╭ [0] ╭ Target: nmaguiar/imgutils:build-lite (alpine 3.22.0_alpha20250108)
│ ├ Class : os-pkgs
│ ╰ Type : alpine
╰ [1] ╭ Target : usr/bin/crictl
├ Class : lang-pkgs
├ Type : gobinary
╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45338
│ ├ PkgID : golang.org/x/net@v0.30.0
│ ├ PkgName : golang.org/x/net
│ ├ PkgIdentifier ╭ PURL: pkg:golang/golang.org/x/net@v0.30.0
│ │ ╰ UID : 9ce1984a5172bc7c
│ ├ InstalledVersion: v0.30.0
│ ├ FixedVersion : 0.33.0
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:4bc2dbad26b6c1a007153c53e7cc98960abceb313d9b5
│ │ │ 7eed73dc2ac4cace9e2
│ │ ╰ DiffID: sha256:52aa4bbd38bdbc662c61837ae1c5fd699c221785eab6b
│ │ 48a7e4b5448dd92b347
│ ├ SeveritySource : ghsa
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45338
│ ├ DataSource ╭ ID : ghsa
│ │ ├ Name: GitHub Security Advisory Go
│ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ osystem%3Ago
│ ├ Title : golang.org/x/net/html: Non-linear parsing of case-insensitive
│ │ content in golang.org/x/net/html
│ ├ Description : An attacker can craft an input to the Parse functions that
│ │ would be processed non-linearly with respect to its length,
│ │ resulting in extremely slow parsing. This could cause a
│ │ denial of service.
│ ├ Severity : HIGH
│ ├ CweIDs ─ [0]: CWE-1333
│ ├ VendorSeverity ╭ amazon : 2
│ │ ├ azure : 3
│ │ ├ cbl-mariner: 3
│ │ ├ ghsa : 3
│ │ ├ redhat : 3
│ │ ╰ ubuntu : 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/
│ │ │ A:H
│ │ ╰ V3Score : 7.5
│ ├ References ╭ [0] : https://access.redhat.com/security/cve/CVE-2024-45338
│ │ ├ [1] : https://cs.opensource.google/go/x/net
│ │ ├ [2] : https://github.com/golang/go/issues/70906
│ │ ├ [3] : https://go-review.googlesource.com/c/net/+/637536
│ │ ├ [4] : https://go.dev/cl/637536
│ │ ├ [5] : https://go.dev/issue/70906
│ │ ├ [6] : https://groups.google.com/g/golang-announce/c/wSCRmFnN
│ │ │ mPA/m/Lvcd0mRMAwAJ
│ │ ├ [7] : https://nvd.nist.gov/vuln/detail/CVE-2024-45338
│ │ ├ [8] : https://pkg.go.dev/vuln/GO-2024-3333
│ │ ├ [9] : https://ubuntu.com/security/notices/USN-7197-1
│ │ ╰ [10]: https://www.cve.org/CVERecord?id=CVE-2024-45338
│ ├ PublishedDate : 2024-12-18T21:15:08.173Z
│ ╰ LastModifiedDate: 2024-12-31T20:16:06.603Z
├ [1] ╭ VulnerabilityID : CVE-2024-45336
│ ├ PkgID : stdlib@v1.23.3
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.3
│ │ ╰ UID : c32ee6844a95cf7d
│ ├ InstalledVersion: v1.23.3
│ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc2
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:4bc2dbad26b6c1a007153c53e7cc98960abceb313d9b5
│ │ │ 7eed73dc2ac4cace9e2
│ │ ╰ DiffID: sha256:52aa4bbd38bdbc662c61837ae1c5fd699c221785eab6b
│ │ 48a7e4b5448dd92b347
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45336
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : golang: net/http: net/http: sensitive headers incorrectly
│ │ sent after cross-domain redirect
│ ├ Description : The HTTP client drops sensitive headers after following a
│ │ cross-domain redirect. For example, a request to a.com/
│ │ containing an Authorization header which is redirected to
│ │ b.com/ will not send that header to b.com. In the event that
│ │ the client received a subsequent same-domain redirect,
│ │ however, the sensitive headers would be restored. For
│ │ example, a chain of redirects from a.com/, to b.com/1, and
│ │ finally to b.com/2 would incorrectly send the Authorization
│ │ header to b.com/2.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.9
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45336
│ │ ├ [1]: https://go.dev/cl/643100
│ │ ├ [2]: https://go.dev/issue/70530
│ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ bk9LAa-lCgAJ
│ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ G461hA6lCgAJ
│ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45336
│ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3420
│ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45336
│ ├ PublishedDate : 2025-01-28T02:15:28.807Z
│ ╰ LastModifiedDate: 2025-01-28T16:15:38.22Z
╰ [2] ╭ VulnerabilityID : CVE-2024-45341
├ PkgID : stdlib@v1.23.3
├ PkgName : stdlib
├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.3
│ ╰ UID : c32ee6844a95cf7d
├ InstalledVersion: v1.23.3
├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc2
├ Status : fixed
├ Layer ╭ Digest: sha256:4bc2dbad26b6c1a007153c53e7cc98960abceb313d9b5
│ │ 7eed73dc2ac4cace9e2
│ ╰ DiffID: sha256:52aa4bbd38bdbc662c61837ae1c5fd699c221785eab6b
│ 48a7e4b5448dd92b347
├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45341
├ DataSource ╭ ID : govulndb
│ ├ Name: The Go Vulnerability Database
│ ╰ URL : https://pkg.go.dev/vuln/
├ Title : golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can
│ bypass URI name constraints
├ Description : A certificate with a URI which has a IPv6 address with a zone
│ ID may incorrectly satisfy a URI name constraint that
│ applies to the certificate chain. Certificates containing
│ URIs are not permitted in the web PKI, so this only affects
│ users of private PKIs which make use of URIs.
├ Severity : MEDIUM
├ VendorSeverity ─ redhat: 1
├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/
│ │ A:N
│ ╰ V3Score : 4.2
├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45341
│ ├ [1]: https://go.dev/cl/643099
│ ├ [2]: https://go.dev/issue/71156
│ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ bk9LAa-lCgAJ
│ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ G461hA6lCgAJ
│ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45341
│ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3373
│ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45341
├ PublishedDate : 2025-01-28T02:15:29.147Z
╰ LastModifiedDate: 2025-01-28T16:15:38.65Z