Main Vulnerability Database SB2025032969

SB2025032969 - Anolis OS update for container-tools:an8 module

Published: March 29, 2025

Security Bulletin ID SB2025032969

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 8

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 8 vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2023-45290)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in net/http due to application does not properly control consumption of internal resources when parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Memory leak (CVE-ID: CVE-2024-1394)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the RSA encrypting/decrypting code when handling untrusted input. A remote attacker can pass specially crafted data to the application and perform denial of service attack.

3) Error Handling (CVE-ID: CVE-2024-24783)

CWE-ID: CWE-388 - Error Handling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in crypto/x509 due to improper validation of a certificate chain that contains an unknown public key. A remote attacker can pass a specially crafted certificate to the application and perform a denial of service attack.

4) Input validation error (CVE-ID: CVE-2024-24784)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of display names within the ParseAddressList function in net/mail. A remote attacker can pass specially crafted input to the application and perform a spoofing attack.

5) Input validation error (CVE-ID: CVE-2024-24789)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to insufficient validation of user-supplied input in archive/zip when handling zip archives. A remote attacker can create a zip file with content that will vary depending on the implementation reading the file.

6) Improper validation of integrity check value (CVE-ID: CVE-2024-3727)

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper validation of integrity check. A remote attacker can trick the victim into providing authenticated registry accesses, causing resource exhaustion, local path traversal, and other attacks.

7) Resource exhaustion (CVE-ID: CVE-2024-37298)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in schema.Decoder.Decode() . A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

8) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-6104)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data obtain from HTTP requests.

Remediation

Install update from vendor's website.

References

https://anas.openanolis.cn/errata/detail/ANSA-2024:0838

Vulnerable Software

Anolis OS: 8
toolbox-tests: before 0.0.99.5-2.0.1
toolbox: before 0.0.99.5-2.0.1
udica: before 0.2.6-21
runc: before 1.1.12-4.0.1
slirp4netns: before 1.2.3-1
oci-seccomp-bpf-hook: before 1.2.10-1
containernetworking-plugins: before 1.4.0-5.0.1
aardvark-dns: before 1.10.0-2.0.1
netavark: before 1.10.3-1.0.1
fuse-overlayfs: before 1.13-1.0.1
crun: before 1.14.3-2
skopeo-tests: before 1.14.5-3.0.1
skopeo: before 1.14.5-3.0.1
buildah: before 1.34.0-1
buildah-tests: before 1.34.0-1
containers-common: before 1-82.0.1
conmon: before 2.1.10-1
container-selinux: before 2.229.0-2
criu-devel: before 3.18-5.0.1
crit: before 3.18-5.0.1
criu: before 3.18-5.0.1
criu-libs: before 3.18-5.0.1
python3-criu: before 3.18-5.0.1
libslirp-devel: before 4.4.0-2
libslirp: before 4.4.0-2
python3-podman: before 4.9.0-2
podman-tests: before 4.9.4-12.0.1
podman-remote: before 4.9.4-12.0.1
podman-plugins: before 4.9.4-12.0.1
podman-gvproxy: before 4.9.4-12.0.1
podman-catatonit: before 4.9.4-12.0.1
podman: before 4.9.4-12.0.1
podman-docker: before 4.9.4-12.0.1
cockpit-podman: before 84.1-1

SB2025032969 - Anolis OS update for container-tools:an8 module

Breakdown by Severity

Description

Remediation

References

Please verify you're human