Application security report
Adeptia follows established processes for security testing and ensures that there is zero critical and high vulnerability in the released product. The following table contains the summary of high and medium severity vulnerabilities of the microservice images of Adeptia Connect v4.1.
| Image Name | Severity | Vulnerability ID | Package Name | Description | Published | Modified | Status |
|---|---|---|---|---|---|---|---|
Database Migration Shared License Webapp gateway REST API Publisher API Publisher Gateway Migration Listener Archival and Cleanup | Low | CVE-2022-37434 | zlib | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader | 6 Aug 2022 | 6 Aug 2022 | To be planned in v4.2 |
Webapp Gateway API Publisher Gateway Migration | High | CVE-2022-2097 | openssl | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. | 6 Jul 2022 | 6 Jul 2022 | To be planned in v4.2 |
| RabbitMQ | High | CVE-2022-32207 | curl | When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally widen the permissions for the target file, leaving the updated file accessible to more users than intended. | 28 Jun 2022 | 28 Jun 2022 | |
| High | CVE-2019-8457 | db5.3 | SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables. | 30 May 2019 | 30 May 2019 | ||
| High | CVE-2022-1664 | dpkg | The Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs. | 26 May 2022 | 26 May 2022 | ||
| High | CVE-2022-23219 | glibc | The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. | 14 Jan 2022 | 14 Jan 2022 | ||
| High | CVE-2022-23218 | glibc | The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. | 14 Jan 2022 | 14 Jan 2022 | ||
| High | CVE-2022-29155 | openldap | In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping. | 5 May 2022 | 5 May 2022 | ||
| High | openssl | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. | 4 May 2022 | 4 May 2022 | |||
| High | CVE-2022-2274 | openssl | The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue. | 2 Jul 2022 | 2 Jul 2022 | ||
| High | pcre2 | An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. | 6 May 2022 | 6 May 2022 | |||
| High | CVE-2022-24407 | cyrus-sasl2 | In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. | 23 Feb 2022 | 23 Feb 2022 | ||
| High | CVE-2022-22576 | curl | An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). | 28 Apr 2022 | 28 Apr 2022 | ||
| High | CVE-2022-27778 | curl | A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when --no-clobber is used together with --remove-on-error. | 11 May 2022 | 11 May 2022 | ||
| High | CVE-2022-1304 | e2fsprogs | An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem. | 12 Apr 2022 | 12 Apr 2022 | ||
| High | CVE-2020-16156 | perl | CPAN 2.28 allows Signature Verification Bypass. | 24 Nov 2021 | 24 Nov 2021 | ||
| High | CVE-2022-27775 | curl | An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead. | 27 Apr 2022 | 27 Apr 2022 | ||
| High | CVE-2022-27781 | curl | libcurl provides the | 11 May 2022 | 11 May 2022 | ||
| High | CVE-2022-27782 | curl | libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. | 11 May 2022 | 11 May 2022 | ||
| High | CVE-2022-27780 | curl | The curl URL parser wrongly accepts percent-encoded URL separators like '/'when decoding the host name part of a URL, making it a different URL usingthe wrong host name when it is later retrieved. | 11 May 2022 | 11 May 2022 | ||
| High | CVE-2022-2509 | gnutils28 | A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function. | 1 Aug 2022 | 1 Aug 2022 | ||
| High | CVE-2021-46828 | libtirpc | In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections. | 23 Jul 2022 | 23 Jul 2022 | ||
| High | CVE-2022-0778 | openssl | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli | 16 Mar 2022 | 16 Mar 2022 | ||
| High | CVE-2022-2097 | openssl | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. | 5 Jul 2022 | 5 Jul 2022 | ||
| High | CVE-2018-25032 | zlib | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. | 26 Mar 2022 | 26 Mar 2022 | ||
| High | CVE-2022-29458 | ncurses | ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library. | 19 Apr 2022 | 19 Apr 2022 | ||
| Medium | CVE-2022-27776 | curl | A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. | 27 Apr 2022 | 27 Apr 2022 | ||
| Medium | CVE-2022-32206 | curl | curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. | 28 Jun 2022 | 28 Jun 2022 | ||
| Medium | CVE-2022-34903 | gnupg2 | GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. | 2 Jul 2022 | 2 Jul 2022 | ||
| Medium | CVE-2022-32208 | curl | When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. | 28 Jun 2022 | 28 Jun 2022 | ||
| Medium | CVE-2021-4160 | openssl | There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. | 29 Jan 2022 | 29 Jan 2022 | ||
| Medium | CVE-2022-27774 | curl | An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers. | 27 Apr 2022 | 27 Apr 2022 | ||
| Medium | CVE-2022-27779 | curl | libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt with or without Public Suffix Listawareness. If PSL support not provided, a more rudimentary check exists to atleast prevent cookies from being set on TLDs. This check was broken if thehost name in the URL uses a trailing dot.This can allow arbitrary sites to set cookies that then would get sent to adifferent and unrelated site or domain. | 11 May 2022 | 11 May 2022 | ||
| Medium | CVE-2022-30115 | curl | Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or the otherway around - by having the trailing dot in the HSTS cache and not using thetrailing dot in the URL. | 11 May 2022 | 11 May 2022 | ||
| Medium | CVE-2022-32205 | curl | A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error. | 28 Jun 2022 | 28 Jun 2022 | ||
| AI Map | High | CVE-2022-1664 | dpkg | the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs. | 26 May 2022 | 26 May 2022 | |
| High | expat | defineAttribute, addBinding, build_model, lookup, storeAtts, nextScaffoldPart, doProlog, copyString, storeRawNames in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | 8 Jan 2022 | 8 Jan 2022 | |||
| High | CVE-2022-25235 | expat | xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | 16 Feb 2022 | 16 Feb 2022 | ||
| High | CVE-2022-23852 | expat | Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. | 24 Jan 2022 | 24 Jan 2022 | ||
| High | CVE-2022-25235 | expat | xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. | 16 Feb 2022 | 16 Feb 2022 | ||
| High | CVE-2022-25236 | expat | xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. | 16 Feb 2022 | 16 Feb 2022 | ||
| High | CVE-2021-45960 | expat | In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). | 2 Jan 2022 | 2 Jan 2022 | ||
| High | openssl | The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. | 4 May 2022 | 4 May 2022 | |||
| High | CVE-2022-2068 | openssl | In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found | 22 Jun 2022 | 22 Jun 2022 | ||
| High | CVE-2022-22576 | curl | An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). | 28 Apr 2022 | 28 Apr 2022 | ||
| High | CVE-2018-12886 | gcc-8 | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. | 22 May 2019 | 22 May 2019 | ||
| High | CVE-2022-27782 | curl | libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. | 11 May 2022 | 11 May 2022 | ||
| High | CVE-2022-27781 | curl | libcurl provides the CURLOPT_CERTINFO option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation. | 11 May 2022 | 11 May 2022 | ||
| High | CVE-2021-43618 | gmp | GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. | 15 Nov 2021 | 15 Nov 2021 | ||
| High | CVE-2022-2509 | gnutls28 | A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function. | 1 Aug 2022 | 1 Aug 2022 | ||
| High | CVE-2022-0778 | openssl | The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. | 16 Mar 2022 | 16 Mar 2022 | ||
| High | CVE-2018-25032 | zlip | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. | 26 Mar 2022 | 26 Mar 2022 | ||
| Medium | CVE-2022-27776 | curl | A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. | 27 Apr 2022 | 27 Apr 2022 | ||
| Medium | CVE-2022-32206 | curl | curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. | 28 Jun 2022 | 28 Jun 2022 | ||
| Medium | CVE-2022-25313 | expat | In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element. | 18 Feb 2022 | 18 Feb 2022 | ||
| Medium | CVE-2022-34903 | gnupg | GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line. | 2 Jul 2022 | 2 Jul 2022 |