diff --git a/e2etests/testcase_test.go b/e2etests/testcase_test.go
index 5a9cb18e0..7010fd35a 100644
--- a/e2etests/testcase_test.go
+++ b/e2etests/testcase_test.go
@@ -1017,100 +1017,52 @@ var testCases = []testCase{
 namespace: "ubuntu:14.04",
 expectedFeatures: []apiV1.Feature{
 {
- Name: "cron",
+ Name: "pam",
 NamespaceName: "ubuntu:14.04",
 VersionFormat: "dpkg",
- Version: "3.0pl1-124ubuntu2",
+ Version: "1.1.8-1ubuntu2.2",
 AddedBy: "sha256:bae382666908fd87a3a3646d7eb7176fa42226027d3256cac38ee0b79bdb0491",
+ FixedBy: "1.1.8-1ubuntu2.2+esm4",
 Vulnerabilities: []apiV1.Vulnerability{
 {
- Name: "CVE-2017-9525",
+ Name: "CVE-2022-28321",
 NamespaceName: "ubuntu:14.04",
- Description: "In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.",
- Link: "https://ubuntu.com/security/CVE-2017-9525",
+ Description: "The Linux-PAM package before 1.5.2-6.1 for openSUSE Tumbleweed allows authentication bypass for SSH logins. The pam_access.so module doesn't correctly restrict login if a user tries to connect from an IP address that is not resolvable via DNS. In such conditions, a user with denied access to a machine can still get access. 
NOTE: the relevance of this issue is largely limited to openSUSE Tumbleweed and openSUSE Factory; it does not affect Linux-PAM upstream.",
+ Link: "https://ubuntu.com/security/CVE-2022-28321",
 Severity: "Low",
 Metadata: map[string]interface{}{
 "NVD": map[string]interface{}{
 "CVSSv2": map[string]interface{}{
- "ExploitabilityScore": 3.4,
- "ImpactScore": 10.0,
- "Score": 6.9,
- "Vectors": "AV:L/AC:M/Au:N/C:C/I:C/A:C",
- },
- "CVSSv3": map[string]interface{}{
- "ExploitabilityScore": 0.8,
- "ImpactScore": 5.9,
- "Score": 6.7,
- "Vectors": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
- },
- "LastModifiedDateTime": "2019-03-21T23:29Z",
- "PublishedDateTime": "2017-06-09T16:29Z",
- },
- },
- },
- {
- Name: "CVE-2019-9704",
- NamespaceName: "ubuntu:14.04",
- Description: "Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (daemon crash) via a large crontab file because the calloc return value is not checked.",
- Link: "https://ubuntu.com/security/CVE-2019-9704",
- Severity: "Low",
- Metadata: map[string]interface{}{
- "NVD": map[string]interface{}{
- "CVSSv2": map[string]interface{}{
- "ExploitabilityScore": 3.9,
- "ImpactScore": 2.9,
- "Score": 2.1,
- "Vectors": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
+ "ExploitabilityScore": float64(0),
+ "ImpactScore": float64(0),
+ "Score": float64(0),
+ "Vectors": "",
 },
 "CVSSv3": map[string]interface{}{
- "ExploitabilityScore": 1.8,
- "ImpactScore": 3.6,
- "Score": 5.5,
- "Vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
- },
- "LastModifiedDateTime": "2021-11-30T19:53Z",
- "PublishedDateTime": "2019-03-12T01:29Z",
- },
- },
- },
- {
- Name: "CVE-2019-9705",
- NamespaceName: "ubuntu:14.04",
- Description: "Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (memory consumption) via a large crontab file because an unlimited number of lines is accepted.",
- Link: "https://ubuntu.com/security/CVE-2019-9705",
- Severity: "Low",
- Metadata: 
map[string]interface{}{
- "NVD": map[string]interface{}{
- "CVSSv2": map[string]interface{}{
 "ExploitabilityScore": 3.9,
- "ImpactScore": 2.9,
- "Score": 2.1,
- "Vectors": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
- },
- "CVSSv3": map[string]interface{}{
- "ExploitabilityScore": 1.8,
- "ImpactScore": 3.6,
- "Score": 5.5,
- "Vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
+ "ImpactScore": 5.9,
+ "Score": 9.8,
+ "Vectors": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
 },
- "LastModifiedDateTime": "2021-11-30T18:50Z",
- "PublishedDateTime": "2019-03-12T01:29Z",
+ "LastModifiedDateTime": "2024-11-21T06:57:00Z",
+ "PublishedDateTime": "2022-09-19T22:15:00Z",
 },
 },
+ FixedBy: "1.1.8-1ubuntu2.2+esm1",
 },
 {
- Name: "CVE-2019-9706",
+ Name: "CVE-2024-22365",
 NamespaceName: "ubuntu:14.04",
- Description: "Vixie Cron before the 3.0pl1-133 Debian package allows local users to cause a denial of service (use-after-free and daemon crash) because of a force_rescan_user error.",
- Link: "https://ubuntu.com/security/CVE-2019-9706",
- Severity: "Low",
+ Description: "linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a denial of service (blocked login process) via mkfifo because the openat call (for protect_dir) lacks O_DIRECTORY.",
+ Link: "https://ubuntu.com/security/CVE-2024-22365",
+ Severity: "Moderate",
 Metadata: map[string]interface{}{
 "NVD": map[string]interface{}{
 "CVSSv2": map[string]interface{}{
- "ExploitabilityScore": 3.9,
- "ImpactScore": 2.9,
- "Score": 2.1,
- "Vectors": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
+ "ExploitabilityScore": float64(0),
+ "ImpactScore": float64(0),
+ "Score": float64(0),
+ "Vectors": "",
 },
 "CVSSv3": map[string]interface{}{
 "ExploitabilityScore": 1.8,
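Review bot: The new `CVSSv2` blocks for CVE-2022-28321 and CVE-2024-22365 pin `float64(0)` for all three scores and `"Vectors": ""`, which is exactly the shape a genuinely scored 0.0 would have, so the fixture now asserts that "NVD published no v2 score" and "v2 score of zero" are indistinguishable in the API output; that is presumably what the scanner emits for CVEs NVD never scored under v2, but it deserves a comment so the zeros are not read as a real score, e.g. `// No CVSSv2 data in NVD for this CVE; the scanner emits a zeroed map rather than omitting the key (confirm the key is really present, not absent).` CVE-2022-28321 also asserts `Severity: "Low"` next to an NVD CVSSv3 of 9.8 (`AV:N/AC:L/PR:N`) and a description that scopes the issue to openSUSE, so the severity is presumably the Ubuntu tracker's priority rather than anything derived from NVD; a one-line comment saying so would stop a future maintainer from "correcting" it to match the 9.8. Both this hunk and the second one hard-code NVD `LastModifiedDateTime` values, which move whenever NVD re-analyzes a CVE, so this fixture will keep churning unless those fields are compared loosely. The enclosing `testCases` literal starts and ends outside the hunk.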
@@ -1118,10 +1070,11 @@ var testCases = []testCase{
 "Score": 5.5,
 "Vectors": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
 },
- "LastModifiedDateTime": "2021-11-30T18:50Z",
- "PublishedDateTime": "2019-03-12T01:29Z",
+ "LastModifiedDateTime": "2024-11-21T08:56:00Z",
+ "PublishedDateTime": "2024-02-06T08:15:00Z",
 },
 },
+ FixedBy: "1.1.8-1ubuntu2.2+esm4",
 },
 },
 },