You can use boolean logic (e.g. AND/OR/NOT) for complex search queries. For more help and examples, see the search documentation.
Search by package name:
  my-package (implicit)
  name:my-package (explicit)
Search by package filename:
  my-package.ext (implicit)
  filename:my-package.ext (explicit)
Search by package tag:
  latest (implicit)
  tag:latest (explicit)
Search by package version:
  1.0.0 (implicit)
  version:1.0.0 (explicit)
  prerelease:true (prereleases)
  prerelease:false (no prereleases)
Search by package architecture:
  architecture:x86_64
Search by package distribution:
  distribution:el
Search by package license:
  license:MIT
Search by package format:
  format:deb
Search by package status:
  status:in_progress
Search by package file checksum:
  checksum:5afba
Search by package security status:
  severity:critical
Search by package vulnerabilities:
  vulnerabilities:>1
  vulnerabilities:<1000
Search by number of package downloads:
  downloads:>8
  downloads:<100
Search by package type:
  type:binary
  type:source
Search by package size (bytes):
  size:>50000
  size:<10000
Search by dependency name/version:
  dependency:log4j
  dependency:log4j=1.0.0
  dependency:log4j>1.0.0
Search by uploaded date:
  uploaded:>"1 day ago"
  uploaded:<"August 14, 2022 EST"
Search by entitlement token (identifier):
  entitlement:3lKPVJPosCsY
Search by policy violation:
  policy_violated:true
  deny_policy_violated:true
  license_policy_violated:true
  vulnerability_policy_violated:true
Search by repository:
  repository:repo-name
Search queries for all Debian-specific (and related) package types
Search by component:
  deb_component:unstable
Search queries for all Maven-specific (and related) package types
Search by group ID:
  maven_group_id:org.apache
Search queries for all Docker-specific (and related) package types
Search by image digest:
  docker_image_digest:sha256:7c5..6d4 (full hashref only)
Search by layer digest:
  docker_layer_digest:sha256:4c4..ae4 (full hashref only)
Field type modifiers (depending on the type, you can influence behaviour)
For all queries, you can use:
  ~foo for negation
For string queries, you can use:
  ^foo to anchor to the start of the term
  foo$ to anchor to the end of the term
  foo*bar for fuzzy matching
For number/date or version queries, you can use:
  >foo for values greater than
  >=foo for values greater than or equal
  <foo for values less than
  <=foo for values less than or equal
Need a secure and centralised artifact repository to deliver Alpine, Cargo, CocoaPods, Composer, Conan, Conda, CRAN, Dart, Debian, Docker, Go, Helm, Hex, LuaRocks, Maven, npm, NuGet, P2, Python, RedHat, Ruby, Swift, Terraform, Vagrant, Raw & more packages?
Cloudsmith is the new standard in Package / Artifact Management and Software Distribution.
With support for all major package formats, you can trust us to manage your software supply chain.
publish 3543bd6e7488bee6aa5909ec5f5…
Description
This package was uploaded with the following V2 Distribution manifest:
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "digest": "sha256:3bea83aa549faa539263719e7ca0d8ae7ada299f3e4ab2af975295a641b8d4f0"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "digest": "sha256:c87736221ed0bcaa60b8e92a19bec2284899ef89226f2a07968677cf59e637a4"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "digest": "sha256:81d020c7ae84eacb409907ee15e96669428d464ff0ecfad624d02ccd28f049fd"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "digest": "sha256:8f5ad7e774b3e4f09e94f4ace1bbff187fc99e448927f2adcd5ed11e29e4d39c"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "digest": "sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2"
    },
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "digest": "sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2"
    }
  ]
}
Layers (digest, build command, size):
1. Digest: sha256:c87736221ed0bcaa60b8e92a19bec2284899ef89226f2a07968677cf59e637a4
   Command: /bin/sh -c #(nop) ADD file:38bc6b51693b13d84a63e281403e2f6d0218c44b1d7ff12157c4523f9f0ebb1e in /
   Size: 2.1 MB
2. Digest: sha256:81d020c7ae84eacb409907ee15e96669428d464ff0ecfad624d02ccd28f049fd
   Command: /bin/sh -c #(nop) CMD ["/bin/sh"]
   Size: 17.3 MB
3. Digest: sha256:8f5ad7e774b3e4f09e94f4ace1bbff187fc99e448927f2adcd5ed11e29e4d39c
   Command: /bin/sh -c apk update && apk add bash python3
   Size: 4.9 MB
4. Digest: sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2
   Command: /bin/sh -c pip3 install cloudsmith-cli==0.10.0
   Size: 1.5 KB
5. Digest: sha256:c7f58bcc220aeec92a5d708a0842c2ecfeff6fda62370bd10573d6ec86da6ac2
   Command: /bin/sh -c #(nop) ENTRYPOINT ["/pipe.sh"]
   Size: 1.5 KB
Last scanned: 12 hours ago
Scan result: Vulnerable
Vulnerability count: 16
Max. severity: Critical

Target: . (alpine 3.8.4)
CRITICAL
CVE-2019-14697: musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
Package Name: musl | Installed Version: 1.1.19-r10 | Fixed Version: 1.1.19-r11

CRITICAL
CVE-2019-14697: musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
Package Name: musl-utils | Installed Version: 1.1.19-r10 | Fixed Version: 1.1.19-r11

HIGH
CVE-2019-19244: sqlite: allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage
sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.
Package Name: sqlite-libs | Installed Version: 3.25.3-r2 | Fixed Version: 3.25.3-r3

MEDIUM
CVE-2019-19242: sqlite: SQL injection in sqlite3ExprCodeTarget in expr.c
SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.
Package Name: sqlite-libs | Installed Version: 3.25.3-r2 | Fixed Version: 3.25.3-r3
Target: Python

HIGH
CVE-2023-37920: python-certifi: Removal of e-Tugra root certificate
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Package Name: certifi | Installed Version: 2019.11.28 | Fixed Version: 2023.7.22

HIGH
CVE-2022-40899: python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
Package Name: future | Installed Version: 0.18.2 | Fixed Version: 0.18.3

HIGH
CVE-2020-7212: python-urllib3: inefficient algorithm allows a DoS (CPU consumption) in _encode_invalid_chars function in util/url.py
The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
Package Name: urllib3 | Installed Version: 1.25.7 | Fixed Version: 1.25.8

HIGH
CVE-2021-33503: python-urllib3: ReDoS in the parsing of authority part of URL
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Package Name: urllib3 | Installed Version: 1.25.7 | Fixed Version: 1.26.5

HIGH
CVE-2023-43804: python-urllib3: Cookie request header isn't stripped during cross-origin redirects
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.
Package Name: urllib3 | Installed Version: 1.25.7 | Fixed Version: 2.0.6, 1.26.17

MEDIUM
CVE-2022-23491: python-certifi: untrusted root certificates
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
Package Name: certifi | Installed Version: 2019.11.28 | Fixed Version: 2022.12.07
MEDIUM
CVE-2024-3651: python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.
Package Name: idna | Installed Version: 2.8 | Fixed Version: 3.7

MEDIUM
CVE-2023-32681: python-requests: Unintended leak of Proxy-Authorization header
Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
Package Name: requests | Installed Version: 2.22.0 | Fixed Version: 2.31.0

MEDIUM
CVE-2024-35195: requests: subsequent requests to the same host ignore cert verification
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.
Package Name: requests | Installed Version: 2.22.0 | Fixed Version: 2.32.0

MEDIUM
CVE-2020-26137: python-urllib3: CRLF injection via HTTP request method
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Package Name: urllib3 | Installed Version: 1.25.7 | Fixed Version: 1.25.9

MEDIUM
CVE-2023-45803: urllib3: Request body not stripped after redirect from 303 status changes request method to GET
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.
Package Name: urllib3 | Installed Version: 1.25.7 | Fixed Version: 2.0.7, 1.26.18

MEDIUM
CVE-2024-37891: urllib3: proxy-authorization request header is not stripped during cross-origin redirects
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.
Package Name: urllib3 | Installed Version: 1.25.7 | Fixed Version: 1.26.19, 2.2.2
These instructions assume you have set up the repository first (or have read how to).
To pull publish @ reference/tag 0.3.0:
docker pull docker.cloudsmith.io/cloudsmith/bitbucket-pipes/publish:0.3.0
You can also pull the latest version of this image (if it exists):
docker pull docker.cloudsmith.io/cloudsmith/bitbucket-pipes/publish:latest
To refer to this image after pulling in a Dockerfile, specify the following:
FROM docker.cloudsmith.io/cloudsmith/bitbucket-pipes/publish:0.3.0