opensuse-su-2022:10081-1
Vulnerability from csaf_opensuse
Published
2022-08-06 16:01
Modified
2022-08-06 16:01
Summary
Security update for trivy

Notes

Title of the patch
Security update for trivy
Description of the patch
This update for trivy fixes the following issues:

trivy was updated to version 0.30.4:

* fix: remove the first arg when running as a plugin (#2595)
* fix: k8s controlplaner scanning (#2593)
* fix(vuln): GitLab report template (#2578)

Update to version 0.30.3:

* fix(server): use a new db worker for hot updates (#2581)
* docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)
* docs: split commands to download db for different versions of oras (#2582)
* feat(report): export exitcode for license checks (#2564)
* fix: cli can use lowercase for severities (#2565)
* fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)
* fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)
* fix: enable some features of the wasm runtime (#2575)
* fix(k8s): no error logged if trivy can't get docker image in kubernetes mode (#2521)
* docs(sbom): improve sbom attestation documentation (#2566)

Update to version 0.30.2:

* fix(report): show the summary without results (#2548)
* fix(cli): replace '-' to '_' for env vars (#2561)

Update to version 0.30.1:

* chore: remove a test repository (#2551)
* fix(license): lazy loading of classifiers (#2547)
* fix: CVE-2022-1996 in Trivy (#2499)
* docs(sbom): add sbom attestation (#2527)
* feat(rocky): set Rocky Linux 9 EOL (#2543)
* docs: add attributes to the video tag to autoplay demo videos (#2538)
* fix: yaml files with non-string chart name (#2534)
* fix: skip dirs (#2530)
* feat(repo): add support for branch, commit, & tag (#2494)
* fix: remove auto configure environment variables via viper (#2526)

Update to version 0.30.0:

* fix: separating multiple licenses from one line in dpkg copyright files (#2508)
* fix: change a capital letter for `plugin uninstall` subcommand (#2519)
* fix: k8s hide empty report when scanning resource (#2517)
* refactor: fix comments (#2516)
* fix: scan vendor dir (#2515)
* feat: Add support for license scanning (#2418)
* chore: add owners for secret scanning (#2485)
* fix: remove dependency-tree flag for image subcommand (#2492)
* fix(k8s): add shorthand for k8s namespace flag (#2495)
* docs: add information about using multiple servers to troubleshooting (#2498)
* ci: add pushing canary build images to registries (#2428)
* feat(dotnet): add support for .Net core .deps.json files (#2487)
* feat(amazon): add support for 2022 version (#2429)
* Type correction bitnami chart (#2415)
* docs: add config file and update CLI references (#2489)
* feat: add support for flag groups (#2488)
* refactor: move from urfave/cli to spf13/cobra (#2458)
* fix: Fix secrets output not containing file/lines (#2467)
* fix: clear output with modules (#2478)
* docs(cbl): distroless 1.0 supported (#2473)
* fix: Fix example dockerfile rego policy (#2460)
* fix(config): add helm to list of config analyzers (#2457)
* feat: k8s resouces scan (#2395)
* feat(sbom): add cyclonedx sbom scan (#2203)
* docs: remove links to removed content (#2431)
* ci: added rpm build for rhel 9 (#2437)
* fix(secret): remove space from asymmetric private key (#2434)
* test(integration): fix golden files for debian 9 (#2435)
* fix(cli): fix version string in docs link when secret scanning is enabled (#2422)
* refactor: move CycloneDX marshaling (#2420)
* docs(nodejs): add docs about pnpm support (#2423)
* docs: improve k8s usage documentation (#2425)
* feat: Make secrets scanning output consistant (#2410)
* ci: create canary build after main branch changes (#1638)
* fix(misconf): skip broken scans (#2396)
* feat(nodejs): add pnpm support (#2414)
* fix: Fix false positive for use of COS images (#2413)
* eliminate nerdctl dependency (#2412)
* Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403)
* fix(go): no cast to lowercase go package names (#2401)
* BREAKING(sbom): change 'trivy sbom' to scan SBOM (#2408)
* fix(server): hot update the db from custom repository (#2406)
* feat: added license parser for dpkg (#2381)
* fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400)
* feat: extract stripe publishable and secret keys (#2392)
* feat: rbac support k8s sub-command (#2339)
* feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390)
* docs: Updating README with new CLI command (#2359)
* fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383)
* chore: add integration label and merge security label (#2316)

Update to version 0.29.2:

* chore: skip Visual Studio Code project folder (#2379)
* fix(helm): handle charts with templated names (#2374)
* docs: redirect operator docs to trivy-operator repo (#2372)
* fix(secret): use secret result when determining Failed status (#2370)
* try removing libdb-dev
* run integration tests in fanal
* use same testing images in fanal
* feat(helm): add support for trivy dbRepository (#2345)
* fix: Fix failing test due to deref lint issue
* test: Fix broken test
* fix: Fix makefile when no previous named ref is visible in a shallow clone
* chore: Fix linting issues in fanal
* refactor: Fix fanal import paths and remove dotfiles

Update to version 0.29.1:

* fix(report): add required fields to the SARIF template (#2341)
* chore: fix spelling errors (#2352)
* Omit Remediation if PrimaryURL is empty (#2006)
* docs(repo): Link to installation documentation in readme shows 404 (#2348)
* feat(alma): support for scanning of modular packages for AlmaLinux (#2347)

Update to version 0.29.0:

* fix(lang): fix dependency graph in client server mode (#2336)
* feat: allow expiration date for .trivyignore entries (#2332)
* feat(lang): add dependency origin graph (#1970)
* docs: update nix installation info (#2331)
* feat: add rbac scanning support (#2328)
* refactor: move WordPress module to another repository (#2329)
* ci: add support for ppc64le (#2281)
* feat: add support for WASM modules (#2195)
* feat(secret): show recommendation for slow scanning (#2051)
* fix(flag): remove --clear-cache flag client mode (#2301)
* fix(java): added check for looping for variable evaluation in pom file (#2322)
* BREAKING(k8s): change CLI API (#2186)
* feat(alpine): add Alpine Linux 3.16 (#2319)
* ci: add `go mod tidy` check (#2314)
* chore: run `go mod tidy` (#2313)
* fix: do not exit if one resource is not found (#2311)
* feat(cli): use stderr for all log messages (resolve #381) (#2289)
* test: replace deprecated subcommand client in integration tests (#2308)
* feat: add support for containerd (#2305)
* fix(kubernetes): Support floats in manifest yaml (#2297)
* docs(kubernetes): dead links (#2307)
* chore: add license label (#2304)
* feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293)
* feat(helm): add pod annotations (#2272)
* refactor: do not import defsec in fanal types package (#2292)
* feat(report): Add misconfiguration support to ASFF report template (#2285)
* test: use images in GHCR (#2275)
* feat(helm): support pod annotations (#2265)
* feat(misconf): Helm chart scanning (#2269)
* docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267)
* fix: mask redis credentials when logging (#2264)
* refactor: extract commands Runner interface (#2147)
* docs: update operator release (#2263)
* feat(redhat): added architecture check (#2172)
* docs: updating links in the docs to work again (#2256)
* docs: fix readme (#2251)
* fix: fixed incorrect CycloneDX output format (#2255)
* refactor(deps): move dependencies to package (#2189)
* fix(report): change github format version to required (#2229)
* docs: update readme (#2110)
* docs: added information about choosing advisory database (#2212)
* chore: update trivy-kubernetes (#2224)
* docs: clarifying parts of the k8s docs and updating links (#2222)
* fix(k8s): timeout error logging (#2179)
* chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214)
* feat(k8s): add --context flag (#2171)
* fix(k8s): properly instantiate TableWriter (#2175)
* test: fixed integration tests after updating testcontainers to v0.13.0 (#2208)
* chore: update labels (#2197)
* fix(report): fixed panic if all misconf reports were removed in filter (#2188)
* feat(k8s): scan secrets (#2178)
* feat(report): GitHub Dependency Snapshots support (#1522)
* feat(db): added insecure skip tls verify to download trivy db (#2140)
* fix(redhat): always use vulns with fixed version if there is one (#2165)
* chore(redhat): Add support for Red Hat UBI 9. (#2183)
* fix(k8s): update trivy-kubernetes (#2163)
* fix misconfig start line for code quality tpl (#2181)
* fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176)
* docs(vuln): Include GitLab 15.0 integration (#2153)
* docs: fix the operator version (#2167)
* fix(k8s): summary report when when only vulns exit (#2146)
* chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156)
* perf(misconf): Improve performance when scanning very large files (#2152)
* docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150)
* chore(deps): Update fanal (for less verbose code in misconf results) (#2151)
* docs: fixed installation instruction for rhel/centos (#2143)
Patchnames
openSUSE-2022-10081
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for trivy",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for trivy fixes the following issues:\n\ntrivy was updated to version 0.30.4:\n\n* fix: remove the first arg when running as a plugin (#2595)\n* fix: k8s controlplaner scanning (#2593)\n* fix(vuln): GitLab report template (#2578)\n\nUpdate to version 0.30.3:\n\n* fix(server): use a new db worker for hot updates (#2581)\n* docs: add trivy with download-db-only flag to Air-Gapped Environment (#2583)\n* docs: split commands to download db for different versions of oras (#2582)\n* feat(report): export exitcode for license checks (#2564)\n* fix: cli can use lowercase for severities (#2565)\n* fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)\n* fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)\n* fix: enable some features of the wasm runtime (#2575)\n* fix(k8s): no error logged if trivy can\u0027t get docker image in kubernetes mode (#2521)\n* docs(sbom): improve sbom attestation documentation (#2566)\n\nUpdate to version 0.30.2:\n\n* fix(report): show the summary without results (#2548)\n* fix(cli): replace \u0027-\u0027 to \u0027_\u0027 for env vars (#2561)\n\nUpdate to version 0.30.1:\n\n* chore: remove a test repository (#2551)\n* fix(license): lazy loading of classifiers (#2547)\n* fix: CVE-2022-1996 in Trivy (#2499)\n* docs(sbom): add sbom attestation (#2527)\n* feat(rocky): set Rocky Linux 9 EOL (#2543)\n* docs: add attributes to the video tag to autoplay demo videos (#2538)\n* fix: yaml files with non-string chart name (#2534)\n* fix: skip dirs (#2530)\n* feat(repo): add support for branch, commit, \u0026 tag (#2494)\n* fix: remove auto configure environment variables via viper (#2526)\n\nUpdate to version 0.30.0:\n\n* fix: separating multiple licenses from one line in dpkg copyright files (#2508)\n* fix: change a capital letter for `plugin uninstall` subcommand (#2519)\n* fix: k8s hide empty report when scanning resource (#2517)\n* refactor: fix comments (#2516)\n* fix: scan vendor dir (#2515)\n* feat: 
Add support for license scanning (#2418)\n* chore: add owners for secret scanning (#2485)\n* fix: remove dependency-tree flag for image subcommand (#2492)\n* fix(k8s): add shorthand for k8s namespace flag (#2495)\n* docs: add information about using multiple servers to troubleshooting (#2498)\n* ci: add pushing canary build images to registries (#2428)\n* feat(dotnet): add support for .Net core .deps.json files (#2487)\n* feat(amazon): add support for 2022 version (#2429)\n* Type correction bitnami chart (#2415)\n* docs: add config file and update CLI references (#2489)\n* feat: add support for flag groups (#2488)\n* refactor: move from urfave/cli to spf13/cobra (#2458)\n* fix: Fix secrets output not containing file/lines (#2467)\n* fix: clear output with modules (#2478)\n* docs(cbl): distroless 1.0 supported (#2473)\n* fix: Fix example dockerfile rego policy (#2460)\n* fix(config): add helm to list of config analyzers (#2457)\n* feat: k8s resouces scan (#2395)\n* feat(sbom): add cyclonedx sbom scan (#2203)\n* docs: remove links to removed content (#2431)\n* ci: added rpm build for rhel 9 (#2437)\n* fix(secret): remove space from asymmetric private key (#2434)\n* test(integration): fix golden files for debian 9 (#2435)\n* fix(cli): fix version string in docs link when secret scanning is enabled (#2422)\n* refactor: move CycloneDX marshaling (#2420)\n* docs(nodejs): add docs about pnpm support (#2423)\n* docs: improve k8s usage documentation (#2425)\n* feat: Make secrets scanning output consistant (#2410)\n* ci: create canary build after main branch changes  (#1638)\n* fix(misconf): skip broken scans (#2396)\n* feat(nodejs): add pnpm support (#2414)\n* fix: Fix false positive for use of COS images (#2413)\n* eliminate nerdctl dependency (#2412)\n* Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403)\n* fix(go): no cast to lowercase go package names (#2401)\n* BREAKING(sbom): change \u0027trivy sbom\u0027 to scan SBOM (#2408)\n* fix(server): hot update the 
db from custom repository (#2406)\n* feat: added license parser for dpkg (#2381)\n* fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key (#2400)\n* feat: extract stripe publishable and secret keys (#2392)\n* feat: rbac support k8s sub-command (#2339)\n* feat(ruby): drop platform strings from dependency versions bundled with bundler v2 (#2390)\n* docs: Updating README with new CLI command (#2359)\n* fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug (#2383)\n* chore: add integration label and merge security label (#2316)\n\nUpdate to version 0.29.2:\n\n* chore: skip Visual Studio Code project folder (#2379)\n* fix(helm): handle charts with templated names (#2374)\n* docs: redirect operator docs to trivy-operator repo (#2372)\n* fix(secret): use secret result when determining Failed status (#2370)\n* try removing libdb-dev\n* run integration tests in fanal\n* use same testing images in fanal\n* feat(helm): add support for trivy dbRepository (#2345)\n* fix: Fix failing test due to deref lint issue\n* test: Fix broken test\n* fix: Fix makefile when no previous named ref is visible in a shallow clone\n* chore: Fix linting issues in fanal\n* refactor: Fix fanal import paths and remove dotfiles\n\nUpdate to version 0.29.1:\n\n* fix(report): add required fields to the SARIF template (#2341)\n* chore: fix spelling errors (#2352)\n* Omit Remediation if PrimaryURL is empty (#2006)\n* docs(repo): Link to installation documentation in readme shows 404 (#2348)\n* feat(alma): support for scanning of modular packages for AlmaLinux (#2347)\n\nUpdate to version 0.29.0:\n\n* fix(lang): fix dependency graph in client server mode (#2336)\n* feat: allow expiration date for .trivyignore entries (#2332)\n* feat(lang): add dependency origin graph (#1970)\n* docs: update nix installation info (#2331)\n* feat: add rbac scanning support (#2328)\n* refactor: move WordPress module to another repository (#2329)\n* ci: add support for ppc64le (#2281)\n* feat: add 
support for WASM modules (#2195)\n* feat(secret): show recommendation for slow scanning (#2051)\n* fix(flag): remove --clear-cache flag client mode (#2301)\n* fix(java): added check for looping for variable evaluation in pom file (#2322)\n* BREAKING(k8s): change CLI API (#2186)\n* feat(alpine): add Alpine Linux 3.16 (#2319)\n* ci: add `go mod tidy` check (#2314)\n* chore: run `go mod tidy` (#2313)\n* fix: do not exit if one resource is not found (#2311)\n* feat(cli): use stderr for all log messages (resolve #381) (#2289)\n* test: replace deprecated subcommand client in integration tests (#2308)\n* feat: add support for containerd (#2305)\n* fix(kubernetes): Support floats in manifest yaml (#2297)\n* docs(kubernetes): dead links (#2307)\n* chore: add license label (#2304)\n* feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293)\n* feat(helm): add pod annotations (#2272)\n* refactor: do not import defsec in fanal types package (#2292)\n* feat(report): Add misconfiguration support to ASFF report template (#2285)\n* test: use images in GHCR (#2275)\n* feat(helm): support pod annotations (#2265)\n* feat(misconf): Helm chart scanning (#2269)\n* docs: Update custom rego policy docs to reflect latest defsec/fanal changes (#2267)\n* fix: mask redis credentials when logging (#2264)\n* refactor: extract commands Runner interface (#2147)\n* docs: update operator release (#2263)\n* feat(redhat): added architecture check (#2172)\n* docs: updating links in the docs to work again (#2256)\n* docs: fix readme (#2251)\n* fix: fixed incorrect CycloneDX output format (#2255)\n* refactor(deps): move dependencies to package (#2189)\n* fix(report): change github format version to required (#2229)\n* docs: update readme (#2110)\n* docs: added information about choosing advisory database (#2212)\n* chore: update trivy-kubernetes (#2224)\n* docs: clarifying parts of the k8s docs and updating links (#2222)\n* fix(k8s): timeout error logging (#2179)\n* chore(deps): updated fanal 
after fix AsymmetricPrivateKeys (#2214)\n* feat(k8s): add --context flag (#2171)\n* fix(k8s): properly instantiate TableWriter (#2175)\n* test: fixed integration tests after updating testcontainers to v0.13.0 (#2208)\n* chore: update labels (#2197)\n* fix(report): fixed panic if all misconf reports were removed in filter (#2188)\n* feat(k8s): scan secrets (#2178)\n* feat(report): GitHub Dependency Snapshots support (#1522)\n* feat(db): added insecure skip tls verify to download trivy db (#2140)\n* fix(redhat): always use vulns with fixed version if there is one (#2165)\n* chore(redhat): Add support for Red Hat UBI 9. (#2183)\n* fix(k8s): update trivy-kubernetes (#2163)\n*  fix misconfig start line for code quality tpl (#2181)\n* fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176)\n* docs(vuln): Include GitLab 15.0 integration (#2153)\n* docs: fix the operator version (#2167)\n* fix(k8s): summary report when when only vulns exit (#2146)\n* chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives in ksv038) (#2156)\n* perf(misconf): Improve performance when scanning very large files (#2152)\n* docs(misconf): Update examples and docs to refer to builtin/defsec instead of appshield (#2150)\n* chore(deps): Update fanal (for less verbose code in misconf results) (#2151)\n* docs: fixed installation instruction for rhel/centos (#2143)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2022-10081",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2022_10081-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2022:10081-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HVVWQ7QWDT7GBZUAYXIWYZURAWKCEVQ/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2022:10081-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5HVVWQ7QWDT7GBZUAYXIWYZURAWKCEVQ/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-1996 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-1996/"
      }
    ],
    "title": "Security update for trivy",
    "tracking": {
      "current_release_date": "2022-08-06T16:01:16Z",
      "generator": {
        "date": "2022-08-06T16:01:16Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2022:10081-1",
      "initial_release_date": "2022-08-06T16:01:16Z",
      "revision_history": [
        {
          "date": "2022-08-06T16:01:16Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.aarch64",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.aarch64",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.i586",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.i586",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.s390x",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.s390x",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "trivy-0.30.4-bp154.2.6.1.x86_64",
                "product": {
                  "name": "trivy-0.30.4-bp154.2.6.1.x86_64",
                  "product_id": "trivy-0.30.4-bp154.2.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP4",
                "product": {
                  "name": "SUSE Package Hub 15 SP4",
                  "product_id": "SUSE Package Hub 15 SP4"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.aarch64 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.i586 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.i586",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.s390x as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.x86_64 as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.i586 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "trivy-0.30.4-bp154.2.6.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
        },
        "product_reference": "trivy-0.30.4-bp154.2.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1996",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-1996"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64",
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586",
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x",
          "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x",
          "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-1996",
          "url": "https://www.suse.com/security/cve/CVE-2022-1996"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200528 for CVE-2022-1996",
          "url": "https://bugzilla.suse.com/1200528"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.i586",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.s390x",
            "SUSE Package Hub 15 SP4:trivy-0.30.4-bp154.2.6.1.x86_64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.aarch64",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.i586",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.s390x",
            "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2022-08-06T16:01:16Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-1996"
    }
  ]
}
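The JSON above is what a CSAF consumer actually has to work with: the fixed package appears as a `product_version` leaf in `product_tree.branches`, is tied to a product by a `default_component_of` relationship, and only the combined id (for example `openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64`) is referenced from `vulnerabilities[].product_status.recommended`. The Python below is an added example, not SUSE's generator (`cve-database.git:bin/generate-csaf.pl`) and not Trivy code: it walks that structure, resolves the recommended ids back to a package name, version, release and architecture, and compares an installed NEVRA against the fix using a simplified rpm-style segment comparison (rpm's tilde and caret rules are left out, since neither occurs here). The embedded document is a constructed one-architecture subset of this advisory; the installed versions in `__main__` are hypothetical. It also returns the two ratings side by side, because SUSE's `aggregate_severity` for the patch is "moderate" while the CVE's own CVSS 3.1 base score is 9.1 (CRITICAL); a consumer that reads only one of those fields will prioritize differently from one that reads the other.

```python
import json
import re

# Constructed one-architecture subset of the CSAF document above (x86_64 on
# openSUSE Leap 15.4).  The walk below handles any number of branches.
CSAF_JSON = r'''{
  "document": {"tracking": {"id": "openSUSE-SU-2022:10081-1"}, "aggregate_severity": {"text": "moderate"}},
  "product_tree": {
    "branches": [{"category": "vendor", "name": "SUSE", "branches": [
      {"category": "architecture", "name": "x86_64", "branches": [
        {"category": "product_version", "name": "trivy-0.30.4-bp154.2.6.1.x86_64",
         "product": {"name": "trivy-0.30.4-bp154.2.6.1.x86_64",
                     "product_id": "trivy-0.30.4-bp154.2.6.1.x86_64"}}]},
      {"category": "product_family", "name": "SUSE Linux Enterprise", "branches": [
        {"category": "product_name", "name": "openSUSE Leap 15.4",
         "product": {"name": "openSUSE Leap 15.4", "product_id": "openSUSE Leap 15.4"}}]}]}],
    "relationships": [{"category": "default_component_of",
      "full_product_name": {"product_id": "openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"},
      "product_reference": "trivy-0.30.4-bp154.2.6.1.x86_64",
      "relates_to_product_reference": "openSUSE Leap 15.4"}]},
  "vulnerabilities": [{"cve": "CVE-2022-1996",
    "product_status": {"recommended": ["openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"]},
    "scores": [{"cvss_v3": {"baseScore": 9.1, "baseSeverity": "CRITICAL"},
                "products": ["openSUSE Leap 15.4:trivy-0.30.4-bp154.2.6.1.x86_64"]}]}]}'''
CSAF = json.loads(CSAF_JSON)

def leaf_products(branches):
    """Flatten the nested product_tree into {product_id: branch category}."""
    out = {}
    for branch in branches:
        if "product" in branch:
            out[branch["product"]["product_id"]] = branch["category"]
        out.update(leaf_products(branch.get("branches", [])))
    return out

def parse_nevra(pkg):
    """Split 'name-version-release.arch' (no epoch appears in this advisory)."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.([^.]+)", pkg)
    if not m:
        raise ValueError(f"not a name-version-release.arch string: {pkg}")
    return m.groups()

def rpmvercmp(a, b):
    """Simplified rpm segment compare: digit runs as integers, alpha runs
    lexically, digits beat alphas, leftover segments win (no tilde/caret)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def fixed_packages(csaf):
    """Resolve product_status.recommended ids through the relationships into
    (product, package name, arch, fixed version/release, cve) records."""
    tree = csaf["product_tree"]
    leaves = leaf_products(tree["branches"])
    rels = {r["full_product_name"]["product_id"]: r for r in tree["relationships"]}
    records = []
    for vuln in csaf["vulnerabilities"]:
        for pid in vuln["product_status"].get("recommended", []):
            rel = rels[pid]                      # KeyError here = inconsistent CSAF
            pkg = rel["product_reference"]
            if leaves.get(pkg) != "product_version":
                raise ValueError(f"{pkg} is not a product_version leaf")
            name, ver, release, arch = parse_nevra(pkg)
            records.append({"product": rel["relates_to_product_reference"],
                            "name": name, "arch": arch,
                            "fixed": (ver, release), "cve": vuln["cve"]})
    return records

def advisory_status(csaf, product, installed_nevra):
    """'not covered', 'fixed' or 'vulnerable: <cves>' for one installed RPM."""
    name, ver, release, arch = parse_nevra(installed_nevra)
    hits = [r for r in fixed_packages(csaf)
            if (r["product"], r["name"], r["arch"]) == (product, name, arch)]
    if not hits:
        return "not covered"
    # Version decides; release breaks ties, as rpm itself does.
    open_cves = sorted({r["cve"] for r in hits
                        if (rpmvercmp(ver, r["fixed"][0])
                            or rpmvercmp(release, r["fixed"][1])) < 0})
    return "vulnerable: " + ", ".join(open_cves) if open_cves else "fixed"

def severities(csaf):
    """Vendor aggregate rating beside the highest CVSS base score in the document."""
    top = max(s["cvss_v3"]["baseScore"]
              for v in csaf["vulnerabilities"] for s in v.get("scores", []))
    return csaf["document"]["aggregate_severity"]["text"], top

if __name__ == "__main__":
    # Hypothetical installed builds; the first is older than the fix.
    for nevra in ("trivy-0.30.2-bp154.2.3.1.x86_64", "trivy-0.30.4-bp154.2.6.1.x86_64"):
        print(f"{nevra}: {advisory_status(CSAF, 'openSUSE Leap 15.4', nevra)}")
    print("aggregate rating / max CVSS:", severities(CSAF))
```

On a host, `rpm -q trivy` prints the installed NEVRA to feed into `advisory_status`. Note that `not covered` (the product or architecture is absent from the advisory's relationships) is a different outcome from `fixed` and must not be read as "safe"; it only means this document says nothing about that package.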

