id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2361	CVEs against Nginx 1.22	gburton1@…		"Our Twistlock scanner is picking up a large number of CVEs against the latest version of Nginx, as well as the official Nginx Docker image for that version. Is there any plan to address these, or have some been deemed to be false positives?

There was no option to select version 1.22 in the dropdown, so I selected the latest (1.19).

Here are the results of the scan report:

nginx	1.22	debian-bullseye	CVE-2016-2781	coreutils		8.32-4	chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

nginx	1.22	debian-bullseye	CVE-2013-0337	nginx		1.22.0-1~bullseye	The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

nginx	1.22	debian-bullseye	CVE-2020-36309	nginx		1.22.0-1~bullseye	ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

nginx	1.22	debian-bullseye	CVE-2021-3618	nginx		1.22.0-1~bullseye	ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

nginx	1.22	debian-bullseye	CVE-2021-33560	libgcrypt20		1.8.7-6	Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

nginx	1.22	debian-bullseye	CVE-2022-27404	libfreetype6	freetype	2.10.4+dfsg-1	FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

nginx	1.22	debian-bullseye	CVE-2022-27405	libfreetype6	freetype	2.10.4+dfsg-1	FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

nginx	1.22	debian-bullseye	CVE-2022-27406	libfreetype6	freetype	2.10.4+dfsg-1	FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

nginx	1.22	debian-bullseye	CVE-2021-4209	libgnutls30	gnutls28	3.7.1-5	DOCUMENTATION: A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances. STATEMENT: According to the analysis on the upstream issue, this flaw has been rated as having a security impact of Low. MITIGATION: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

nginx	1.22	debian-bullseye	CVE-2022-2068	libssl1.1,openssl	openssl	1.1.1n-0+deb11u2	In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
nginx	1.22	debian-bullseye	CVE-2022-1587	libpcre2-8-0	pcre2	10.36-2	An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.
nginx	1.22	debian-bullseye	CVE-2022-1586	libpcre2-8-0	pcre2	10.36-2	An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.
nginx	1.22	debian-bullseye	CVE-2022-29458	libncursesw6,libtinfo6,ncurses-bin,ncurses-base	ncurses	6.2+20201114-2	ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

nginx	1.22	debian-bullseye	CVE-2019-8457	libdb5.3	db5.3	5.3.28+dfsg1-0.8	SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

nginx	1.22	debian-bullseye	CVE-2021-3999	libc-bin,libc6	glibc	2.31-13+deb11u3	The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly.  Security Fix(es):  * glibc: Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999)  * glibc: Stack-based buffer overflow in svcunix_create via long pathnames (CVE-2022-23218)  * glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname (CVE-2022-23219)  For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

nginx	1.22	debian-bullseye	CVE-2021-36084	libsepol1	libsepol	3.1-1	The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).

nginx	1.22	debian-bullseye	CVE-2021-36085	libsepol1	libsepol	3.1-1	The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).

nginx	1.22	debian-bullseye	CVE-2021-36086	libsepol1	libsepol	3.1-1	The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

nginx	1.22	debian-bullseye	CVE-2021-36087	libsepol1	libsepol	3.1-1	The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.

nginx	1.22	debian-bullseye	CVE-2021-38115	libgd3	libgd2	2.3.0-2	read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.

nginx	1.22	debian-bullseye	CVE-2021-40812	libgd3	libgd2	2.3.0-2	The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

nginx	1.22	debian-bullseye	CVE-2022-1210	libtiff5	tiff	4.2.0-1+deb11u1	A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

nginx	1.22	debian-bullseye	CVE-2022-1354	libtiff5	tiff	4.2.0-1+deb11u1	DOCUMENTATION: No description is available for this CVE.

nginx	1.22	debian-bullseye	CVE-2022-1355	libtiff5	tiff	4.2.0-1+deb11u1	DOCUMENTATION: No description is available for this CVE.

nginx	1.22	debian-bullseye	CVE-2022-1622	libtiff5	tiff	4.2.0-1+deb11u1	LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

nginx	1.22	debian-bullseye	CVE-2022-1623	libtiff5	tiff	4.2.0-1+deb11u1	LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

nginx	1.22	debian-bullseye	CVE-2021-22947	libcurl4,curl	curl	7.74.0-1.3+deb11u1	When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trusting the responses it got *before* the TLS handshake as if they were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.
nginx	1.22	debian-bullseye	CVE-2021-22898	libcurl4,curl	curl	7.74.0-1.3+deb11u1	curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.
nginx	1.22	debian-bullseye	CVE-2021-22946	libcurl4,curl	curl	7.74.0-1.3+deb11u1	A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

nginx	1.22	debian-bullseye	CVE-2021-22945	libcurl4,curl	curl	7.74.0-1.3+deb11u1	When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

nginx	1.22	debian-bullseye	CVE-2021-22924	libcurl4,curl	curl	7.74.0-1.3+deb11u1	libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate.

nginx	1.22	debian-bullseye	CVE-2022-22576	libcurl4,curl	curl	7.74.0-1.3+deb11u1	An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

nginx	1.22	debian-bullseye	CVE-2022-27782	libcurl4,curl	curl	7.74.0-1.3+deb11u1	libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.

nginx	1.22	debian-bullseye	CVE-2022-27775	libcurl4,curl	curl	7.74.0-1.3+deb11u1	An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0: by using an IPv6 address that was in the connection pool but with a different zone id, curl could reuse a connection instead.

nginx	1.22	debian-bullseye	CVE-2022-27781	libcurl4,curl	curl	7.74.0-1.3+deb11u1	libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.

nginx	1.22	debian-bullseye	CVE-2022-27776	libcurl4,curl	curl	7.74.0-1.3+deb11u1	An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

nginx	1.22	debian-bullseye	CVE-2022-27774	libcurl4,curl	curl	7.74.0-1.3+deb11u1	An insufficiently protected credentials vulnerability exists in curl 4.9 to and including curl 7.82.0: when following HTTP(S) redirects is used with authentication, credentials could leak to other services that exist on different protocols or port numbers.

nginx	1.22	debian-bullseye	CVE-2020-16156	libperl5.32,perl-base,perl-modules-5.32,perl	perl	5.32.1-4+deb11u2	CPAN 2.28 allows Signature Verification Bypass.

nginx	1.22	debian-bullseye	CVE-2021-46822	libjpeg62-turbo	libjpeg-turbo	1:2.0.6-4	The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.

nginx	1.22	debian-bullseye	CVE-2022-1304	libcom-err2,libss2,libext2fs2,logsave,e2fsprogs	e2fsprogs	1.46.2-2	An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

nginx	1.22	debian-bullseye	Image should be created with a non-root user				Image should be created with a non-root user"	defect	closed	minor	nginx-1.23	other	1.19.x	wontfix	CVE, vulnerability		"# uname -a
Linux cortex-nginx-7894f8d8f9-cbj6f 5.4.0-1073-azure #76~18.04.1-Ubuntu SMP Thu Mar 10 11:17:35 UTC 2022 x86_64 GNU/Linux"	"nginx version: nginx/1.22.0
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
built with OpenSSL 1.1.1n  15 Mar 2022"
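Every finding in the report above except three belongs to a Debian base-image package (coreutils, openssl, curl, glibc, ...), not to nginx, and the three against the nginx package are a default-config issue from the 1.3.x era, a third-party Lua module, and a cross-protocol TLS design issue. The scanner also matches on upstream version strings, which Debian does not bump when it backports a fix, so "1.1.1n" can remain installed after the fix for CVE-2022-2068 has shipped. The script below is an added example, not the reporter's or the nginx project's tooling: it parses a constructed subset of the tab-separated scanner lines quoted in the ticket, attributes each finding to the source package that owns the code, separates the nginx package from base-image packages, and checks the installed upstream version against the "Fixed in ... (Affected ...)" ranges that OpenSSL puts in its advisory text. The column layout (image, tag, distro, CVE, binary packages, source package, version, description) is an assumption read off the quoted lines.

```python
"""Offline triage of an image CVE report in the layout quoted in the ticket.

Added example, not the ticket's or nginx's own tooling. SCAN_REPORT is a constructed
subset of the scanner lines quoted above (descriptions shortened); the field layout is
an assumption read off those lines.
"""
import re
from collections import defaultdict

SCAN_REPORT = "\n".join([
    "nginx\t1.22\tdebian-bullseye\tCVE-2016-2781\tcoreutils\t\t8.32-4\tchroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call.",
    "nginx\t1.22\tdebian-bullseye\tCVE-2013-0337\tnginx\t\t1.22.0-1~bullseye\tThe default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the access.log and error.log files.",
    "nginx\t1.22\tdebian-bullseye\tCVE-2020-36309\tnginx\t\t1.22.0-1~bullseye\tngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI.",
    "nginx\t1.22\tdebian-bullseye\tCVE-2021-3618\tnginx\t\t1.22.0-1~bullseye\tALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates.",
    "nginx\t1.22\tdebian-bullseye\tCVE-2022-2068\tlibssl1.1,openssl\topenssl\t1.1.1n-0+deb11u2\tFurther c_rehash shell command injection. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).",
    "nginx\t1.22\tdebian-bullseye\tCVE-2022-27776\tlibcurl4,curl\tcurl\t7.74.0-1.3+deb11u1\tAn insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects.",
    "nginx\t1.22\tdebian-bullseye\tCVE-2021-46822\tlibjpeg62-turbo\tlibjpeg-turbo\t1:2.0.6-4\tThe PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage.",
    "nginx\t1.22\tdebian-bullseye\tCVE-2021-3999\tlibc-bin,libc6\tglibc\t2.31-13+deb11u3\tglibc: Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999).",
])

FIELDS = ("image", "tag", "distro", "cve", "binaries", "source", "version", "description")


def parse_report(text):
    """One dict per report line; an empty source-package column falls back to the binary name."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # compliance rows such as "Image should be created with a non-root user" carry no CVE columns
        f = dict(zip(FIELDS, parts))
        f["source"] = f["source"] or f["binaries"].split(",")[0]
        findings.append(f)
    return findings


def group_by_source(findings):
    """CVE IDs keyed by the source package that owns the code, i.e. where a fix would land."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["source"]].append(f["cve"])
    return dict(groups)


def split_nginx_vs_base(findings, image_package="nginx"):
    """Findings in the image's own package versus everything inherited from the base image."""
    own = [f for f in findings if f["source"] == image_package]
    base = [f for f in findings if f["source"] != image_package]
    return own, base


def upstream_version(debian_version):
    """'1:2.0.6-4' -> '2.0.6'; '1.1.1n-0+deb11u2' -> '1.1.1n' (strip epoch and Debian revision)."""
    v = debian_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v


def _vkey(v):
    # Numbers compare numerically, letter suffixes (OpenSSL's 1.1.1n/o/p) lexically.
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-z]+", v))


def affected_specs(description):
    """'Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)' -> [('1.1.1p', '1.1.1-1.1.1o'), ...]."""
    return re.findall(r"Fixed in OpenSSL (\S+) \(Affected ([^)]+)\)", description)


def is_affected(upstream, spec):
    """spec is either a comma list of exact versions or an inclusive 'lo-hi' range."""
    if "," in spec:
        return upstream in spec.split(",")
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return _vkey(lo) <= _vkey(upstream) <= _vkey(hi)
    return upstream == spec


def upstream_range_verdict(finding):
    """What the upstream 'Affected' text says about the installed upstream version.

    Debian backports fixes without bumping the upstream version, so 'in upstream affected
    range' is where the Debian security-tracker lookup starts, not where triage ends."""
    specs = affected_specs(finding["description"])
    if not specs:
        return "no upstream range in description"
    v = upstream_version(finding["version"])
    hit = any(is_affected(v, spec) for _, spec in specs)
    return "in upstream affected range" if hit else "outside upstream affected range"


if __name__ == "__main__":
    findings = parse_report(SCAN_REPORT)
    own, base = split_nginx_vs_base(findings)
    print(f"{len(own)} finding(s) against the nginx package, {len(base)} inherited from debian-bullseye")
    for src, cves in sorted(group_by_source(findings).items()):
        print(f"  {src:14s} {', '.join(cves)}")
    for f in findings:
        print(f"{f['cve']:15s} {f['source']:14s} {upstream_version(f['version']):8s} {upstream_range_verdict(f)}")
```

Run against the sample, the split puts three findings on the nginx source package and five on base-image packages, and CVE-2022-2068 comes back as "in upstream affected range" because 1.1.1n falls inside 1.1.1-1.1.1o; whether the installed 1.1.1n-0+deb11u2 actually carries the backported fix is a question for the Debian security tracker, which is the check a version-string scanner cannot do.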
