Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-25914: Check if file exists when executable path is passed in through jib dockerClient.executable by mpeddada1 · Pull Request #3744 · GoogleContainerTools/jib

The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.

CVE
#google#rce#docker

Conversation

*

* @return {@code true} if Docker is installed on the user’s system and accessible

*/

public static boolean isDefaultDockerInstalled() {

return isDockerInstalled(DEFAULT_DOCKER_CLIENT);

try {

new ProcessBuilder(DEFAULT_DOCKER_CLIENT.toString()).start();

*

* @return {@code true} if Docker is installed on the user’s system and accessible

*/

public static boolean isDefaultDockerInstalled() {

return isDockerInstalled(DEFAULT_DOCKER_CLIENT);

try {

new ProcessBuilder(DEFAULT_DOCKER_CLIENT.toString()).start();

This was referenced

Aug 25, 2022

mpeddada1 marked this pull request as ready for review

Aug 25, 2022

Related news

Red Hat Security Advisory 2023-0471-01

Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.

RHSA-2023:0471: Red Hat Security Advisory: Migration Toolkit for Runtimes security update

An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-25914: jib-core: RCE via the isDockerInstalled * CVE-2022-37603: loader-utils:Regular expression denial of service * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays * CVE-2022...

GHSA-936v-cg49-m2g5: com.google.cloud.tools:jib-core vulnerable to Remote Code Execution (RCE)

The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907