[GH-ISSUE #287] Dependency vulnerability report #150

Open
opened 2026-03-13 15:57:06 +03:00 by kerem · 3 comments

Originally created by @anthonator on GitHub (Dec 23, 2021).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/287

This report was generated using trivy (https://github.com/aquasecurity/trivy) for Docker image joohoi/acme-dns:latest.

Command used:

$> trivy image joohoi/acme-dns:latest

Alpine related vulnerabilities

joohoi/acme-dns:latest (alpine 3.12.3)
======================================
Total: 38 (UNKNOWN: 0, LOW: 2, MEDIUM: 6, HIGH: 27, CRITICAL: 3)

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.5-r1         | 2.10.7-r0     | libfetch before 2021-07-26, as        |
|              |                  |          |                   |               | used in apk-tools, xbps, and          |
|              |                  |          |                   |               | other products, mishandles...         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-36159 |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-30139   | HIGH     |                   | 2.10.6-r0     | In Alpine Linux apk-tools             |
|              |                  |          |                   |               | before 2.12.5, the tarball            |
|              |                  |          |                   |               | parser allows a buffer...             |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-30139 |
+--------------+------------------+          +-------------------+---------------+---------------------------------------+
| busybox      | CVE-2021-28831   |          | 1.31.1-r19        | 1.32.1-r4     | busybox: invalid free or segmentation |
|              |                  |          |                   |               | fault via malformed gzip data         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-42378   |          |                   | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   |               | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1i-r0         | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23840   | HIGH     |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3712    |          |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23841   | MEDIUM   |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+                   +---------------+---------------------------------------+
| libssl1.1    | CVE-2021-3711    | CRITICAL |                   | 1.1.1l-r0     | openssl: SM2 Decryption               |
|              |                  |          |                   |               | Buffer Overflow                       |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3711  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23840   | HIGH     |                   | 1.1.1j-r0     | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check         |
|              |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450  |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3712    |          |                   | 1.1.1l-r0     | openssl: Read buffer overruns         |
|              |                  |          |                   |               | processing ASN.1 strings              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3712  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23841   | MEDIUM   |                   | 1.1.1j-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in signature_algorithms processing    |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449  |
+              +------------------+----------+                   +---------------+---------------------------------------+
|              | CVE-2021-23839   | LOW      |                   | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| ssl_client   | CVE-2021-28831   | HIGH     | 1.31.1-r19        | 1.32.1-r4     | busybox: invalid free or segmentation |
|              |                  |          |                   |               | fault via malformed gzip data         |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-28831 |
+              +------------------+          +                   +---------------+---------------------------------------+
|              | CVE-2021-42378   |          |                   | 1.31.1-r21    | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42378 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42379   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42379 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42380   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42380 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42381   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42381 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42382   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42382 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42383   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42383 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42384   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42384 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42385   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42385 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-42386   |          |                   |               | busybox: use-after-free in            |
|              |                  |          |                   |               | awk applet leads to denial            |
|              |                  |          |                   |               | of service and possibly...            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42386 |
+              +------------------+----------+                   +               +---------------------------------------+
|              | CVE-2021-42374   | MEDIUM   |                   |               | busybox: out-of-bounds read           |
|              |                  |          |                   |               | in unlzma applet leads to             |
|              |                  |          |                   |               | information leak and denial...        |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-42374 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

root/acme-dns (gobinary)
========================
Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
|       LIBRARY        | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |            FIXED VERSION             |                 TITLE                 |
+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
| github.com/miekg/dns | CVE-2019-19794   | MEDIUM   | v1.1.22                            | 1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable  |
|                      |                  |          |                                    |                                      | TXID can lead to response forgeries   |
|                      |                  |          |                                    |                                      | -->avd.aquasec.com/nvd/cve-2019-19794 |
+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
| golang.org/x/crypto  | CVE-2020-29652   | HIGH     | v0.0.0-20191011191535-87dc89f01550 | v0.0.0-20201216223049-8b5274cf687f   | golang: crypto/ssh: crafted           |
|                      |                  |          |                                    |                                      | authentication request can            |
|                      |                  |          |                                    |                                      | lead to nil pointer dereference       |
|                      |                  |          |                                    |                                      | -->avd.aquasec.com/nvd/cve-2020-29652 |
+----------------------+------------------+          +------------------------------------+--------------------------------------+---------------------------------------+
| golang.org/x/text    | CVE-2020-14040   |          | v0.3.2                             | 0.3.3                                | golang.org/x/text: possibility        |
|                      |                  |          |                                    |                                      | to trigger an infinite loop in        |
|                      |                  |          |                                    |                                      | encoding/unicode could lead to...     |
|                      |                  |          |                                    |                                      | -->avd.aquasec.com/nvd/cve-2020-14040 |
+                      +------------------+----------+                                    +--------------------------------------+---------------------------------------+
|                      | CVE-2021-38561   | UNKNOWN  |                                    | 0.3.7                                | -->avd.aquasec.com/nvd/cve-2021-38561 |
+----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+
| | | | | | | -->avd.aquasec.com/nvd/cve-2021-42374 | +--------------+------------------+----------+-------------------+---------------+---------------------------------------+ ``` ## `acme-dns` related vulnerabilities ``` root/acme-dns (gobinary) ======================== Total: 4 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0) +----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+ | github.com/miekg/dns | CVE-2019-19794 | MEDIUM | v1.1.22 | 1.1.25-0.20191211073109-8ebf2e419df7 | golang-github-miekg-dns: predictable | | | | | | | TXID can lead to response forgeries | | | | | | | -->avd.aquasec.com/nvd/cve-2019-19794 | +----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+ | golang.org/x/crypto | CVE-2020-29652 | HIGH | v0.0.0-20191011191535-87dc89f01550 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted | | | | | | | authentication request can | | | | | | | lead to nil pointer dereference | | | | | | | -->avd.aquasec.com/nvd/cve-2020-29652 | +----------------------+------------------+ +------------------------------------+--------------------------------------+---------------------------------------+ | golang.org/x/text | CVE-2020-14040 | | v0.3.2 | 0.3.3 | golang.org/x/text: possibility | | | | | | | to trigger an infinite loop in | | | | | | | encoding/unicode could lead to... 
| | | | | | | -->avd.aquasec.com/nvd/cve-2020-14040 | + +------------------+----------+ +--------------------------------------+---------------------------------------+ | | CVE-2021-38561 | UNKNOWN | | 0.3.7 | -->avd.aquasec.com/nvd/cve-2021-38561 | +----------------------+------------------+----------+------------------------------------+--------------------------------------+---------------------------------------+ ```

@anthonator commented on GitHub (Dec 23, 2021):

Sorry for the churn in the title. I didn't want to needlessly scare anyone.

This is a report from trivy on vulnerabilities detected for the Docker image joohoi/acme-dns:latest (I'm assuming this is maintained by @joohoi). Since this is a public image I thought it was important to report on vulnerabilities within the base Alpine image as well as the Go dependencies of acme-dns.

I was able to resolve CVE-2019-19794, CVE-2020-29652 and CVE-2020-14040 by updating to the latest versions of github.com/miekg/dns and golang.org/x/crypto. The only vulnerability left is CVE-2021-38561 which currently has a severity of UNKNOWN.

The steps needed to resolve the vulnerabilities in the manner I described above are:

  1. Update the base Docker image to the latest version of Alpine (as of now that would be 3.15.0) in Dockerfile
  2. Update dependency github.com/miekg/dns to version v1.1.45 at go.mod:24
  3. Update dependency golang.org/x/crypto to version v0.0.0-20211215153901-e495a2d5b3d3 at go.mod:35

My hope is this report will encourage the maintainers of this project to update this project's dependencies so these issues can be resolved. I would also encourage automating dependency updates using a tool like Dependabot or Renovate.

I would submit a pull request for these issues myself but it doesn't look like this project has seen much attention recently and a lot of issues and pull requests have gone unanswered so I don't want to spend more time on this unless I get a 👍 from someone who could merge a pull request.

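As an added example (not code from this issue thread or from acme-dns), a small Go policy check over trivy's JSON report that separates findings with a published fix at or above a chosen severity, which a dependency bump and image rebuild should clear, from UNKNOWN-severity findings such as CVE-2021-38561 that need manual follow-up. The JSON field names are an assumption about trivy's `--format json` schema, and the sample report embedded below is constructed to mirror a few rows of the table above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of trivy's JSON report (trivy image --format json). The field names are an
// assumption about trivy's schema; fields not declared here are ignored on decode.
type vuln struct{ VulnerabilityID, FixedVersion, Severity string }
type report struct{ Results []struct{ Vulnerabilities []vuln } }
// rank orders trivy's labels; UNKNOWN is lowest so it never blocks a build by itself
// but is returned separately for manual follow-up (the CVE-2021-38561 case above).
var rank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
// Gate returns sorted, de-duplicated IDs that should fail the build (severity >= minSev
// with a fixed version already published) plus the IDs whose severity is still UNKNOWN.
func Gate(raw []byte, minSev string) (blocking, unknown []string, err error) {
	var rep report
	if err = json.Unmarshal(raw, &rep); err != nil {
		return nil, nil, err
	}
	seen := map[string]bool{} // one CVE is listed once per package (libcrypto1.1, libssl1.1)
	for _, r := range rep.Results {
		for _, v := range r.Vulnerabilities {
			if seen[v.VulnerabilityID] {
				continue
			}
			seen[v.VulnerabilityID] = true
			if v.Severity == "UNKNOWN" {
				unknown = append(unknown, v.VulnerabilityID)
			} else if rank[v.Severity] >= rank[minSev] && v.FixedVersion != "" {
				blocking = append(blocking, v.VulnerabilityID)
			}
		}
	}
	sort.Strings(blocking)
	sort.Strings(unknown)
	return blocking, unknown, nil
}
// Sample is a constructed fragment mirroring rows of the report above, not real trivy output.
const Sample = `{"Results":[{"Vulnerabilities":[
{"VulnerabilityID":"CVE-2021-3711","PkgName":"libcrypto1.1","FixedVersion":"1.1.1l-r0","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-2021-3711","PkgName":"libssl1.1","FixedVersion":"1.1.1l-r0","Severity":"CRITICAL"},
{"VulnerabilityID":"CVE-2021-23839","PkgName":"libssl1.1","FixedVersion":"1.1.1j-r0","Severity":"LOW"},
{"VulnerabilityID":"CVE-2021-38561","PkgName":"golang.org/x/text","FixedVersion":"0.3.7","Severity":"UNKNOWN"}]}]}`

func main() {
	b, u, err := Gate([]byte(Sample), "HIGH")
	fmt.Println(b, u, err) // [CVE-2021-3711] [CVE-2021-38561] <nil>
}
```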

@joohoi commented on GitHub (Jan 25, 2022):

Thanks for this report, it's highly appreciated. I had to make some changes to how certmagic is used because they updated their whole API between the versions, but I believe I have everything sorted out now... Well except CVE-2021-38561 that seems to still be unpublished.


@hstock commented on GitHub (Jan 27, 2023):

image might need a rebuild with Alpine security updates:

```
NAME  INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY
zlib  1.2.12-r1  1.2.12-r2  apk   CVE-2022-37434  Critical
```

(Report created by grype)
