Snyk - Open Source Security

Snyk test report

June 16th 2024, 12:21:13 am (UTC+00:00)

Scanned the following paths:
  • redis:7.0.15-alpine (apk)
  • redis:7.0.15-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
3 known vulnerabilities
19 vulnerable dependency paths
18 dependencies

Use After Free

medium severity

  • Package Manager: alpine:3.20
  • Vulnerable module: busybox/busybox
  • Introduced through: docker-image|redis@7.0.15-alpine and busybox/busybox@1.36.1-r28

Detailed paths

  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/busybox@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > alpine-baselayout/alpine-baselayout@3.6.5-r0 > busybox/busybox-binsh@1.36.1-r28 > busybox/busybox@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/busybox-binsh@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > alpine-baselayout/alpine-baselayout@3.6.5-r0 > busybox/busybox-binsh@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/ssl_client@1.36.1-r28

NVD Description

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

Remediation

Upgrade Alpine:3.20 busybox to version 1.36.1-r29 or higher.

Use After Free

medium severity

  • Package Manager: alpine:3.20
  • Vulnerable module: busybox/busybox
  • Introduced through: docker-image|redis@7.0.15-alpine and busybox/busybox@1.36.1-r28

Detailed paths

  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/busybox@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > alpine-baselayout/alpine-baselayout@3.6.5-r0 > busybox/busybox-binsh@1.36.1-r28 > busybox/busybox@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/busybox-binsh@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > alpine-baselayout/alpine-baselayout@3.6.5-r0 > busybox/busybox-binsh@1.36.1-r28
  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/ssl_client@1.36.1-r28

NVD Description

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.

Remediation

Upgrade Alpine:3.20 busybox to version 1.36.1-r29 or higher.

CVE-2024-4741

low severity

  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|redis@7.0.15-alpine and openssl/libcrypto3@3.3.0-r2

Detailed paths

  • Introduced through: docker-image|redis@7.0.15-alpine > openssl/libcrypto3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > .redis-rundeps@20240524.005525 > openssl/libcrypto3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > apk-tools/apk-tools@2.14.4-r0 > openssl/libcrypto3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/ssl_client@1.36.1-r28 > openssl/libcrypto3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > .redis-rundeps@20240524.005525 > openssl/libssl3@3.3.0-r2 > openssl/libcrypto3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > openssl/libssl3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > .redis-rundeps@20240524.005525 > openssl/libssl3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > apk-tools/apk-tools@2.14.4-r0 > openssl/libssl3@3.3.0-r2
  • Introduced through: docker-image|redis@7.0.15-alpine > busybox/ssl_client@1.36.1-r28 > openssl/libssl3@3.3.0-r2

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.0-r3 or higher.