feat: Add consistent labels to all resources created by the Helm chart #302
7 fail in 0s
1 files 4 suites 0s ⏱️
7 tests 0 ✅ 0 💤 7 ❌
8 runs 0 ✅ 0 💤 8 ❌
Results for commit 913e9e4.
Annotations
Check warning on line 0 in libcrypto3-3.1.4-r4
github-actions / node-red:3.0.2-main-linux-arm64 scan results
[MEDIUM] CVE-2024-0727 (libcrypto3-3.1.4-r4) failed
trivy-junit-results.xml
Raw output
openssl: denial of service via null dereference
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack
Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Check warning on line 0 in libssl3-3.1.4-r4
github-actions / node-red:3.0.2-main-linux-arm64 scan results
[MEDIUM] CVE-2024-0727 (libssl3-3.1.4-r4) failed
trivy-junit-results.xml
Raw output
openssl: denial of service via null dereference
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack
Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Check warning on line 0 in openssl-3.1.4-r4
github-actions / node-red:3.0.2-main-linux-arm64 scan results
[MEDIUM] CVE-2024-0727 (openssl-3.1.4-r4) failed
trivy-junit-results.xml
Raw output
openssl: denial of service via null dereference
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack
Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Check warning on line 0 in moment-timezone-0.5.34
github-actions / node-red:3.0.2-main-linux-arm64 scan results
[MEDIUM] GHSA-v78c-4p63-2j6c (moment-timezone-0.5.34) failed
trivy-junit-results.xml
Raw output
Cleartext Transmission of Sensitive Information in moment-timezone
### Impact
* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website
* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)
### Patches
Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.
### Workarounds
Specify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.
Check warning on line 0 in semver-7.3.7
github-actions / node-red:3.0.2-main-linux-arm64 scan results
All 2 runs failed: [MEDIUM] CVE-2022-25883 (semver-7.3.7)
trivy-junit-results.xml
Raw output
nodejs-semver: Regular expression denial of service
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Check warning on line 0 in tough-cookie-4.0.0
github-actions / node-red:3.0.2-main-linux-arm64 scan results
[MEDIUM] CVE-2023-26136 (tough-cookie-4.0.0) failed
trivy-junit-results.xml
Raw output
tough-cookie: prototype pollution in cookie memstore
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.
Check warning on line 0 in xml2js-0.4.23
github-actions / node-red:3.0.2-main-linux-arm64 scan results
[MEDIUM] CVE-2023-0842 (xml2js-0.4.23) failed
trivy-junit-results.xml
Raw output
node-xml2js: xml2js is vulnerable to prototype pollution
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.