Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
amazonAmazonALAS-2023-2339
HistoryNov 09, 2023 - 7:19 p.m.

Important: nerdctl

2023-11-0919:19:00
alas.aws.amazon.com
5
nerdctl
security update
http/2 protocol
denial of service
xss attack
amazon linux 2
cve-2023-3978
cve-2023-39325

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

59.0%

JSON

Issue Overview:

2024-02-01: CVE-2023-3978 was added to this advisory.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-39325)

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. (CVE-2023-3978)

Affected Packages:

nerdctl

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update nerdctl to update your system.

New Packages:

aarch64:  
    nerdctl-1.6.2-1.amzn2.0.2.aarch64  
    nerdctl-debuginfo-1.6.2-1.amzn2.0.2.aarch64  
  
src:  
    nerdctl-1.6.2-1.amzn2.0.2.src  
  
x86_64:  
    nerdctl-1.6.2-1.amzn2.0.2.x86_64  
    nerdctl-debuginfo-1.6.2-1.amzn2.0.2.x86_64

Additional References

Red Hat: CVE-2023-39325, CVE-2023-3978

Mitre: CVE-2023-39325, CVE-2023-3978

Related

nessus 73
ibm 2
redhat 14
redhatcve 1
prion 2
redos 1
cbl_mariner 29
veracode 2
github 2
debiancve 2
osv 7
wolfi 2
ubuntucve 2
cgr 2
cve 2
fedora 25
alpinelinux 1
openvas 25
amazon 4
rocky 1
nessus
nessus
Fedora 40 : xq (2024-e9ca3462aa)
2024-04-29 00:00:00
Amazon Linux 2 : nerdctl (ALAS-2023-2339)
2023-11-15 00:00:00
Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2024-037)
2024-02-06 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities affect IBM CICS TX Advanced 11.1 and IBM CICS TX Standard 11.1 (CVE-2023-3978, CVE-2023-44487 and CVE-2023-39325).
2023-12-06 09:46:53
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to golang compiler ( CVE-2023-39325 )
2024-03-20 17:43:57
redhat
redhat
(RHSA-2023:7216) Moderate: Red Hat OpenShift Service Mesh Containers for 2.4.5
2023-11-15 00:15:54
(RHSA-2024:0944) Moderate: OpenShift Container Platform 4.14.14 packages and security update
2024-02-28 00:25:30
(RHSA-2023:7315) Important: OpenShift Container Platform 4.14.3 bug fix and security update
2023-11-21 09:25:58
redhatcve
redhatcve
CVE-2023-3978
2023-08-07 05:49:01
prion
prion
Design/Logic Flaw
2023-08-02 20:15:00
Design/Logic Flaw
2023-10-11 22:15:00
redos
redos
ROS-20240408-02
2024-04-08 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-3978 affecting package telegraf for versions less than 1.29.4-1
2024-04-17 22:02:46
CVE-2023-3978 affecting package telegraf for versions less than 1.27.4-1
2023-11-17 23:23:29
CVE-2023-3978 affecting package packer for versions less than 1.10.1-1
2024-04-12 05:06:27
veracode
veracode
Cross-Site Scripting (XSS)
2023-08-04 04:52:36
Denial Of Service (DoS)
2023-10-13 09:18:05
github
github
Improper rendering of text nodes in golang.org/x/net/html
2023-08-02 21:30:20
HTTP/2 rapid reset can cause excessive work in net/http
2023-10-11 20:35:43
debiancve
debiancve
CVE-2023-3978
2023-08-02 20:15:12
CVE-2023-39325
2023-10-11 22:15:09
osv
osv
Improper rendering of text nodes in golang.org/x/net/html
2023-08-02 15:06:27
Improper rendering of text nodes in golang.org/x/net/html
2023-08-02 21:30:20
CVE-2023-3978
2023-08-02 20:15:12
wolfi
wolfi
CVE-2023-3978 vulnerabilities
2024-05-10 03:06:50
CVE-2023-39325 vulnerabilities
2024-05-10 03:06:50
ubuntucve
ubuntucve
CVE-2023-3978
2023-08-02 00:00:00
CVE-2023-39325
2023-10-11 00:00:00
cgr
cgr
CVE-2023-3978 vulnerabilities
2024-05-10 03:09:19
CVE-2023-39325 vulnerabilities
2024-05-10 03:09:19
cve
cve
CVE-2023-3978
2023-08-02 20:15:12
CVE-2023-39325
2023-10-11 22:15:09
fedora
fedora
[SECURITY] Fedora 38 Update: prometheus-podman-exporter-1.5.0-1.fc38
2023-11-20 01:30:10
[SECURITY] Fedora 39 Update: golang-github-google-dap-0.11.0-1.fc39
2023-12-01 01:23:35
[SECURITY] Fedora 37 Update: golang-github-google-dap-0.11.0-1.fc37
2023-12-01 01:09:24
alpinelinux
alpinelinux
CVE-2023-39325
2023-10-11 22:15:09
openvas
openvas
Fedora: Security Advisory for golang-github-google-dap (FEDORA-2023-fa2ec3d3e0)
2023-12-02 00:00:00
Fedora: Security Advisory for prometheus-podman-exporter (FEDORA-2023-b43faebc9f)
2023-11-20 00:00:00
Fedora: Security Advisory for golang-x-net (FEDORA-2024-0ac454dafc)
2024-01-18 00:00:00
amazon
amazon
Low: containerd
2023-11-10 17:32:00
Important: golist
2023-10-30 23:59:00
Important: cni-plugins
2023-10-30 23:59:00
rocky
rocky
go-toolset:rhel8 security update
2023-10-24 18:35:47

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

59.0%

JSON
Related for ALAS-2023-2339
nessus73ibm2redhat14redhatcve1prion2redos1cbl_mariner29veracode2github2debiancve2osv7wolfi2ubuntucve2cgr2cve2fedora25alpinelinux1openvas25amazon4rocky1