form
Issue Type: IncorrectValue
Category: Supply-Chain
Description: Package version pinning reduces the range of versions that can be installed, reducing the
chances of failure due to unanticipated changes

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Image Version Using 'latest'
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: FROM docker:<version> where version should not be 'latest'
Actual Value: FROM docker:latest
Issue Type: IncorrectValue
Category: Supply-Chain
Description: When building images, always tag them with useful tags which codify version information,
intended destination (prod or test, for instance), stability, or other information that is useful
when deploying the application in different environments. Do not rely on the
automatically-created latest tag

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Add Instead of Copy
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: 'COPY' https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.zip
Actual Value: 'ADD' https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.zip
Issue Type: IncorrectValue
Category: Supply-Chain
Description: Using ADD to fetch a remote installation script means a compromised or impersonated web
server can feed a malicious file straight into the image. Note that COPY cannot fetch a URL, so
the practical fix is to download the file with curl or wget in a RUN step, verify it against a
checksum you trust, and then install it.

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Add Instead of Copy
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: 'COPY' https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_SHA256SUMS
Actual Value: 'ADD' https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_SHA256SUMS
Issue Type: IncorrectValue
Category: Supply-Chain
Description: Using ADD to load external installation scripts could lead to an evil web server leveraging this
and loading a malicious script.

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Healthcheck Instruction Missing
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: Dockerfile should contain instruction 'HEALTHCHECK'
Actual Value: Dockerfile doesn't contain instruction 'HEALTHCHECK'
Issue Type: MissingAttribute
Category: Insecure Configurations
Description: Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to
test a container to check that it is still working

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Curl or Wget Instead of Add
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: Should use 'curl' or 'wget' to download https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_SHA256SUMS
Actual Value: 'ADD' https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_SHA256SUMS
Issue Type: IncorrectValue
Category: Best Practices
Description: Use curl or wget instead of ADD to fetch packages from remote URLs; using ADD for remote
URLs is strongly discouraged, because with curl or wget the download can be verified and
deleted within the same RUN layer.

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Curl or Wget Instead of Add
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: Should use 'curl' or 'wget' to download https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.zip
Actual Value: 'ADD' https://releases.hashicorp.com/consul-template/0.19.5/consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.zip
Issue Type: IncorrectValue
Category: Best Practices
Description: Use curl or wget instead of ADD to fetch packages from remote URLs; using ADD for remote
URLs is strongly discouraged, because with curl or wget the download can be verified and
deleted within the same RUN layer.

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Multiple RUN, ADD, COPY, Instructions Listed
First Scan ID: c5cf55af-3680-404a-9b0a-ddedca080624
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2022-07-22 09:22:10 +0000 UTC
File: /Dockerfile
Expected Value: There isn't any ADD instruction that could be grouped
Actual Value: There are ADD instructions that could be grouped
Issue Type: RedundantAttribute
Category: Best Practices
Description: Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of
layers.

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: MAINTAINER Instruction Being Used
First Scan ID: c5cf55af-3680-404a-9b0a-ddedca080624
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2022-07-22 09:22:10 +0000 UTC
File: /Dockerfile
Expected Value: Maintainer instruction being used in Label 'LABEL maintainer=Albert van t Hart
<[email protected]>'
Actual Value: Maintainer instruction not being used in Label 'MAINTAINER Albert van t Hart
<[email protected]>'
Issue Type: IncorrectValue
Category: Best Practices
Description: The MAINTAINER instruction sets the Author field of the generated images. The LABEL
instruction is a much more flexible version of this and you should use it instead, as it enables
setting any metadata you require, and can be viewed easily

RECURRENT

State: To Verify
Status: RECURRENT
Query Name: Apk Add Using Local Cache Path
First Scan ID: 06ba470d-7ab8-4593-a912-76c9dcf841c6
Found Date: 2024-01-14 08:12:35 +0000 UTC
First Found Date: 2023-05-11 13:55:52 +0000 UTC
File: /Dockerfile
Expected Value: 'RUN' should not contain 'apk add' command without '--no-cache' switch
Actual Value: 'RUN' contains 'apk add' command without '--no-cache' switch
Issue Type: IncorrectValue
Category: Supply-Chain
Description: When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and
remove '/var/cache/apk/*'
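All eleven IaC findings above describe the same file, and their Actual Values let its shape be reconstructed: `FROM docker:latest`, a `MAINTAINER` line, two `ADD` instructions that fetch the consul-template zip and its SHA256SUMS from releases.hashicorp.com, and one `RUN` that checks the sum with `sha256sum -c ... 2>&1 | grep OK`, unzips, moves the binary, runs `rm -rf /tmp` and installs `curl bash` with `apk --update add`. The Dockerfile below is an added example, not the scanned project's file; it is a hardened rewrite that addresses every query in this section. Two points the query messages do not spell out: `COPY` cannot fetch a URL, so the "Expected Value" of `'COPY' https://...` really means "download with curl or wget, verify, then install"; and `rm -rf /tmp` removes the directory itself rather than its contents, which breaks anything that later expects `/tmp` to exist. The URL path in the original is hard-coded to 0.19.5 while the file name uses `${CONSUL_TEMPLATE_VERSION}`, so a single build argument drives both here. The pinned base tag, the Alpine package versions, the maintainer address (the report's is redacted), the install path, the HEALTHCHECK probe and the ENTRYPOINT are assumptions to be replaced with the project's own values; `apk policy <package>` lists the versions available for the image's Alpine release.

```dockerfile
# Added example (not the scanned project's Dockerfile): a hardened rewrite of
# /Dockerfile that addresses every IaC query in this report. Values that are
# not present in the report are assumptions and are marked as such.

# Image Version Using 'latest': pin the base tag (24.0.7 is an assumption; a
# digest pin such as docker:24.0.7@sha256:... is stronger still).
ARG DOCKER_TAG=24.0.7
FROM docker:${DOCKER_TAG}

# MAINTAINER Instruction Being Used: LABEL replaces the deprecated instruction.
# The address is a placeholder; the report's value is redacted.
LABEL maintainer="Albert van t Hart <maintainer@example.invalid>"

# One build argument for the version, used in both the URL path and the file
# name (the original hard-codes 0.19.5 in the path only).
ARG CONSUL_TEMPLATE_VERSION=0.19.5
ARG CONSUL_TEMPLATE_BASE=https://releases.hashicorp.com/consul-template

# Unpinned Package Version in Apk Add, Apk Add Using Local Cache Path,
# Add Instead of Copy, Curl or Wget Instead of Add, Multiple RUN/ADD/COPY:
# a single layer with --no-cache and pinned packages (the versions below are
# assumptions; check 'apk policy <pkg>' for this image's Alpine release),
# curl for the download, and a checksum check restricted to the one file we
# fetched instead of 'sha256sum -c <whole SUMS file> 2>&1 | grep OK'.
# Missing User Instruction: the unprivileged account is created here too.
RUN set -eu \
    && apk add --no-cache \
        bash=5.2.15-r5 \
        curl=8.5.0-r0 \
        unzip=6.0-r14 \
    && ZIP="consul-template_${CONSUL_TEMPLATE_VERSION}_linux_amd64.zip" \
    && cd /tmp \
    && curl -fsSL -o "${ZIP}" \
         "${CONSUL_TEMPLATE_BASE}/${CONSUL_TEMPLATE_VERSION}/${ZIP}" \
    && curl -fsSL -o SHA256SUMS \
         "${CONSUL_TEMPLATE_BASE}/${CONSUL_TEMPLATE_VERSION}/consul-template_${CONSUL_TEMPLATE_VERSION}_SHA256SUMS" \
    && grep -F " ${ZIP}" SHA256SUMS > "${ZIP}.sha256" \
    && sha256sum -c "${ZIP}.sha256" \
    && unzip -q "${ZIP}" consul-template \
    && install -m 0755 consul-template /usr/local/bin/consul-template \
    && rm -rf /tmp/* \
    && apk del unzip \
    && addgroup -S app \
    && adduser -S -G app app

# Drop to the unprivileged user for everything that runs from this image.
USER app

# Healthcheck Instruction Missing: the probe is an assumption; replace it with
# a check that reflects what this container is actually expected to do.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD pgrep consul-template >/dev/null || exit 1

# Assumed entrypoint; the report does not show the original CMD/ENTRYPOINT.
ENTRYPOINT ["/usr/local/bin/consul-template"]
```

Build with `docker build --build-arg CONSUL_TEMPLATE_VERSION=0.19.5 -t consul-template:0.19.5 .` and re-run the IaC scan against the rewritten file. The checksum step deliberately keeps `sha256sum`'s own exit status in the `&&` chain: the original pipes it through `grep OK`, which only reports whether any line of the whole SUMS file verified, not whether the file just downloaded did.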
