beats/heartbeat-oss:8.6.2-amd64

Size

813.55 MB

Architecture

amd64

Created

2023-02-12

Pull command

docker pull docker.elastic.co/beats/heartbeat-oss:8.6.2-amd64

Vulnerability report

Critical

0 High

0 Medium

22 Low

13 Negligible

4 Unknown

0

Medium

CVE	Package	Version	Description
CVE-2022-48303	tar	1.30+dfsg-7ubuntu0.20.04.2	GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.
CVE-2023-0797	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2022-48281	tiff	4.1.0+git191117-2ubuntu0.20.04.7	processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image.
CVE-2023-0801	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0796	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0803	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0800	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0799	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0804	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0802	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0795	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0798	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2023-0767	nss	2:3.49.1-1ubuntu1.8	Arbitrary memory write via PKCS 12 in NSS
CVE-2021-37750	krb5	1.17-6ubuntu4.2	The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
CVE-2021-36222	krb5	1.17-6ubuntu4.2	ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.
CVE-2016-1585	apparmor	2.13.3-7ubuntu5.1	In all versions of AppArmor mount rules are accidentally widened when compiled.
CVE-2023-23916	curl	7.68.0-1ubuntu2.15	An allocation of resources without limits or throttling vulnerability exists in curl
CVE-2023-27535	curl	7.68.0-1ubuntu2.15	FTP too eager connection reuse
CVE-2023-0361	gnutls28	3.6.13-2ubuntu1.7	A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.
CVE-2022-4415	systemd	245.4-4ubuntu3.19	A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.
CVE-2022-3821	systemd	245.4-4ubuntu3.19	An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.
CVE-2023-25193	harfbuzz	2.6.4-1ubuntu4.2	hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Low

CVE	Package	Version	Description
CVE-2018-10126	tiff	4.1.0+git191117-2ubuntu0.20.04.7	LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16x16 function in jfdctint.c.
CVE-2023-27536	curl	7.68.0-1ubuntu2.15	GSS delegation too eager connection re-use
CVE-2023-27538	curl	7.68.0-1ubuntu2.15	SSH connection too eager reuse still
CVE-2023-27533	curl	7.68.0-1ubuntu2.15	TELNET option IAC injection
CVE-2023-27534	curl	7.68.0-1ubuntu2.15	SFTP path ~ resolving discrepancy
CVE-2017-7475	cairo	1.16.0-4ubuntu1	Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
CVE-2018-18064	cairo	1.16.0-4ubuntu1	cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).
CVE-2019-6461	cairo	1.16.0-4ubuntu1	An issue was discovered in cairo 1.16.0. There is an assertion problem in the function _cairo_arc_in_direction in the file cairo-arc.c.
CVE-2023-26604	systemd	245.4-4ubuntu3.19	systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.
CVE-2022-3219	gnupg2	2.2.19-3ubuntu2.2	GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.
CVE-2022-3857	libpng1.6	1.6.37-2	A flaw was found in libpng 1.6.38. A crafted PNG image can lead to a segmentation fault and denial of service in png_setup_paeth_row() function.
CVE-2013-4235	shadow	1:4.8.1-1ubuntu5.20.04.4	shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees
CVE-2016-2781	coreutils	8.30-3ubuntu2	chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Negligible

CVE	Package	Version	Description
CVE-2017-11164	pcre3	2:8.39-12ubuntu0.1	In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.
CVE-2016-20013	glibc	2.31-0ubuntu9.9	sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.
CVE-2021-39537	ncurses	6.2-0ubuntu2	An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.
CVE-2022-29458	ncurses	6.2-0ubuntu2	ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.