mongodb-8.2.5_linux_arm64

digest	sha256:ef1633654bdeb0cd15b30f9cbfc54c452bcbd2860cfc5c9c64098ad435fe2b9e
vulnerabilities
platform	linux/arm64
size	478 MB
packages	266

stdlib 1.25.0 (golang) pkg:golang/stdlib@1.25.0 # mongo-8.dockerfile (114:114) RUN mkdir -p /opt/bitnami/mongodb Affected range >=1.25.0-0 <1.25.7 Fixed version 1.25.7 EPSS Score 0.017% EPSS Percentile 4th percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.033% EPSS Percentile 10th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range >=1.25.0 <1.25.5 Fixed version 1.25.5 EPSS Score 0.023% EPSS Percentile 6th percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range >=1.25.0 <1.25.6 Fixed version 1.25.6 EPSS Score 0.034% EPSS Percentile 10th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.040% EPSS Percentile 12th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.039% EPSS Percentile 12th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.009% EPSS Percentile 1st percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range >=1.25.0 <1.25.3 Fixed version 1.25.3 EPSS Score 0.018% EPSS Percentile 5th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range >=1.25.0 <1.25.6 Fixed version 1.25.6 EPSS Score 0.019% EPSS Percentile 5th percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range >=1.25.0 <1.25.5 Fixed version 1.25.5 EPSS Score 0.011% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.012% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range >=1.25.0 <1.25.1 Fixed version 1.25.1 EPSS Score 0.011% EPSS Percentile 1st percentile Description When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections. Affected range >=1.25.0 <1.25.6 Fixed version 1.25.6 EPSS Score 0.009% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.021% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.012% EPSS Percentile 2nd percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.037% EPSS Percentile 11th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.031% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.022% EPSS Percentile 6th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range >=1.25.0 <1.25.2 Fixed version 1.25.2 EPSS Score 0.017% EPSS Percentile 4th percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.005% EPSS Percentile 0th percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.010% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

stdlib 1.24.6 (golang) pkg:golang/stdlib@1.24.6 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range <1.24.13 Fixed version 1.24.13 EPSS Score 0.017% EPSS Percentile 4th percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.033% EPSS Percentile 10th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.023% EPSS Percentile 6th percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.034% EPSS Percentile 10th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.040% EPSS Percentile 12th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.039% EPSS Percentile 12th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.009% EPSS Percentile 1st percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.018% EPSS Percentile 5th percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.019% EPSS Percentile 5th percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.011% EPSS Percentile 1st percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.012% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.24.12 Fixed version 1.24.12 EPSS Score 0.009% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.021% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.012% EPSS Percentile 2nd percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.037% EPSS Percentile 11th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.031% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.022% EPSS Percentile 6th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.017% EPSS Percentile 4th percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.005% EPSS Percentile 0th percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.010% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

stdlib 1.25.5 (golang) pkg:golang/stdlib@1.25.5 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range >=1.25.0-0 <1.25.7 Fixed version 1.25.7 EPSS Score 0.017% EPSS Percentile 4th percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.033% EPSS Percentile 10th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range >=1.25.0 <1.25.6 Fixed version 1.25.6 EPSS Score 0.034% EPSS Percentile 10th percentile Description The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. Affected range >=1.25.0 <1.25.6 Fixed version 1.25.6 EPSS Score 0.019% EPSS Percentile 5th percentile Description archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.012% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range >=1.25.0 <1.25.6 Fixed version 1.25.6 EPSS Score 0.009% EPSS Percentile 1st percentile Description During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.005% EPSS Percentile 0th percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.010% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

stdlib 1.25.7 (golang) pkg:golang/stdlib@1.25.7 # mongo-8.dockerfile (124:124) RUN chmod -R g+rwX /opt/bitnami Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.033% EPSS Percentile 10th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.012% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.005% EPSS Percentile 0th percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.010% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

golang.org/x/crypto 0.35.0 (golang) pkg:golang/golang.org/x/crypto@0.35.0 # mongo-8.dockerfile (124:124) RUN chmod -R g+rwX /opt/bitnami Affected range <0.43.0 Fixed version 0.43.0 EPSS Score 0.039% EPSS Percentile 12th percentile Description SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. Allocation of Resources Without Limits or Throttling Affected range <0.45.0 Fixed version 0.45.0 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.087% EPSS Percentile 25th percentile Description SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. Out-of-bounds Read Affected range <0.45.0 Fixed version 0.45.0 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L EPSS Score 0.021% EPSS Percentile 6th percentile Description SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

golang.org/x/net 0.36.0 (golang) pkg:golang/golang.org/x/net@0.36.0 # mongo-8.dockerfile (124:124) RUN chmod -R g+rwX /opt/bitnami Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.011% EPSS Percentile 1st percentile Description The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Affected range <0.45.0 Fixed version 0.45.0 EPSS Score 0.016% EPSS Percentile 4th percentile Description The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <0.38.0 Fixed version 0.38.0 CVSS Score 5.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N EPSS Score 0.119% EPSS Percentile 31st percentile Description The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. $,,\; etc\; contexts).$

curl 8.5.0-2ubuntu10.7 (deb) pkg:deb/ubuntu/curl@8.5.0-2ubuntu10.7?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range <8.5.0-2ubuntu10.8 Fixed version 8.5.0-2ubuntu10.8 EPSS Score 0.016% EPSS Percentile 4th percentile Description When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one. Affected range <8.5.0-2ubuntu10.8 Fixed version 8.5.0-2ubuntu10.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with user1:password1 and then does another operation to the same server also using Negotiate but with user2:password2 (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1... The set of authentication methods to use is set with CURLOPT_HTTPAUTH. Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API). Affected range <8.5.0-2ubuntu10.8 Fixed version 8.5.0-2ubuntu10.8 EPSS Score 0.015% EPSS Percentile 3rd percentile Description curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. Affected range <8.5.0-2ubuntu10.8 Fixed version 8.5.0-2ubuntu10.8 EPSS Score 0.341% EPSS Percentile 57th percentile Description When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.

openssl 3.0.13-0ubuntu3.7 (deb) pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.7?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range <3.0.13-0ubuntu3.9 Fixed version 3.0.13-0ubuntu3.9 EPSS Score 0.012% EPSS Percentile 1st percentile Description Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. Affected range <3.0.13-0ubuntu3.9 Fixed version 3.0.13-0ubuntu3.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. Affected range <3.0.13-0ubuntu3.9 Fixed version 3.0.13-0ubuntu3.9 EPSS Score 0.029% EPSS Percentile 8th percentile Description Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. Affected range <3.0.13-0ubuntu3.9 Fixed version 3.0.13-0ubuntu3.9 EPSS Score 0.029% EPSS Percentile 8th percentile Description Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. Affected range <3.0.13-0ubuntu3.9 Fixed version 3.0.13-0ubuntu3.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. Affected range <3.0.13-0ubuntu3.9 Fixed version 3.0.13-0ubuntu3.9 EPSS Score 0.020% EPSS Percentile 5th percentile Description Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

js-yaml 3.13.1 (npm) pkg:npm/js-yaml@3.13.1 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range <3.14.2 Fixed version 4.1.1 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N EPSS Score 0.022% EPSS Percentile 6th percentile Description Impact In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. Patches Problem is patched in js-yaml 4.1.1 and 3.14.2. Workarounds You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default). References https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

systemd 255.4-1ubuntu8.12 (deb) pkg:deb/ubuntu/systemd@255.4-1ubuntu8.12?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range <255.4-1ubuntu8.14 Fixed version 255.4-1ubuntu8.14 EPSS Score 0.011% EPSS Percentile 1st percentile Description systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

expat 2.6.1-2ubuntu0.4 (deb) pkg:deb/ubuntu/expat@2.6.1-2ubuntu0.4?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (62:101) RUN apt-get update && \ apt-get upgrade -y && \ apt-get install -y --no-install-recommends \ ca-certificates \ curl \ libbrotli1 \ libcom-err2 \ libcurl4 \ libffi8 \ libgcc-s1 \ libgmp10 \ libgnutls30 \ libgssapi-krb5-2 \ libhogweed6 \ libidn2-0 \ libk5crypto3 \ libkeyutils1 \ libkrb5-3 \ libkrb5support0 \ libldap2 \ libnettle8 \ libnghttp2-14 \ libp11-kit0 \ libpsl5 \ librtmp1 \ libsasl2-2 \ libssh2-1 \ libssl3 \ libtasn1-6 \ libunistring5 \ libzstd1 \ numactl \ procps \ zlib1g \ yq \ wait-for-it \ && apt-get autoremove -y \ && apt-get autoclean \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* Affected range >=0 Fixed version Not Fixed CVSS Score 5.5 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H EPSS Score 0.011% EPSS Percentile 1st percentile Description In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

libssh 0.10.6-2ubuntu0.3 (deb) pkg:deb/ubuntu/libssh@0.10.6-2ubuntu0.3?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range <0.10.6-2ubuntu0.4 Fixed version 0.10.6-2ubuntu0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.099% EPSS Percentile 28th percentile Description A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

tar 1.35+dfsg-3build1 (deb) pkg:deb/ubuntu/tar@1.35%2Bdfsg-3build1?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range >=0 Fixed version Not Fixed EPSS Score 0.081% EPSS Percentile 24th percentile Description GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

libgcrypt20 1.10.3-2build1 (deb) pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range >=0 Fixed version Not Fixed EPSS Score 0.745% EPSS Percentile 73rd percentile Description A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

shadow 1:4.13+dfsg1-4ubuntu3.2 (deb) pkg:deb/ubuntu/shadow@1%3A4.13%2Bdfsg1-4ubuntu3.2?os_distro=noble&os_name=ubuntu&os_version=24.04 # mongo-8.dockerfile (51:51) FROM mongo:8.2.5 Affected range >=0 Fixed version Not Fixed EPSS Score 4.509% EPSS Percentile 89th percentile Description shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.