AWS ECS scan Critical vulnerability in Docker Image version 1.12.0


joao reigota

Jan 31, 2023, 4:56:59 AM
to OWASP ZAP User Group
Hi,
After running an AWS ECS scan on top of ZAP docker image v1.12.0, a CRITICAL issue appeared as well as HIGH results

CVE-2019-19814 in package linux:5.10.158-2 (CRITICAL)

Thank you,
João Reigota


Simon Bennetts

Jan 31, 2023, 5:03:56 AM
to OWASP ZAP User Group
  • In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image can cause __remove_dirty_segment slab-out-of-bounds write access because an array is bounded by the number of dirty types (8) but the array index can exceed this.
ZAP doesn't mount filesystems.
If you don't mount crafted f2fs filesystems on the ZAP image then I don't see how this could be a problem.

If anyone can think of a way this can be realistically a problem then let us know asap.

We update the stable docker image at the start of the month as per https://www.zaproxy.org/docs/docker/about/#stable

I don't see any reason to bring that forward right now.

Cheers,

Simon
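
One way to check the precondition described in the reply above from inside a running container, as an added example that is not part of the thread or the ZAP project: mounting a filesystem needs CAP_SYS_ADMIN, so the script reads the capability bounding set and the kernel's filesystem list. The function names, verdict strings and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): can a process in this container reach
# the precondition for CVE-2019-19814, i.e. mount an f2fs image?
CAP_SYS_ADMIN_BIT=21  # capability number of CAP_SYS_ADMIN, required by mount(2)

# cap_bounded STATUS_FILE: 0 if CAP_SYS_ADMIN is in the bounding set (CapBnd),
# 1 if it is not, 2 if CapBnd is missing or malformed.
cap_bounded() {
    hex=$(awk '$1 == "CapBnd:" { print $2 }' "$1" 2>/dev/null)
    case $hex in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$hex >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# f2fs_registered FS_FILE: true if the running kernel lists f2fs.
f2fs_registered() {
    awk '$NF == "f2fs" { hit = 1 } END { exit !hit }' "$1"
}

# triage [STATUS_FILE] [FS_FILE]: print one verdict; defaults read live /proc.
triage() {
    status=${1:-/proc/self/status}; fs=${2:-/proc/filesystems}
    rc=0; cap_bounded "$status" || rc=$?
    case $rc in
        1) echo "mount-denied" ;;       # no process here can gain CAP_SYS_ADMIN
        0) if f2fs_registered "$fs"; then echo "f2fs-mountable"
           else echo "review"           # f2fs may still be loadable as a module
           fi ;;
        *) echo "unknown" ;;            # could not read the bounding set
    esac
}

# Constructed samples: Docker's default bounding set and a --privileged one.
demo() {
    d=$(mktemp -d)
    printf 'Name:\tjava\nCapBnd:\t00000000a80425fb\n' > "$d/default"
    printf 'Name:\tjava\nCapBnd:\t000001ffffffffff\n' > "$d/privileged"
    printf 'nodev\tproc\n\text4\n\tf2fs\n' > "$d/fs_f2fs"
    printf 'nodev\tproc\n\text4\n' > "$d/fs_plain"
    echo "default caps:       $(triage "$d/default" "$d/fs_f2fs")"
    echo "privileged + f2fs:  $(triage "$d/privileged" "$d/fs_f2fs")"
    echo "privileged, no f2fs: $(triage "$d/privileged" "$d/fs_plain")"
    rm -rf "$d"
}
demo
```

Calling `triage` with no arguments inside the container evaluates the live `/proc` files; the result is conservative, since a bounding set that includes CAP_SYS_ADMIN does not mean any process actually uses it.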

joao reigota

Feb 2, 2023, 12:48:35 PM
to OWASP ZAP User Group

I am sorry, I wrote the wrong version: it is not 1.12.0, it is 2.12.0.

Thank you,
João Reigota

Simon Bennetts

Feb 3, 2023, 4:35:56 AM
to OWASP ZAP User Group
Yeah, I guessed ;)
But my previous response still stands.